EU Policy Blog
News and perspectives on EU digital policy
Sat, 29 Apr 2017 13:40:06 +0000

Microsoft appoints globally respected regulator to privacy leadership role
Fri, 28 Apr 2017 16:26:42 +0000

Microsoft announced today that Julie Brill, former Commissioner of the U.S. Federal Trade Commission (FTC), will join Microsoft to lead privacy, data protection and other regulatory issues as head of its Privacy and Regulatory Affairs Group.

Brill will join as corporate vice president and deputy general counsel for Privacy and Regulatory Affairs. She will report directly to Brad Smith, Microsoft’s president and chief legal officer.

Skype in the EECC: Suffocating a European success story or allowing others?
Thu, 20 Apr 2017 13:15:32 +0000

Skype represents a remarkable European success story. Founded in Estonia by a Swede and a Dane, it unlocked free and low-cost communications for the entire world. It is a perfect demonstration of what Europe hopes to achieve; a true digital single market player. Today, 500 million Europeans from Poland to Portugal can enjoy how Skype, and other Internet-based messaging services, allow them to send messages, make video and voice calls, translate conversations in real time, and for some, call a traditional telephone line over the Internet.

Revenge of the past on the future?

Both the European Parliament and the Council are currently debating a European Commission proposal that threatens to curtail these benefits: the European Electronic Communications Code (EECC). The outcome of this debate is largely unknown. Will Internet-based services available across Europe be chopped up into different national services? Or will it be recognized that there are no substantive reasons for regulating modern communication apps and services within the telecoms framework because they are, from a consumer perspective, substantially different? Consumers use these apps and services because they are free or low-cost and easy-to-use. On any given day, they can switch between all sorts of communications apps and services. Moreover, these apps are increasingly integrated into other services, from babysitter apps and social networks, to customer support. This environment is very different to the traditional regulated telephone service of the 20th century.

Number-dependency: Much ado about nothing?

Today, Skype is provided for free over the Internet just like other web content, services and applications. It also offers low cost calls to traditional phones. In the proposed EECC, this “number-dependency” – the use of telephone numbers – triggers a whole range of telecom-specific regulation. Yet, it is worth mentioning that there are very few network-independent providers which offer Internet telephone calls, and the usage of these features can be considered marginal. Just 3% of Skype customers – approximately 0.5% of European citizens – use the app to call traditional phones.


Does this justify all the obligations that have been proposed? Let’s look at it from a consumer and public policy perspective. Like other network-independent services, Skype calling – despite the ability to call a network-dependent telephone line – is substantially different from fixed or mobile telephony in terms of connectivity, devices, functionality, contracting, pricing, and means of payment:

  • One requires the Internet, the other does not (Skype cannot be used without access to the Internet. A telephone service requires no Internet access).
  • One provides a phone number, the other usually does not (while Skype offers a separate product feature called Skype Number – providing the user with a phone number on which they can be called – very few users purchase Skype Numbers and make outbound calls to traditional phones).
  • One is sold via long-term contracts, the other is not (Skype does not require a long-term contract; like many other apps, it is pay-as-you-go).
  • One entails a significant financial commitment, the other does not (indicative of the ancillary, supplementary nature of Skype).
  • One comes with expectations about call quality and service levels, the other does not (providers of traditional telephony services run the network that customers use to access the service and, thus, directly control the quality of service. Skype does not).
  • One is simply about making traditional phone calls, the other encompasses much more (including the ability to share documents and content, send instant messages, make a video call, translate the conversation, or interact with a bot).

Many of the sector-specific consumer protections in the EECC are irrelevant to users of a service like Skype. Unlike traditional telephone services for which these consumer protections were developed and applied, consumers can at any time stop using the service, change to a different service, use different services simultaneously, or return to Skype, at no cost and at any time.

Moreover, Skype simply cannot comply with some consumer protection obligations since its quality of service is dependent on Internet access providers’ networks. Emergency calling is not possible in countries that operate more than one emergency calling center as calls cannot be routed properly without a caller’s location, and number portability cannot be provided where there is no phone number to be ported. Other obligations related to switching, billing and usage monitoring disregard the business model logic of low-cost, prepaid, and interchangeable applications like Skype.

Appropriate regulation of services that enable limited connection to phone numbers requires a much more tailored review of provision to ensure that specific public policy objectives are being addressed. Simply applying the full gamut of traditional telecom regulation will dampen innovation because these rules are disproportionate to the capabilities offered by services like Skype Out.


Who would benefit?

No one is likely to benefit from this; not the 0.5% of Europeans using the Skype calling feature, and not even incumbent telephone companies who continue to clamor for the creation of a “level playing field.” The incumbent telecom providers no longer depend on voice services to bolster their bottom line; rather, they depend on Internet services to drive data subscriptions. And Skype calling is not a substitute for traditional telephony. However, it is likely that some Skype features will disappear if the regulation remains unchanged.

