Microsoft has expressed deep concern over the United States failing to enact strong privacy regulations even as many other countries are bringing in new legal frameworks, without U.S. involvement, to preserve and protect the personal data of their citizens.
These apprehensions were expressed by Julie Brill, Microsoft's Chief Privacy Officer, who also serves as the company's Corporate Vice President for Global Privacy and Regulatory Affairs, in a blog post based on the results of a YouGov poll that revealed 90% of people are concerned about sharing their information online.
Brill said that because people's data, such as information about their health, location, and work, is essential to achieving digital transformation, people need to believe that their information is used responsibly and respectfully. However, the lack of strong privacy laws makes it difficult for people to find out what personal data is collected about them or how it will be used.
The YouGov survey, based on opinions of 5,000 registered voters in the US, revealed that while 90% of people are concerned about sharing their information online, 70% of them don’t think the government does enough to keep their personal data private, and a similar number would like to see privacy regulation addressed during the next administration.
"As countries around the world pursue new legal frameworks, global standards are being developed without U.S. involvement. In contrast to the role our country has traditionally played on global issues, the U.S. is not leading, or even participating in, the discussion over common privacy norms," Brill wrote.
"If the U.S. wants to join the global conversation about how to develop robust privacy and data protection laws that will enable innovation through responsible data use, it will need to act fast. If Congress does not act soon, we will see the balance of power on these critical issues shift away from Washington, D.C., and move to Brussels, Berlin, New Delhi, and Tokyo."
Onus on companies to create strong privacy protection frameworks
Brill also said that the onus to create and maintain trust must fall on the companies that collect, process, and store personal data. As of now, the vast bulk of responsibility for privacy protection is placed on individuals, and the vast number of websites, devices, and apps that people rely on makes it even harder for them to navigate the privacy information overload and make informed decisions about how their data is used.
"Instead of lobbying Congress or state legislatures to water down or block privacy legislation, it is time for businesses to advocate for stronger privacy laws in this country. In addition to engendering greater trust with their customers, strong privacy law will provide companies with clear guardrails about how they can use data for responsible innovation with greater assurance.
"And whether new laws are passed or not, it is essential that companies develop their own strong privacy standards and assume accountability for how they use customers’ data," she added, stating that new frameworks of trust should be based on transparency about how companies collect, use and share personal information, the empowerment of consumers, corporate responsibility, and strong enforcement.
However, neither companies nor the government can act alone on this front, she said, adding that it is time for government and business to work together to pass laws and reinvent practices to recognise the individual right to own and control personal data and to place the responsibility for protecting privacy where it belongs – on companies.
"This is the best and only way to create conditions that will make trust possible. It is also an essential foundation for building a recovery that is robust and sustainable and serves everyone equally," Brill concluded.
Microsoft's concern over the lack of strong privacy laws in the U.S. comes not long after the European Court of Justice invalidated the EU-U.S. Privacy Shield, stating that personal data protection and its judicial protection in the U.S. do not meet the requirements of EU law.
The court noted that the personal data of EU citizens can be processed outside the European Union only if a country has data protection rules and regulations that are essentially equivalent to those required under EU law. However, in the case of the United States, there is no such equivalence, as the scope of surveillance programmes is not limited to what is strictly necessary.
It added that the limitations on the protection of personal data from the access and use by U.S. public authorities do not place any limitations on the power they confer to implement surveillance programmes and also do not offer any guarantees to potentially targeted non-U.S. persons.