The transfer of data between the US and Europe has been something of a privacy and security nightmare. In an attempt to improve privacy protection, the European Commission established the EU-US Privacy Shield "to restore trust in transatlantic data flows" following Edward Snowden's NSA surveillance revelations, replacing the controversial Safe Harbor arrangement.
Today Microsoft has announced its support for the principles that the framework says companies will have to abide by. More than this, John Frank, Vice President for EU Government Affairs at Microsoft, says the company will comply with Data Protection Authorities' advice in disputes, and cooperate with them on data transfer processes.
Whilst recognizing that "no single legal instrument can address for all time all of the privacy issues on both sides of the Atlantic", Microsoft nonetheless says that Privacy Shield is a good starting point. The company says that additional steps will be needed to localize the framework, and praises the European Commission and US Department of Commerce for what it describes as having helped create "stronger and pragmatic privacy protection".
In a blog post, Frank says:
First and foremost, at Microsoft we believe that privacy is a fundamental human right. In a time when business and communications increasingly depend on the transmission of personal data across borders, no one should give up their privacy rights simply because their information is stored in electronic form or their technology service provider transfers it to another country.
We recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved.
As well as announcing that it will sign up for Privacy Shield, Microsoft also says that it will embrace the dispute resolution process. Specifically, Microsoft will respond to any complaints it receives within 45 days. Having complied with Safe Harbor and cooperated with Data Protection Agencies for nearly 15 years, the company says "we believe it makes the most sense for us to continue with this approach and submit disputes to the DPAs under the Privacy Shield".
The Privacy Shield framework also places transparency obligations on companies, and this is something that Microsoft embraces too:
We also welcome the obligations in the Privacy Shield for transparency about government requests of access to personal information. As a company we have advocated for greater U.S. transparency. In 2013, Microsoft and other U.S. tech companies successfully challenged the U.S. Government over our constitutional right to disclose more detailed information about the Government’s demands for data. And in 2014, we filed suit against the U.S. Government after it attempted to force us to turn over a customer’s email stored in our Irish data center. While we continue to advocate for additional domestic legal steps in the United States, we believe that the European Commission and Department of Commerce have chosen a sensible approach in the Privacy Shield. In this area as in others, we believe the Privacy Shield represents an important step in the right direction.
What needs to happen next is to convince more companies and, importantly, individuals that the Privacy Shield agreement is in their best interests.