Resolution on Automatic Software Updates

25th International Conference of Data Protection Privacy Commissioners Sydney, 12 September 2003

This resolution was adopted on Friday 12 September 2003


The Data Protection Commissioners of Germany, the Czech Republic, Italy, the State Data Protection Inspectorate of the Republic of Lithuania, the Information and Privacy Commissioner of Ontario and the Swiss Federal Data Protection Commissioner propose that the International Conference resolve that:

1. The Conference notes with concern that software manufacturers worldwide increasingly use non-transparent techniques to transfer software updates to users' computers.
In doing so they

This may cause particular problems in government institutions and private companies to the extent that they are under specific legal obligations how to process personal information.

2. The Conference therefore calls on software companies

  1. to offer procedures to update software online only at the user's initiative or request, in a transparent way and without allowing unchecked access to the user's computer;
  2. to ask for the disclosure of personal data only with the informed consent of the user and insofar as it is necessary to carry out the online update. Users should not be forced to identify (as opposed to authenticate) themselves before they can initiate the download process;
  3. to provide for freedom of choice by offering online updates only as an alternative to other (offline) means of software distribution such as CD-ROM.

3. The conference encourages the development and implementation of techniques to update software which respect the privacy and autonomy of computer users.