Microsoft wants GDPR-style privacy laws for the US
It is now a year since GDPR (General Data Protection Regulation) rules came into effect in Europe, and on this anniversary, Microsoft is starting a conversation about bringing similar privacy regulation to the US.
The company praises the privacy framework and says that it has improved how companies handle their customers' personal data. It says that GDPR has inspired a global movement that has seen countries around the world adopt new privacy laws, and that it is time for the US to follow suit.
- Four out of five people expect Facebook to have another data privacy issue this year
- Privacy: Microsoft is tracking your search activity for Bing Maps
- Privacy: Twitter 'inadvertently' collected and shared location data of some users
In a blog post, Microsoft's Corporate Vice President and Deputy General Counsel, Julie Brill, says that GDPR and similar frameworks help "individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose".
She goes on to say: "Around the world, there is a growing expectation that everyone should benefit from digital technology without losing control of their personal information. This is why Microsoft was the first company to provide the data control rights at the heart of GDPR to our customers around the globe, not just in Europe".
Having given greater privacy protection to people around the world, Microsoft thinks it's time that other companies follow suit. Brill says that not only does the US need new privacy laws, but they need to work with those that are in place in other countries:
No matter how much work companies like Microsoft do to help organizations secure sensitive data and empower individuals to manage their own data, preserving a strong right to privacy will always fundamentally be a matter of law that falls to governments. Despite the high level of interest in exercising control over personal data from US consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today.
In the absence of federal action, California took an important first step forward in advancing privacy protection with the passage of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. A watershed for US privacy law, CCPA was the first law in the United States to include rights inspired by GDPR.
Now, it's Congress's turn to adopt a new framework that reflects the changing understanding of the right to privacy in the United States and around the world. Like GDPR, this framework should uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.
California's law is a good starting point. But federal legislation should go further and ensure that companies act as responsible stewards of consumers' personal data. One way to achieve this is by requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed.
This is important because the prevailing opt-in/opt-out privacy model in the United States forces consumers to make a decision for every website and online service they visit. This places an unreasonable -- and unworkable -- burden on individuals. Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.
Federal law must also include strong enforcement provisions. As I saw first-hand when I served on the Federal Trade Commission, laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today's complex digital economy.
Finally, while federal privacy legislation should reflect US legal precedent -- and the cultural values and norms of American society -- it should also work with GDPR. For American businesses, interoperability between US law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing -- and even conflicting -- requirements for privacy protection in the countries where they do business.