With its beginning in Estonia, Skype was one of the original European digital success stories. MEP Dita Charanzová is encouraging the European Parliament to pare down the proposal to what is needed to protect consumers, ensure innovative services are promoted in Europe, and achieve the Digital Single Market. In just a couple of months, Estonia will take over the Presidency of the Council of the EU, working hand-in-hand with Vice President Ansip, also an Estonian, and the European Parliament to finalise the EECC. We hope that with this digital leadership, European regulation doesn’t end up suffocating this Euro-Estonian success story but helps to build the framework for allowing others.

Export Controls: The Next Frontier in Cybersecurity?
Thu, 13 Apr 2017 13:42:22 +0000

When it comes to cybersecurity, issues such as data protection or data localization tend to dominate the headlines, as well as regulators’ attention. But a number of other developments are unfolding which have significant repercussions for the sector, even if they have gone largely unnoticed. These relate to two different sets of export control regulations.

Last week, governments met in Vienna to once again discuss multilateral export controls on intrusion software proposed under the Wassenaar Agreement. Meanwhile in Brussels, the EU is moving ahead with a proposal for export controls on cyber-surveillance tools, as part of proposed revisions to its trade regulations. Both of these regulatory efforts are a matter of considerable importance for network owners, cyber responders, policymakers, and academics alike – many of whom came together to discuss the topic in Brussels last week, at the invitation of the Coalition for Responsible Cybersecurity and BSA | The Software Alliance.

The EU’s proposed controls on cyber-surveillance tools are particularly broad, having been expanded to include not only intrusion software but also monitoring centers, lawful intercept and data retention systems, and digital forensics. In essence, it creates an entirely new area of regulation for “Other Items of Cyber-Surveillance Technology”.

Much like the Wassenaar member states’ efforts, the EU’s intentions are focused on protecting human rights. Governments around the world are struggling to balance a range of issues thrown up by technological progress, including the line between technology used to secure and technology used to surveil. Both the Coalition and BSA believe more can and should be done to shore up human rights in the digital era. But many of the technologies which would fall under the scope of these two controls are in fact the solution, not the problem – they can be used to safeguard human rights and protect national security.

As MEP Marietje Schaake has said, “the question is how to make sure that stopping such exports is achieved in a targeted way, without unnecessary burdens, and in a way that provides legal clarity and certainty for business as well as authorities. It is absolutely essential that legitimate security research is not hindered. More information exchange, greater transparency, and much clearer guidance on how criteria such as human rights and repression should be interpreted are key.”

One of the principal challenges relates to the breadth of the proposed controls. When the definitions of what should be considered as “intrusion software” or “cyber-surveillance tools” are too broad, this not only risks impeding the development of defensive cyber-technologies, it also leaves the door wide open to confusion and misinterpretation. In many instances, there is broad agreement as to the specific systems which are of most concern to governments, but so far definitions and associated control descriptions remain broad, vague, and subject to multiple interpretations. Both industry and academics have expressed concern about this issue, which is only compounded by a lack of transparency into the process by which the Wassenaar member states define their terms.

Regulatory challenges of this scale warrant deep engagement with private sector experts, who can help ensure any regulation is logically scoped, sufficiently specific, or even purely sanctions-based. This is the path to providing the clearest guidance; a way to protect individual rights whilst supporting European growth and innovation, and avoiding unintended consequences.

The Coalition for Responsible Cybersecurity, along with many others in the sector, encourages governments to continue to address both the intrusion software controls and the proposed controls on cyber-surveillance tools in a thoughtful and targeted manner, and we stand ready to engage in further dialogue on this critical issue.

Ethics now: shaping a new ethical framework for health data
Fri, 07 Apr 2017 09:00:43 +0000

Artificial intelligence and big data have the potential to revolutionize and democratize healthcare across societies. However, their use carries significant ethical implications. We must ensure that the right frameworks are in place so that new technologies help, rather than harm, human welfare, and that we avoid missing opportunities to improve living standards.

When it comes to technology, we have already seen successful applications of AI and big data in healthcare, including data analytics in clinical trials, prevention of re-admissions, faster diagnosis of rare diseases, and better predictions of diseases like cancer. So there is an urgent need to make progress on data ethics as well. Whilst these applications may entail specific regulatory and compliance requirements, compliance is not the same as ethics. Compliance may be compared to playing by the rules of the game. Ethics is how well you play. It is therefore an ongoing process aimed at improving the game itself, which means, in this case, doing anything we can to improve human welfare whilst fostering individual and social rights.

