US Tech Firms Must Align with Europe’s Privacy Values
Thoughts about technology that is inclusive, trusted, and creates a more sustainable world
These posts represent my personal views on the future of the digital economy powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
I have often written about the spreading global influence of Europe’s landmark privacy law, the General Data Protection Regulation (GDPR), which establishes fundamental principles for the protection of personal data in the Internet era. The GDPR is a complex law that has not been without controversy in its young life, but most observers probably agree with the assessment of Berkeley law professor Chris Hoofnagle and colleagues that it is “the most consequential regulatory development in information policy in a generation.”
Many countries around the world have taken steps to incorporate key GDPR principles into their own privacy legislation. These countries include Brazil, Canada, India, Japan, Kenya, South Africa, South Korea, and Thailand. It would not be an exaggeration to say that Europe has come to serve as the world’s default privacy regulator.
But the United States remains an exception. Of course, it is not correct to say that America has no privacy laws. We do have privacy laws. In a sense, we even have too many. We have state privacy laws, some even consciously modeled on the GDPR, such as the California Consumer Privacy Act (CCPA). We also have strong though somewhat outdated privacy laws from the pre-Internet era for important specialized domains such as health data (HIPAA) and student data (FERPA). And the Fourth Amendment to the US Constitution provides strong protections—arguably among the best in the world—against unjustified searches and seizures of private citizens’ data by agents of law enforcement. But we do not have an overarching national privacy law to ensure the consistent and across-the-board application of the principles embodied in these worthy but piecemeal safeguards.
Observers who follow trans-Atlantic relations will know that the storage of European personal data in the US has long been a contentious issue. In July of this year a ruling by the EU’s highest court, the Court of Justice of the European Union, overturned the 2016 EU-U.S. Privacy Shield agreement, which provided a legal basis for US companies to store personal data of EU residents on computers in the US while remaining in compliance with the GDPR.
I don’t mean to imply that there is any irreconcilable gap between European and American views on the necessity of strong data privacy protections. There is a difference of views on what certain government agencies should be allowed to do in the interests of national security. But I am quite certain that the two polities share a similar and profound commitment to democracy and democratic values, and this deep affinity ultimately outweighs all differences. The problem is that the ease with which data now travels around the world, together with the infinite variety of ways in which it can be processed to create economic value, renders complex the task of establishing a shared legal framework that can stand up to all objections.
Knowledgeable observers expect that the US and the EU will negotiate a new agreement, perhaps as soon as next year, to replace the Privacy Shield. While there is no immediate fix, Microsoft’s VP of European Government Affairs Casper Klynge noted in an interview last month that the two sides are “working below the radar screen to try and find a pragmatic way forward.” In the meantime, as Microsoft’s Chief Privacy Officer Julie Brill made clear in a statement published immediately after the European court decision, the alternative legal mechanism of Standard Contractual Clauses allows enterprises and public administrations to continue transferring data between the EU and the US using cloud services such as Microsoft’s.
But the responsibility for establishing a data privacy framework shared by all democratic nations does not lie solely with governments. It also behooves companies, and especially large tech companies like Microsoft, to help move things forward. While waiting for the US to develop national privacy legislation, which it surely will one day, and while the US and the EU negotiate a new legal framework for trans-Atlantic data transfers, tech firms must adopt their own strong privacy standards and assume accountability for how they use their customers’ data.
In another blog post, published last week and entitled “Why privacy is essential to equitable recovery,” Julie Brill wrote that:
“Strong privacy legislation is important. But the simple truth is that the onus to create and maintain trust must fall on the companies that collect, process, and store personal data. No matter what the law says, if companies aren’t responsible, transparent, and accountable when using personal information, their customers will not trust them and they will fail.”
Microsoft’s leaders recognize that no US tech firm can expect to play a significant role in Europe’s vast ongoing project of digital transformation unless it aligns with Europe’s essential values. Microsoft shares Europe’s commitment to privacy as a fundamental human and democratic right. While working hard to persuade US policymakers that the time has come to pass a US privacy law to match the GDPR, Microsoft is not waiting to implement Europe’s data protection values in its own products and business models. And the company is doing this not just in Europe, but globally.
Allow me to conclude with another remark from Julie Brill’s recent blog post:
“It is time for government and business to work together to pass laws and reinvent practices to recognize the individual right to own and control personal data and to place the responsibility for protecting privacy where it belongs—on companies. This is the best and only way to create the conditions that will make trust possible. It is also an essential foundation for building a recovery that is robust and sustainable and serves everyone equally.”
In a time of continuing pandemic, these are important words.