A big question for governments and business at the moment, and indeed for users of the Internet all over the world, is how personal data – a person’s identity, personal materials, financial or sensitive information – can be protected in a workable and effective way. This is particularly important in an age where we have ubiquitous connectivity, online business and social networking, and flows and storage of information all over the world on all kinds of computers and devices.
This is an important question for everybody, but not a new one for Microsoft. In fact, 10 years ago this month, Bill Gates himself focused our company’s developers on building strong privacy and security protections into all of our products and services as part of the Trustworthy Computing initiative — which still drives our ethos today. I have blogged before on some of the practical examples of how Microsoft’s commitment to the concept of privacy by design protects consumers using our browser, Xbox, Office, cloud and other products.
Today marks the release of a proposed new set of regulations in Europe to protect personal data, which reflects some important principles and improvements of Europe’s laws in this area. These rules were last updated in 1995 when the Internet was largely in its infancy.
The European Commission’s new proposed Data Protection Regulation, among other things, maintains clear rules that companies must protect individuals’ personal data, while helpfully eliminating inconsistent rules and interpretations across the borders of the 27 EU countries, simplifying some of the administrative paperwork that companies have had to do to comply, and making the transfer of data more workable.
Microsoft’s General Counsel Brad Smith had advocated just such types of improvements to this regulation in his speech on Cloud computing in Brussels two years ago, which we explained in detail in our formal submission to the Commission on these issues.
There is, of course, still a lot to be considered as the national governments, European Parliament and Commission now start looking at this proposed regulation together – particularly as to how this regulation can be effective but also workable in practice. Are some of the details too prescriptive? How can consumers give or withdraw consent in ways that are relevant to their particular activities? Do specific procedures or even technologies really need to be mandated?
And for small businesses – who presently pay about 4 times more per employee than large companies to comply with data protection regulation in Europe – how much is this going to cost? Microsoft cares a lot about protecting individuals’ privacy and personal data, and about getting regulation right so that businesses can comply effectively and cost-efficiently as they offer products and services and run their operations. We’re looking forward to continuing to pursue these important goals in the European data protection dialogue launched by today’s EU announcement.