Microsoft’s commitments, including DPA cooperation, under the EU-U.S. Privacy Shield

Why we conclude, after detailed review, the Privacy Shield should be approved

In light of the ongoing discussions about the EU-U.S. Privacy Shield – the framework to replace the Safe Harbor agreement that governed data transmission between Europe and the United States until it was overturned last October – I wanted to share an overview of where Microsoft stands in this important debate. The issue has been especially important to me.  Until late last year, I was responsible for Microsoft’s law enforcement and national security matters at the company’s headquarters in Redmond, Washington, and so I have worked directly on many initiatives to enhance and protect our customers’ privacy.

First and foremost, at Microsoft we believe that privacy is a fundamental human right. In a time when business and communications increasingly depend on the transmission of personal data across borders, no one should give up their privacy rights simply because their information is stored in electronic form or their technology service provider transfers it to another country.

We recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved.

As a company, we’ve also said since last fall that no single legal instrument can address for all time all of the privacy issues on both sides of the Atlantic. We continue to believe today that additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements.  But we believe that the Privacy Shield as negotiated provides a strong foundation on which to build.

We believe that the European Commission and U.S. Department of Commerce deserve credit for addressing complicated legal issues in ways that create stronger and pragmatic privacy protection for European citizens while enabling the continued movement of data that is the lifeblood of our economies. The European Union and the United States are better off with this new Privacy Shield.

We also recognize that the effectiveness of the Privacy Shield will turn in part on the responsible steps taken by companies to abide by it. For our part, I’m pleased to announce today that Microsoft pledges to sign up for the Privacy Shield, and we will put in place new commitments to advance privacy as this instrument is implemented.

We appreciate that the Privacy Shield creates alternative approaches for addressing and resolving disputes, recognizing that the thousands of companies and organizations that will depend on it are at different stages of maturity, growth, and physical presence in Europe. Part of Microsoft’s commitment, as the Privacy Shield envisions, will be to respond promptly to any individual complaints we receive. Specifically, we’ll do this within 45 days. In addition, Microsoft will commit to cooperate with EU national Data Protection Authorities and comply with their advice as regards any disputes under the Privacy Shield. For Microsoft, which has had a subsidiary and employees present in virtually every EU country for over two decades and which have cooperated with Data Protection Agencies for almost 15 years under the Safe Harbor rules, we believe it makes the most sense for us to continue with this approach and submit disputes to the DPAs under the Privacy Shield.

We also welcome the obligations in the Privacy Shield for transparency about government requests of access to personal information. As a company we have advocated for greater U.S. transparency. In 2013, Microsoft and other U.S. tech companies successfully challenged the U.S. Government over our constitutional right to disclose more detailed information about the Government’s demands for data. And in 2014, we filed suit against the U.S. Government after it attempted to force us to turn over a customer’s email stored in our Irish data center. While we continue to advocate for additional domestic legal steps in the United States, we believe that the European Commission and Department of Commerce have chosen a sensible approach in the Privacy Shield. In this area as in others, we believe the Privacy Shield represents an important step in the right direction.

We’re also committed to doing our own part as a company to provide citizens in the EU and worldwide with information about our practices as a company. We will therefore continue to maintain the highest levels of transparency about government requests for access to personal information. Our Law Enforcement Requests Report (which we started in 2013) and our U.S. National Security Orders Report (which we started in 2014), appear twice a year and provide this information to the public.

Microsoft’s commitment to privacy has been proven by our actions. We were the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for our contractual model clauses governing the transfer of data outside of European Union. We were also the first cloud provider to achieve compliance with ISO’s important new 27018 cloud privacy standard. This focus on privacy reflects not just our belief in fundamental rights and the rule of law, but also our understanding that our business is ultimately built on trust.

We’re entering a remarkable period in the history of technology development as cloud computing connects people around the world to advanced capabilities that have the potential to drive economic growth and address some of the world’s most pressing challenges.

But people won’t use technology that they don’t trust. Legal rules that clearly delineate individual rights, ensure transparency in how those rights are protected, and offer due process when people believe their rights have been violated. They provide a foundation for trust that is essential to realizing the full power of these new technologies to drive innovation and advance human progress.

It took two years of intense negotiation for the European Commission and the U.S. Department of Commerce to hammer out the new Privacy Shield agreement. We appreciate their hard work.

By providing a clear framework that ensures key protections of EU citizens continue when data is transferred to the United States, the Privacy Shield framework is an important step in enhancing trust in the global digital economy, and we hope that it will be approved as negotiated.


John Frank
Vice President for UN Affairs