Australian Government - Office of the Australian Information Commissioner

Changes to the Microsoft Service Agreement

Correspondence summary

21 December 2012

On 26 October 2012, the Privacy Commissioner wrote to Microsoft to seek clarification about changes that it had made to its Service Agreement. The letter asked Microsoft to respond to a range of questions about: the level of detail in Microsoft's privacy policies, information about how users were notified of the changes, how users are given choice and control over their data and information, data retention practices for accounts, and information about biometric processing.

On 6 November 2012, the OAIC received a written response from Microsoft (PDF, 557.68 KB). The OAIC responded to this letter on 13 November 2012.

Post script: On 17 December, the OAIC received a further response from Microsoft (PDF, 467.1 KB). The Privacy Commissioner responded to Microsoft on 21 December 2012.


Letter from the Privacy Commissioner

21 December 2012

Our reference: P12/104
Mr Brendon Lynch
Chief Privacy Officer
Microsoft
One Microsoft Way
REDMOND WA, 98075 USA

Via email: [email address redacted]

Dear Mr Lynch

Thank you for your letter dated 16 December 2012.

I am pleased that Microsoft has reviewed its privacy practices and intends to implement improvements, including:

  • making the applicable privacy policy clear to users when they download products
  • clarifying data retention periods
  • clarifying that inactive accounts are deleted
  • reducing the data retention period from 270 days to 60 days when a user deletes their account, and
  • updating the Microsoft Online Privacy Statement to state that when a customer requests deletion of their information through the Privacy Feedback Form, Microsoft will respond within 30 days.

I would appreciate Microsoft notifying Toni Pirani, Acting Assistant Commissioner, at [email address redacted] when these changes have been implemented.

This has been a productive dialogue resulting in increased clarity for Microsoft users. I commend Microsoft for its intention to improve its privacy practices.

Yours sincerely

[signature]

Timothy Pilgrim
Australian Privacy Commissioner

21 December 2012


Post script: This email was in response to correspondence received by the OAIC from Microsoft (PDF, 467.1 KB) on 17 December. An outline is available.


Correspondence — Letter to Microsoft Chief Privacy Officer

13 November 2012

Mr Brendon Lynch
Chief Privacy Officer
Microsoft
One Microsoft Way
Redmond WA, 98075 USA

Sent via email

Dear Mr Lynch

Thank you for your letter dated 6 November 2012, in which you provide additional information about the Microsoft Service Agreement (MSA).[1]

Your letter provided important details about how user information and data is collected and used. The Office of the Australian Information Commissioner (OAIC) suggests that users would benefit if that information was provided in the MSA or Microsoft Online Privacy Statement.[2]

I appreciate Microsoft's longstanding commitment to privacy, and would like to take this opportunity to suggest some ways in which Microsoft can improve its privacy practices.

Applicable privacy policy

Thank you for clarifying that the Microsoft Online Privacy Statement applies to all services covered by the MSA, except Bing, which is covered by its own Privacy Statement. The OAIC supports the use of product-specific privacy policies where they provide users with information that is required to understand how their data and information is collected and used.

In the case of Microsoft Photo Gallery, Microsoft Movie Maker, Microsoft Mail Desktop, Microsoft Writer and Windows Live Manager, the OAIC believes that there is potential for users to mistakenly think the Microsoft.com Privacy Statement is the applicable privacy policy. This is because the link at the bottom of the pages where these products are made available for download takes users to the Microsoft.com Privacy Statement. Further, the Microsoft.com Privacy Statement states that it 'applies to Microsoft websites, services and products that collect data and display these terms' (emphasis added).[3] The OAIC suggests that if users were provided with a link to the Microsoft Online Privacy Statement on the page where these products are downloaded this would clearly instruct users that the Microsoft Online Privacy Statement applies to these products, and provide users with notice of how their data and information will be used prior to interacting with the products.

Data retention

It remains unclear whether the closure of an account results in the deletion of all customer data and information and, if it is deleted, how long deletion will take. The OAIC has made some suggestions below about how information about this issue may be provided to users.

Inactive accounts

Your letter states: '[i]n the case of the former (ie accounts that become inactive), the MSA states explicitly that "[the user's] data will be permanently deleted" from the portion of the services that become inactive. (Section 4.2).'

The MSA states that accounts that are not accessed for 270 days will 'result in a closure of your access to and use of that portion of the services, and you may permanently lose your content on that portion of the services (Section 4.2)' (emphasis added). This does not provide certainty about whether an inactive user's information will be deleted, the rules governing when information will be deleted, or how long it will take for a user's data and information to be deleted.

