92002E2439

WRITTEN QUESTION E-2439/02

by Erik Meijer (GUE/NGL) to the Commission

(28 August 2002)

Subject: Agreement between Microsoft and the American FTC on the non-use of data collected and the forthcoming EU evaluation

1. In view of the persistent criticism of the fact that it remains possible to store far more data concerning users of Microsoft .NET Passport than Microsoft was for a long time prepared to admit, is the Commission aware that at the beginning of August an agreement was reached between Microsoft and the American Federal Trade Commission whereby the company agrees not to use the data it has gathered and undertakes to make it possible for a third party to check the system within one year?

2. Does the Commission agree with American consumers' organisations and competitors of Microsoft that, although these agreements are an important step in the right direction, they do not afford any watertight guarantees that it will no longer be possible to use the data collected, particularly bearing in mind that previously Microsoft denied the existence of a number of the possibilities which have since come to light and that even now it continues to point to the alleged benefit to consumers from the fact that their data are stored for 90 days without their consent?

3. Does the Commission recall that, in the answers to questions E-3111/01(1) (Windows XP) and E-3430/01(2) (Smart Tags), it stated that it had never received any complaints? How can this be reconciled with the fact that, according to my own observations, both groups and individuals are complaining? Who has the power to complain, what conditions must be met in order for the Commission to consider complaints, and how long does it take before the results are known?

4. Will the Commission in fact take measures to subject Microsoft's operations within the EU fully to Community law, so that any database containing personal data has to comply with the requirements of Directive 95/46/EC(3) of 24 October 1995, with the result that data subjects must be informed of the purpose, who is responsible for what and rights of use, no compulsion is permitted and the supervisory authority of the Member State concerned must be notified of how data is processed? Will it consequently no long be technically possible to gather data secretly here, although it will remain possible in the USA? Will the Commission take account of efforts to achieve this in its evaluation pursuant to Article 33 of Directive 95/46/EC which it promised before the end of 2002 in its answer to question E-0718/02(4)?

(1) OJ C 147 E, 20.6.2002, p. 97.

(2) OJ C 172 E, 18.7.2002, p. 60.

(3) OJ L 281, 23.11.1995, p. 31.

(4) OJ C 205 E, 29.8.2002, p. 200.

Answer given by Mr Bolkestein on behalf of the Commission

(1 October 2002)

1. Yes, the Commission was contacted and informed by the Federal Trade Commission (FTC) itself on the day its enforcement resolution was issued. The Commission has regular contacts with the FTC on a wide range of issues, not least the enforcement of the Safe Harbor Privacy Principles.

2. The Commission agrees that the FTC resolution is indeed an important step in the right direction. Although the FTC operates in a different legal framework than the one existing in Europe, the Commission has a positive opinion of the effectiveness of its enforcement actions.

3. The Commission can confirm that it has not itself received complaints related to the matters referred in this question. It understands the term complaint in the sense defined in its Communication to the Parliament and the European ombudsman on relations with the complainant in respect of infringements of Community law of March 2002(1): complaint shall mean any written approach made to the Commission pointing to measures or practices contrary to Community Law. Anyone may file a complaint with the Commission free of charge against a Member State about any measure (law, regulation or administrative action) or practice within a Member State that they consider incompatible with a provision or principle of Community law. The same Communication sets out the other aspects of the Commission's policy and practice as regards complaints.

4. The data protection authorities of the Member States are the primary enforcers of data protection rules and they meet regularly in the working party set up under Article 29 of the Data Protection Directive (Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). The Commission provides the secretariat for this working party and its sub-groups.

The working party is aware of the expansion of on-line authentication services. It has stressed that these services need to respect the core data protection principles. Microsoft's .NET Passport is the most important initiative in this field at present and the working party's Internet Sub-Group has therefore made an initial study of it and reported to the working party.

At its meeting on 1 and 2 July 2002, the working party found that Microsoft had put in place some measures to address data protection requirements, but that a number of elements of the .NET Passport system raised legal issues and required further consideration. It therefore decided to undertake further analysis, where necessary in dialogue with Microsoft, in order to assess whether the Community data protection principles are correctly complied with and, where appropriate, to identify elements that require to be changed(2). At the FTC's request, the Commission informed the members of this Working Party about the enforcement action taken by the FTC against Microsoft. The Working Party will meet again on 2 and 3 October 2002 and will continue its discussion on this subject.

The Commission's review of Directive 95/46/EC will be wide-ranging and will take account of all useful and relevant information brought to its attention.

(1) COM(2002) 141 final.

(2) The complete text of the adopted document is available at: http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp60_en.pdf.