There is a significant difference between what can be done (feasibility), may be done (legality) and should be done (ethics). Striking the balance between these three elements can be challenging, especially when it comes to the ethics of health data, a particularly sensitive kind of personal information. That is why it is vital to speed up research into the topic and invest in foresight analysis. In our digital society, the implications of technology are no longer purely legal or technical. They have become conceptual, forcing us to reconsider fundamental philosophical questions related to personhood, identity, the human condition, and the values we wish to promote.

To this end, the Digital Ethics Lab of the Oxford Internet Institute (OII) at the University of Oxford, the Data Ethics Group at the Alan Turing Institute (ATI), and Microsoft are collaborating on a new project on “The Ethics of Medical Data & Advanced Analytics”. This aims to foster research around the ethics of health data in Europe. Over the past few months, we have created a network of experts from across the fields of ethics, law, healthcare, machine learning, and industry, and brought them together to scope the ethical considerations related to adopting advanced analytics tools and exploiting health data. Over the next two years, we plan to establish best practices for the ethical use of health data, and to identify and help mitigate any risk of unethical consequences.

Convening the relevant stakeholders to tackle these issues is essential if we are to unlock the vast potential of data, which is fast becoming a most valuable resource. Within the OII’s newly established Digital Ethics Lab, we have an opportunity to collaborate on new projects such as the one supported by Microsoft on developing a European ethical code for data donation and encouraging data philanthropy, which is building on the joint “Ethics of Medical Data & Advanced Analytics” project mentioned above. The goal is to explore ways in which citizen participation in research efforts may be supported via ‘data donations’, and to shape best practice with regards to respecting individuals’ rights as well as ensuring proper regulatory oversight of existing and future data exchange partnerships between governments and tech companies.

This is an ambitious plan and it is clear that we are only just embarking on what will be a long journey. Yet it is a necessary one. Existing ethical frameworks are insufficient to address the specific challenges faced in medical data analytics, and to ensure that Europe maximises its benefits while minimising its risks. There will undoubtedly be difficulties along the way, but the ultimate destination – a digital world underpinned by a pro-ethical infrastructure – is well worth the effort and work.

Staying the course on data flows: a priority for the G20
Wed, 05 Apr 2017 10:10:51 +0000

How to create confidence in the digital world? We at Microsoft have joined the G20’s business dialogue process (B20) and will discuss concerns and responses to this question at the G20 Conference on “Digitalization: Policies for a Digital Future” taking place in Düsseldorf today, before the meeting of the G20 digital ministers.

Digitalization and its impacts are high on the G20’s list of priorities for 2017. Digital transformation has become a way to drive “strong, balanced, sustainable and inclusive economic growth” and an overarching prism to view how we regulate a series of interconnected policy issues. Because of the impacts on our local economies, we need international dialogue and joined-up thinking about how to advance digital developments both wisely and responsibly.

The B20 taskforce on digitalization has identified three areas for collective action: encouraging the uptake of industrial Internet applications, supporting the evolution of Artificial Intelligence (AI), and fostering global connectivity. Although the EU’s Digital Single Market Strategy can help address many issues, concerns remain that uneven application of new rules could further fragment, rather than unite, the single market.

Data localization measures are a prime example, designed to keep data within national borders. Such policies are sometimes called for in an attempt to protect national economic interests but frequently have the opposite effect. Such requirements are particularly burdensome for SMEs, who suddenly need to know all the ins-and-outs of the varying legislation applicable in every Member State they operate in. This is manageable for a large multinational company with hundreds of in-house lawyers; less so for a startup or a family-run business. Bearing in mind that SMEs represent 99% of all businesses in the EU, the potential impact on Europe’s overall competitiveness is considerable.

But questions related to the free flow of data go beyond Europe’s borders. A recent McKinsey report notes that while trade in goods and services has declined since 2012, digital flows of commerce and information have soared. In a decade, cross-border bandwidth has grown 45 times larger and global data flows have raised the world’s GDP by an estimated 10 percent. As my colleague from Microsoft Germany, Sabine Bendiek, put it recently: “the new global trade economy is no longer measured in standard shipping units, but in bits and bytes.”

Information continuously crisscrossing the globe is not just good news for the technology industry. The OECD has pointed out how cross-border data flows enable companies from all industries, and of all shapes and sizes, to participate in the global economy. SMEs in particular benefit from access to new markets and trading opportunities; over half of the companies that had registered under the Privacy Shield’s predecessor, the Safe Harbor agreement, had fewer than 100 employees.

The free flow of data underpins the competitiveness of local economies and the functioning of global marketplaces. But appropriate privacy and security safeguards should underpin the data flows themselves. As MEPs Viviane Reding and Jan Philipp Albrecht highlighted just last week, “data privacy and data flows are not mutually exclusive. They can reinforce each other.” The EU’s efforts in this regard have already led to data transfer agreements with 12 countries, as well as the launch of negotiations with Japan and South Korea – giving Europe a strong economic footing on the world stage.