Relevantly, s 2.1 of the MSA does not provide specific detail or certainty on the retention period for inactive accounts. That section states: '[I]f you fail to sign in during this period, we may cancel your access to the Microsoft branded services. If the Microsoft branded services are cancelled due to your failure to sign in, your data may be permanently deleted from our servers' (emphasis added).

The MSA appears only to give Microsoft the right to delete a user's information, not a guarantee to users that Microsoft will delete their account, and associated information and data, if it becomes inactive. It would be better privacy practice if Microsoft clarified that all information and data from an inactive account is deleted in a set and expressly defined period of time, and that users can request the deletion of their personal information and data. If there are rules or criteria for the deletion of inactive account data and information, these could be included or linked to in the MSA. Further, providing a link in the MSA to the Privacy Feedback Form would ensure that users knew at the formation of the contract how to request the deletion of their data.

Termination of an account

Thank you for highlighting that the MSA provides users with a link to the Account Settings Page, and for providing additional information about data retention of emails and Hotmail addresses.

The OAIC suggests that Microsoft could provide users with an estimate of how long different categories of data are retained.

Privacy Feedback Form

You have pointed out that the Microsoft Online Privacy Statement provides links to the Privacy Feedback Form that allows users to request the deletion of their personal data and information.[4] The links to the Privacy Feedback Form appear under the headings 'Accessing your personal information' and 'How to contact us'. The information provided under these headings does not make it clear that users can use these links to request the deletion of their personal data and information.

The OAIC suggests that Microsoft could more clearly and explicitly state that users can request that their personal information and data be deleted via the Privacy Feedback Form.

Biometric information

Thank you for confirming that Microsoft Photo Gallery uses facial recognition technology.

In the Australian context, National Privacy Principle (NPP) 1 requires organisations that collect personal information[5] to take reasonable steps to ensure that the individual to whom that information relates is aware of specific matters, including:

  • the fact that he or she is able to gain access to the information
  • the purpose for which the information has been collected; and
  • the organisations (or the types of organisations) to which the collecting organisation usually discloses information of that kind.[6]

Biometric information is often viewed by individuals as being of a sensitive nature; this is because it is information about an individual's physical characteristics. This observation was supported by comments made by the Australian Law Reform Commission in its report For Your Information: Australian Privacy Law and Practice (Report 108) where it noted that:

Biometric information shares many of the attributes of information currently defined as sensitive in the Privacy Act 1988. It is very personal because it is information about an individual's physical self. Biometric information can reveal other sensitive information, such as health or genetic information and racial or ethnic origin.[7]

Further, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 proposes to amend the definition of sensitive information to include biometric information.[8]

To the extent that biometric information reveals other sensitive information about an individual, NPP 10 prohibits the collection of that information except in specifically defined circumstances; for example, where the individual consents to the collection of that information.[9]

The Microsoft Online Privacy Statement does not state that Microsoft will collect biometric information. Nor does it state explicitly how Microsoft will use biometric information. The OAIC recommends that in accordance with the Privacy Act 1988 (Cth) Microsoft notify users that they are collecting biometric information, how that information is being used, and whether or not that information is or may be disclosed to other individuals or organisations.

The OAIC notes that, in Microsoft Photo Gallery, facial detection and recognition is enabled as a default setting. The OAIC believes that it would be better privacy practice if users were given the opportunity to opt-in to facial detection and recognition.

Consistent with the OAIC's usual practices, this letter will be published on our website. For transparency and accountability, any response made by Microsoft will also be published.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

13 November 2012


Footnotes

[1] Microsoft Service Agreement, August 2012, Microsoft website <windows.microsoft.com/en-IN/windows-live/microsoft-services-agreement>.

[2] Microsoft Online Privacy Statement, April 2012, Microsoft website <privacy.microsoft.com/en-us/fullnotice.mspx>.

[3] Microsoft.com Privacy Statement, July 2012, Microsoft website <www.microsoft.com/privacystatement/en-AU/core/default.aspx>.

[4] Contact Us: Privacy Feedback, Microsoft Support website <https://support.microsoft.com/contactus/emailcontact.aspx?scid=sw;en;1310>.

[5] Privacy Act 1988 (Cth) s 6.

[6] Privacy Act 1988 (Cth) National Privacy Principle 1.3.

[7] ALRC, For Your Information: Australian Privacy Law and Practice (Report 108) (2008) <www.alrc.gov.au/publications/6.%20The%20Privacy%20Act%3A%20Some%20Important%20Definitions/sensitive-information>, para 6.119.

[8] Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) cl 42.

[9] Privacy Act 1988 (Cth) National Privacy Principle 10.1(a).


