Out-Law / Your Daily Need-To-Know

EU privacy watchdogs probe 'consequences' of changes to Microsoft service user terms

Out-Law News | 19 Dec 2012 | 5:07 pm | 2 min. read

EU privacy regulators in France and Luxembourg are leading an investigation into changes Microsoft made to its user terms and conditions earlier this year, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) told Out-Law.com that it was assisting "partners" across Europe with an investigation into recent changes to the Microsoft Service Agreement (MAS).

Bloomberg news agency had first reported that Jacob Kohnstamm, the head of the Dutch data protection authority and chairman of the EU's Article 29 Working Party, had written to Microsoft to inform it that its changes to MSA were being looked into. The Article 29 Working Party is a committee made up of representatives from the data protection authorities based in the EU's 27 member states.

"Given the wide range of services you offer, and popularity of these services, changes in your Services Agreement and the linked Privacy Policy may affect many individuals in most or all of the EU member states," Kohnstamm said in his letter, according to the Bloomberg report. The watchdogs have therefore "decided to check the possible consequences for the protection of the personal data of these individuals in a coordinated procedure," he added.

A spokesperson for the ICO confirmed the probe to Out-Law.com.

"The Information Commissioner's Office (ICO) is currently working with European partners to support work by the Luxemburgish data protection authority (CNPD) and the French data protection authority (CNIL) around recent changes to the Microsoft Service Agreement," the ICO spokesperson said in a statement.

"Any organisation that processes people’s personal data must be open and upfront about how this information will be used and for what purpose. It is important to remember that service agreements and their linked privacy policies rarely break laws in themselves, and companies should be encouraged to communicate changes to how they handle personal data to their customers. If anyone feels that an organisation has not handled their information fairly then they can make a complaint to the ICO," they added.

In August Microsoft outlined changes, from 19 October, brought changes to the terms contained in the MAS.

The new terms state: "When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services."

Previously the terms stated that Microsoft could make use of users' data "solely to the extent necessary to provide the service," according to a report by The Register.

In October a Microsoft spokesman told the New York Times that the company does not "use the content of our customers’ private communications and documents to create targeted advertising". He said that "if that ever changes, we’ll be the first to let our customers know," according to the newspaper's report.

A spokesperson for the technology giant has now said that the company is "happy to answer any questions officials may have about recent changes to the Microsoft Services Agreement, which we’ve said previously do not alter our privacy policies," according to The Register's report.

Earlier this year CNIL in France led an investigation by the Article 29 Working Party into changes Google introduced to its privacy policies. Since March the internet giant has used one single all-encompassing privacy policy covering the collection of personal data across all its services. However, the move drew concern from privacy campaigners and prompted a probe by the French data protection authority on behalf of the Working Party.

In October CNIL published a document containing recommendations it said Google should adopt to remedy the concerns expressed by it and the other privacy watchdogs.

At the time CNIL said that Google does not have a "valid legal basis" to combine personal data it gathers about users from their use of more than one of its services for some purposes for which the information is collected. It said Google needs user consent to combine personal data collected from various services in some cases and said users should have access to "simple opt outs" where they have a "right to object".

Google's privacy policy "gives incomplete or approximate information about the purposes and the categories of data collected", CNIL also said.

However, Google has defended its privacy policy and said that it believes it complies with EU data protection laws.