Skype, Microsoft's voice over IP (VoIP) service, is allegedly under investigation by the Luxembourgish data protection commissioner regarding its involvement in the American online spying programme PRISM.
The Guardian reports the Redmond giant, which acquired Luxembourg-based Skype in 2011, could face criminal and administrative sanctions, including a ban on passing communications to the American National Security Agency (NSA), which ran PRISM, if it is found to have broken Luxembourgish data protection laws.
Skype could also be fined individually if it is found to have transgressed, the newspaper claimed.
The investigation hinges on an article in the Luxembourgish constitution, which holds individuals' rights to privacy to be absolute and secrecy of correspondence to be inviolable.
This definitive right to privacy can only be broken and communications monitored following judicial approval or authorisation of a tribunal selected by the prime minister.
The investigation will reportedly examine whether or not Skype violated the constitution in this regard when it handed over user generated data resulting from conversations on the service to the NSA.
A complicating factor, according to the Guardian, is the possibility Skype's transfer of data to the NSA may have been sanctioned by the state through a secret legal assistance or data transfer agreement, which would not be known by the commissioner at the beginning of the investigation.
Both the Luxembourgish data protection commissioner and Microsoft declined to comment to the Guardian.
The news comes just two weeks after Microsoft issued its latest transparency report, which it has begun to release on a regular basis to try and boost consumer confidence in the wake of the PRISM scandal.
The report showed 3,509 requests were received from governments worldwide for data from Skype during the first six months of 2013. While some data was handed over on almost every occasion, Microsoft claims to have never handed over the content of messages during that period.
In Luxembourg, 33 requests referring to 90 individual accounts were made, and 75.8 per cent of those requests resulted in subscriber and/or transactional data being handed over, while in the remaining 24.2 per cent of cases no data was found.
