The Global Reach of Privacy Laws
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
Until now, the privacy rights of individuals have nearly always flowed from rules passed by legislative bodies with a specific geographic scope: the U.S. Congress, the California State Assembly, or the European Parliament, for example. But that is changing. As awareness of the risks to personal data privacy presented by our high-tech, ever-more-connected modern society grows, the demand for greater protection from these risks also grows. When citizens of one state or region observe that those in another seem to benefit from stronger privacy laws, their natural instinct is to say, “we want the same protections for ourselves.”
The most conspicuous example of this trend (though not the only one, as we shall see at the end of this post) is the widening global influence of the European Union’s General Data Protection Regulation (GDPR). It is no exaggeration to say that GDPR’s passage has spurred nations around the world to rethink and in many cases strengthen their privacy laws. Dozens of countries have passed or are debating new laws that emulate many of the features of GDPR.
This trend reflects the power that the idea of privacy has acquired in global public opinion. It also reflects more mundane self-interest on the part of Europe’s trading partners. A company in India, Japan, or Brazil that sells goods or services to residents of the EU may wish to process data relating to its EU customers in its home country. GDPR imposes strict limits on such processing outside of EU frontiers, but these limits are somewhat relaxed if the EU has assessed that the home country’s data protection laws meet GDPR’s adequacy criteria.
This week brings another instructive example of GDPR’s global reach, this time from my own employer Microsoft. In a much-noted statement published just yesterday, Microsoft’s Chief Privacy Officer (and ex-FTC Commissioner) Julie Brill announced that starting early next year, Microsoft will not only strengthen the privacy terms in the commercial cloud contracts it offers to enterprises in the EU but will extend those terms to the entire world.
The key change in the new Microsoft commercial cloud contracts involves Microsoft’s assumption of greater legal responsibility under GDPR for the protection of customer data. Until now, Microsoft’s contractual role in its cloud services such as Azure or Office 365 has mostly been restricted to what GDPR calls a data processor. Now it will also take on the broader role of data controller for certain specific functions.
You will find innumerable discussions on the web by legal experts and other commentators about the differences in GDPR between controllers and processors. But the most useful to my mind is this simple example published by the European Commission itself (which I paraphrase here):
- Consider the case of a company that employs an outside specialist firm to process payroll for its employees. The employer company determines when and how much employees should be paid, when they join or leave the company, when their pay will rise and what additional benefits they receive. The employer, therefore, is the GDPR controller. The payroll firm performs the processing necessary to calculate the employees’ pay together with tax and pension withholdings and keeps detailed records of the results of this processing. The payroll firm is the GDPR processor. Both controller and processor are responsible for protecting the personal information of the employees, but their roles are nevertheless quite different.
In short, the controller determines why, how, and by whom personal data will be processed. The processor merely carries out the instructions of the controller. Both are subject under GDPR to strict rules on how they must handle personal data, but the burden of responsibility is naturally heavier on the controller. Among the controller’s additional responsibilities are the duties to:
- perform data impact assessments
- respond to data subjects’ requests to enforce their GDPR rights (such as the well-known “right to be forgotten”)
- maintain detailed records of the processing they perform (or instruct processors to perform on their behalf)
- and, last but not least, notify data protection authorities in the event of a data breach
The GDPR also imposes detailed requirements on the contracts that bind controllers and their processors.
So what are the additional data controller responsibilities that Microsoft will now take on in its commercial cloud contracts? Julie Brill summarizes the changes as follows:
“… we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services… we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics, and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.”
This language is a bit technical, but the core idea is that Microsoft will now recognize a distinction between its activity of processing data on the customer’s behalf (processor role) and the activity of administering its business and technical relationship with the customer (controller role). I believe Microsoft is the first large cloud provider to do this.
What’s particularly interesting in Brill’s statement is the inclusion of cybersecurity as one of the domains where Microsoft will now assume the role of controller. This reflects the fact that Microsoft is taking an increasingly proactive role in analyzing customers’ cloud data for signs of cyberattacks—for example, by scanning emails for malware or signs of phishing attacks. It’s only natural that Microsoft should also accept the stricter data protection requirements that GDPR assigns to such a role. Unlike a processor that only passively carries out instructions, Microsoft is now actively deciding why and how to process customers’ information for cybersecurity purposes.
As I mentioned, although Microsoft is under no legal obligation to extend these new privacy terms to customers outside the EU, it will nevertheless do just that, and it will do so without delay. In Brill’s words, “We anticipate being able to offer the new contract provisions to all public sector and enterprise customers globally at the beginning of 2020.”
I mentioned above that the GDPR is not the only example of the tendency of privacy laws to expand beyond their formal geographic boundaries. Another example is California’s strict new consumer privacy law (the CCPA), set to go into effect in January 2020. Here again Microsoft has announced that it will bring the protections of the new law to all U.S. consumers. The company’s hope is that this action will encourage the U.S. Congress to pass a national privacy law comparable in scope to the GDPR. It’s hard to predict when that might happen. But to quote Julie Brill again, the goal is to ensure that privacy rights and their protection become truly global:
“As with GDPR and CCPA, whenever and wherever strong, sensible privacy laws are enacted, we will work to quickly extend the core protections those laws offer to our customers everywhere.”
To be sure, a world where everyone enjoys the same strong privacy protections for their personal data is still a long way off. But every step toward that goal is significant.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on GDPR. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. Click here to download a copy. Kindle version available as well here.