The EU’s Proposed Data Protection Regulation: Microsoft’s Position
On 25 January 2012, the European Commission announced a proposed General Data Protection Regulation. The Commission’s proposal introduces sweeping reforms designed to modernise Europe’s 17-year-old data protection regime. Microsoft welcomes steps to strengthen and harmonise the data protection regime.
Our company’s greatest asset is customer trust and our technologies are developed with data protection in mind. Our priority is to protect personal data in an age where we support ubiquitous connectivity, pervasive online business and social networking, and flows and storage of information all over the world on all kinds of computers and devices.
Our efforts have led us to conclude that enterprises, including Microsoft, have a critical role to play in protecting privacy – a role that includes embedding privacy protection into products and services early in and throughout the design cycle, and being transparent about how we collect and use data. We place particular value on transparency, because it enables our customers to make informed choices about how their data is used. With this in mind, we have invested heavily to provide clear and easy-to-understand guidance about how we gather, store, manage and secure information. Microsoft’s Office 365 Trust Center is a concrete example of how we put our privacy principles into practice. The Office 365 Trust Center provides transparency about how we promote privacy and security, what international standards we adhere to, and how data flows in our services, among other matters.
Of course, industry efforts alone are inadequate to ensure the privacy and security of personal data. A regulatory environment that promotes transparent and responsible practices is also essential. It is clear, however, that the dramatic technological changes of the past decade have tested Europe’s existing data protection framework (Directive 95/46/EC). While the explosive growth of the internet has brought us tremendous social and economic benefits, internet technologies have also fundamentally expanded how, where and by whom data is collected, transmitted and used.
The rapid growth of cloud computing is a prime example. Attracted by the significant cost savings and flexibility of cloud services, individuals, businesses and governments are storing and sharing unprecedented amounts of information online, leading to a significant increase in the quantity and types of data collected and processed by third parties. Cloud technologies offer great promise for Europe, with estimates indicating that the cloud will create a million new jobs and several hundred thousand new small and medium-sized enterprises, and drive down the cost of ICT for the public and private sectors. But these and many other web-enabled benefits will only be realised if users have confidence that their personal data and the data they process for others are safe in the cloud.
The challenge before us is thus how to protect Europeans’ privacy while also encouraging innovation and facilitating the productivity and cost-efficiency offered by new computing paradigms like the cloud. The Regulation adds a number of important measures that will help to achieve these goals, including requirements that companies design technologies with privacy in mind, be transparent about their processing activities, and remain responsible for how they use personal data. The proposal also helpfully addresses inconsistent rules and interpretations across the 27 EU Member States, reduces the administrative paperwork for companies, and improves mechanisms to transfer data safely outside of the EU.
Other proposals – particularly those relating to online technologies – need refining to ensure that the protections they offer are both strong and workable. For example, the Regulation in some places dictates not only what obligations apply, but also how those obligations should be implemented – moving the Commission beyond creating regulation to support privacy and into designing technology and business processes. Overly prescriptive approaches in areas like a “right to be forgotten,” data portability, and consent do not always reflect how the internet is technically structured today, what consumers want and need, or how technology is likely to evolve tomorrow. Obligations that cannot be properly implemented due to technical hurdles, or that frustrate data subjects, or that become obsolete when technology changes, will be of little lasting value.
The next generation of privacy regulation in the EU ultimately needs to achieve two ends: it must provide transparency and robust protection to data subjects, and it must allow organisations to innovate while holding them accountable for achieving an appropriate level of data protection. Achieving both of these goals will enable Europeans to benefit from online service offerings and to compete globally by innovating to create their own services. A regulatory environment that achieves these ends is particularly important for small and medium-sized European businesses to innovate successfully, leading to job and wealth creation. This is a serious challenge, but also a tremendous opportunity for responsible companies – and indeed for all of us concerned with the protection of data.
Please click here to read the full Microsoft Position on EU privacy regulation.
See F. Etro, The Economics of Cloud Computing (March 2011), available at http://www.intertic.org/Policy%20Papers/JManEc.pdf.