data privacy

  • October 20, 2015
    Guest Post

    by Brad Smith, president and chief legal officer, Microsoft

    *This piece first appeared at Microsoft on the Issues

    When people who care about technology look back at the year 2015, they will remember October as the month when the EU-U.S. Safe Harbor collapsed. An international legal agreement that has been in place for 15 years was invalidated in a single day. On Oct. 6, the Court of Justice of the European Union struck down an international legal regime that over 4,000 companies have been relying upon not just to move data across the Atlantic, but to do business and serve consumers on two continents with over 800 million people.

    The decision made clear what many have been advocating for some time: Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud. In both the United States and Europe, we need new laws adapted to a new technological world.

    As lawyers and officials scurry to assess the situation, it’s apparent that both a variety of smaller steps and a more fundamental long-term change will be needed. We need to focus on both of these aspects.

    It’s important to focus on a wide variety of steps, especially given the potentially drastic ripple effects caused by the collapse of the U.S.-EU Safe Harbor. Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts. In addition, companies like our own that have put in place additional safeguards such as the EU Model Clauses will rely on and add to them, even while everyone discusses additional measures.

    But for the sake of the long-term we should also recognize some obvious and fundamental facts. We need solutions that will work not just for large tech enterprises but for small companies across the economy, and for consumers most of all. If we’re going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.