Systems such as Passport work by storing personal data such as credit card details and billing addresses to enable users to fill out online registration and shopping forms automatically, without re-keying data. However, there are fears this data could fall into the wrong hands and be used for unauthorised purposes.
In a statement last week, the commission said Microsoft had agreed to implement "a comprehensive package of data protection measures" to give users more information and choice over the data they provide and how it is used.
"Anyone out there developing similar systems [to Passport] needs to take note of this ruling and the importance of complying with data protection issues," said Paula Barrett, a partner in the IT and e-commerce group at law firm Eversheds.
Barrett said the ruling was indicative of a more rigorous enforcement of data protection laws across Europe. "There is more to come - the tide is turning," she said.
Overall, Barrett praised the Microsoft ruling. "It is helpful. It puts it in context," she said. However, it is unlikely to be the end of the matter.
"The working party [of EU regulators] will continue monitoring future developments in this field," the commission said. "In particular, two issues need further consideration: the current electronic advertisement communication within Hotmail and the use of identifiers both in the .net Passport system and by the Liberty Alliance project."