With the one-year anniversary of the European Union's adoption of its General Data Protection Regulation (GDPR) coming up on Saturday, Microsoft is calling on Congress to do the same in the U.S.
In a blog post on Tuesday, Microsoft's Julie Brill, corporate vice president and deputy general counsel, made the case that Congress and the federal government need to implement a privacy protection framework that is similar to, and works with, the EU's GDPR.
"No matter how much work companies like Microsoft do to help organizations secure sensitive data and empower individuals to manage their own data, preserving a strong right to privacy will always fundamentally be a matter of law that falls to governments," said Brill in the blog. "Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today."
While there's nothing like GDPR on the federal level, Brill pointed out that California took an important first step toward advancing privacy protection by passing the California Consumer Privacy Act (CCPA) which will go into effect on Jan. 1, 2020. Brill called California's privacy law a watershed moment in privacy protection since it's the first law in the U.S. that includes rights inspired by GDPR.
California's law is a good first step, but Brill said Congress needs to adopt a privacy framework that gives people control over their data, and requires more accountability and transparency in regards to how companies use the personal information that they collect, that latter of which has been highlighted of late by Facebook. Federal legislation could also require companies to act as responsible stewards of customers' personal data.
"One way to achieve this is by requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed," according to Brill. "This is important because the prevailing opt-in/opt-out privacy model in the United States forces consumers to make a decision for every website and online service they visit. This places an unreasonable—and unworkable—burden on individuals. Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information."
Brill, who served on the Federal Trade Commission, also said federal law needs to include strong enforcement provisions because the current laws don't have enough teeth to enable the FTC to protect privacy effectively in today's digital economy.
"Finally, while federal privacy legislation should reflect U.S. legal precedent—and the cultural values and norms of American society—it should also work with GDPR," Brill said. "For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting—requirements for privacy protection in the countries where they do business."
Brill noted that Brazil, China, India, Japan and South Korea were among the nations that have passed new laws, proposed new legislation or are considering changes to their existing laws to their privacy regulations to align more closely with GDPR.
Brill said more than 18 million people have used Microsoft's privacy dashboard to manage their personal information since GDPR went into effect.