Earlier this month, Microsoft agreed with the FTC to implement comprehensive changes to its Passport service to maintain privacy and security of personal information collected from consumers.
Now a working party established by the European Commission to look at online authentication services has concluded that "a number of elements of the .net Passport system raise legal issues and require further consideration".
The working party has already questioned whether the Passport system breaks the European Union-US Safe Harbour agreement on data protection.
Because Passport collects personal information from consumers and allows them to sign in at any participating website with a single name and password, there is concern that personal data could migrate beyond the control of computer users to other countries. This would contravene the trans-Atlantic deal.
Working party documents obtained by CW360.com said that further inquiries would be made into the "information given to the data subjects at the moment of collecting."
It added that EC experts would also consider:
- The value and quality of the consent given by data subjects and the extent to which they exercise their data protection rights
- Data protection rules applied by the websites affiliated to .net Passport
- The necessity and conditions of use of unique identifiers
- The proportionality and quality of the data collected and stored by .net Passport, which is transmitted to affiliated sites
- Associated security risks
The paper concluded that the working party should "assess where the European data protection principles are correctly complied with and, where appropriate, to identify elements of the systems that require changes".