After a first analysis carried out by its Internet Task Force, the Working Party is of the opinion that, although Microsoft has put in place some measures to address data protection, a number of elements of the .NET Passport system raise legal issues and therefore require further consideration:
- The information given to the data subjects at the moment of collecting, further processing the data or transferring it to a third party, possibly located in a third country.
- The value and quality of the consent given by the data subjects to these operations.
- The data protection rules applied by the websites affiliated to .NET Passport.
- The necessity and conditions of use of a unique identifier.
- The proportionality and quality of data of the data collected and stored by .NET Passport and further transmitted to affiliated sites.
- The exercise of the rights of the data subjects.
- The security risks associated to these operations.
The Working Party therefore decides to undertake this further analysis, where necessary in dialogue with Microsoft and with other services and organisations, in order to assess where the European data protection principles are correctly complied with and, where appropriate, to identify elements of the systems that require changes.
The Working Party will consider again this matter at its next plenary meeting. Due to the evolving nature of the .NET Passport service and of the possible developments of its future architecture and of other similar authentication services, the Working Party will continue monitoring future developments in this field.
For more information about the Article 29 Working Party please click here.