Letter to Microsoft Chief Privacy Officer

26 October 2012

Mr Brendon Lynch
Chief Privacy Officer
Microsoft
One Microsoft Way
Redmond WA, 98075 USA

Sent via email

Dear Mr Lynch

I am aware that Microsoft has recently changed the terms of the Microsoft Service Agreement (Service Agreement).[1] The Office of the Australian Information Commissioner (OAIC) has recently been examining the Service Agreement and linked privacy policies.

As a result of this examination, we have identified a number of issues on which we would appreciate your response. I have set these out below.

Applicable privacy policy

The Service Agreement refers users to the Microsoft Online Privacy Statement (April 2012 Policy) if they wish to understand how Microsoft uses and protects their personal information.[2] The April 2012 Policy applies to the products covered by the Service Agreement. However, many of the webpages for individual products link to the Microsoft.com Privacy Statement (July 2012 Policy).[3] Having various iterations of similar privacy policies may cause some confusion to users.

In that regard, could you clarify whether a single privacy policy applies to each of the products covered by the Service Agreement or whether separate privacy policies apply to the different products?

Notification

I understand that Microsoft informed users of the changes to the Service Agreement through a blog post on 29 August 2012[4] and an email to users on 2 September 2012.

The April 2012 Policy states 'If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by prominently posting a notice of such changes prior to implementing the change or by directly sending you a notification.'[5] Can you please advise if Microsoft has provided users with other forms of notice about the changes to the Service Agreement, such as on product log in pages?

User choice and control of data and information

The Service Agreement now states that user content can be 'used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.'[6] Further, the Service Agreement requires users to agree that Microsoft can 'access, disclose, or preserve information associated with ... use of the services, including (without limitation) ... personal information and content, or information that Microsoft acquires ... through ... use of the services (such as IP address or other third-party information)'.[7]

These terms appear to limit the choice or control individuals have about how their data and information is collected and used. I am aware that Microsoft provides users with the choice to opt out of targeted advertising and has released a beta Personal Data Dashboard that allows users to clear their Bing search history.[8] However, the clearing of Bing search history does not appear to stop the collection of a user's search history by Microsoft or in some cases third parties. In addition, the beta Personal Data Dashboard is currently difficult to find and does not significantly increase user control of their information or data. Could you advise whether there are any other mechanisms that give users control over how their data and information is collected and used?

Level of detail in the privacy policies

The April 2012 Policy does not appear to provide sufficient detail in the following key areas:

Data retention

The April 2012 Policy does not appear to state:

  • that a user may delete an account and associated information
  • how long it will take to effect a request for an account to be deleted
  • what data will be deleted
  • how long it takes for data to be deleted from back-ups, or
  • what happens to inactive accounts.

Can you provide clarification about what the processes and timeframes are for deleting user data when requested, and when an account becomes inactive?

Further, the July 2012 Policy provides a link to a web form where users can request access to, and deletion of, their personal information within 30 days.[9] It would be better privacy practice if this process was available across all the services covered by the Service Agreement.

Biometric information

The April 2012 Policy does not mention the collection of biometric information, although I understand that Microsoft provides services that allow users to share, edit and tag photos. These activities potentially result in the collection of sensitive biometric information. Can you advise whether Microsoft collects personal information through these services, and if so, how does it characterise the information and manage it?

Consistent with the OAIC's usual practices, this letter will be published on our website. For transparency and accountability, Microsoft's response will also be published.

I look forward to your response to these issues.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner

26 October 2012


Footnotes

[1] Microsoft Service Agreement, August 2012, Microsoft website <windows.microsoft.com/en-IN/windows-live/microsoft-services-agreement>.

[2] Microsoft Online Privacy Statement, April 2012, Microsoft website <privacy.microsoft.com/en-us/fullnotice.mspx>.

[3] Microsoft.com Privacy Statement, July 2012, Microsoft website <www.microsoft.com/privacystatement/en-AU/core/default.aspx>.

[4] Updating our Microsoft Services Agreement, 29 August 2012, Microsoft Volume Licensing <blogs.technet.com/b/volume-licensing/archive/2012/08/29/updating-our-microsoft-services-agreement.aspx>.

[5] Microsoft Online Privacy Statement.

[6] Microsoft Service Agreement, cl 3.3.

[7] Microsoft Service Agreement, cl 5.2.

[8] Personalized Advertising from Microsoft, February 2012, Microsoft Advertising website <https://choice.microsoft.com/AdvertisementChoice>; Microsoft Personal Data Dashboard Beta, October 2012, Microsoft Profile website <https://choice.microsoft.com/Data/Dashboard>.

[9] Microsoft.com Privacy Statement.
