The EU-U.S. Privacy Shield’s first annual review begins today in Washington DC and it’s worth recognizing the value of having a review process. The previous Safe Harbor Agreement failed in large part because it wasn’t reviewed in light of changing circumstances, such as the Snowden disclosures.
At Microsoft, we believe the Privacy Shield has contributed to stronger privacy protections for Europeans since its adoption. And the Annual Review process, like all deadlines, has focused the new U.S. Administration’s efforts at taking steps to fulfil its commitments under the Privacy Shield. In the run-up to this week’s meeting, the Administration has made key appointments, including sixteen highly qualified professionals to serve as Privacy Shield arbitrators for European citizens who raise complaints. And the seats on the Privacy and Civil Liberties Oversight Board are being filled. In the change of U.S. Administration, the Privacy Shield remains a bipartisan project, and the Department of Commerce led by Secretary Wilbur Ross has continued the work begun under the leadership of Secretary Penny Pritzker.
The tough negotiations leading to the Privacy Shield were successful precisely because they were challenging and thorough. They were built on a stronger foundation: Deeper understanding on both sides about the other’s privacy laws and legal protections. And the review process can be expected to include some tough discussions about select issues where more progress would be welcomed. It will be more productive to focus on making progress, rather than insisting on perfection.
Microsoft became one of the first companies certified under the Privacy Shield in 2016. Today, around 2500 companies have gone through the detailed certification process, which helps to ensure that Europeans’ data remains protected and their privacy is respected when data is sent to the United States.
The processes we implemented at Microsoft to comply with the Privacy Shield are now being tested by our customers. We have been able to resolve the inquiries that Microsoft has received under the Privacy Shield rules directly with the inquiring individuals and companies, and we did so well within the 45-day deadline. When dealing with Privacy Shield requests, we found that the big investments we are making in GDPR compliance helped enable us to prepare our responses more quickly and efficiently. This summer, we provided written responses to the European Commission’s request for information about companies’ experiences under the Privacy Shield, and we are participating today in one of the review sessions in Washington DC to present our experiences and respond to questions.
As our economy and personal lives continue to be enhanced and challenged by new technologies, we at Microsoft have focused on how privacy and security laws can best serve our customers. We advocate in Europe and the U.S. for privacy protections that enable technology to advance in socially responsible paths. We are supporting legislative initiatives, and we are challenging governments in court on points that we consider important to advance the rule of law and our customers’ important interests in our era of cloud computing.