The ongoing commitment to finding common ground across borders is a principle which should underpin all our dealings in the digital era. This means improving the harmonization of legal frameworks and standards, pursuing international dialogue based on shared values (which may themselves need to be updated – something I talked about in Berlin yesterday), and making existing rules such as Mutual Legal Assistance Treaties (MLATs) fit for the digital age.

So when it comes to moving forward with confidence, we need to create a future that builds trust, and to build enduring trust, we must find ways to advance inclusive and responsible digitalization.

Celebrating Europe
Thu, 23 Mar 2017 09:06:49 +0000

Sixty years ago, on the 25th of March 1957, European politicians gathered in Rome to lay the blueprint for the European Union as we know it today. This momentous occasion ushered in decades of peace and prosperity, and we at Microsoft are proud to join in the Treaties of Rome anniversary celebrations.

Our success as a company has been closely linked to the success of the European project. We’ve always supported the fundamental ideal of a union of European nations and peoples, even if we’ve sometimes disagreed with the EU on specific issues, and paid some record fines along the way. When all is said and done, the arguments in favor of the European Union far outweigh those against.

Microsoft’s own European journey began in 1982 when we opened a headquarters in London – our first outside the U.S. At the time, the company employed just 128 people worldwide. Today, 25,000 of our employees live and work in Europe. Our main European operations are based in Dublin, Ireland. And our business is increasingly rooted in cloud computing – technologies which will transform Europe’s economy.

I vividly remember my first business visit to Brussels. It was in 1995 and I had recently started working for Microsoft in Paris. Brad Smith – now Microsoft’s President and Chief Legal Counsel – and I travelled to Brussels for meetings with EU officials. But on that occasion, we also had another very particular mission: to introduce Stuart ‘Stu’ Eizenstat, the U.S. Ambassador to the EU, to the most exciting new technology of the time – the World Wide Web. Our demo equipment tripped the circuit breaker and we literally turned off the lights, but the power of the Web to transform society was evident. Over twenty years later, I’ve come full circle, living and working full time in Brussels to try to help shape a regulatory framework for cloud computing.

It seems fitting to recall this anecdote on EU Digital Day. Tremendous technological leaps forward have been made in a relatively short time. But it’s likely that there are plenty more to come. As digital has become increasingly interwoven into the fabric of societies and citizens’ lives across the globe, Brussels’ significance has grown.

Today, the EU is the center of regulation for the ICT industry, setting standards and norms for the rest of the world and exporting policies on key issues such as privacy, security and competition law. Amidst the ongoing debate about the purpose of the EU, setting rules for the technology sector which benefit Europeans and the European economy is an achievement to be proud of. In our industry we have a saying, “Where the U.S. talks, Europe acts”. This is a good thing for us, too, because rules help people trust our technology.

Respectful and constructive transatlantic relations are a necessity for the data economy to work properly. The EU-U.S. Privacy Shield is just one example of how Europe and the U.S. can successfully work together. This agreement protects Europeans’ privacy rights in the U.S., whilst allowing U.S. companies to offer their services in Europe and create jobs at home and abroad.

If both sides of the Atlantic are to seize the opportunities offered by the digital transformation, then we must narrow – not widen – the gap between Brussels and Washington D.C. This week, as the EU reflects on its past and looks to its future, it’s worth remembering how transatlantic relations grounded in mutual respect, trust and openness have been and will be key to our common wellbeing. Microsoft’s focus going forward is to help make sure existing bridges between Brussels and Washington D.C. stay open and to help build new ones for even closer cooperation in future.

B20: The new global economy runs on free flow of data and trust
Fri, 03 Mar 2017 09:05:16 +0000

The German Federal Government took over the G20 Presidency at the end of last year. The economic dialogue B20 is an integral part of the G20 process, representing the entire business community of all G20 members. Its mission is to support the G20 through concrete policy proposals, consolidated representation of interests and expertise. Within the B20 task forces, joint recommendations for action are developed by representatives from trade associations, industry and international organisations from around the world.

Sabine Bendiek, Chairwoman of the Management Board, Microsoft Germany, is Co-Chair of the B20 Digitalization Taskforce, which was established for the first time within the B20 process. The taskforce will present the results of its work during the meeting of G20 digital ministers on “Digitalization: Policies for a Digital Future” to be held on 6-7 April in Düsseldorf. Next to topics such as Industry 4.0 and artificial intelligence, the B20 Digitalization Taskforce also addresses policy recommendations in the area of cross-border data flows. The B20 dossier on the topic, written by Sabine Bendiek, explains the significance of free data flows for the global economy and outlines the implications for political and legal frameworks.

Read Sabine Bendiek’s full contribution “The new global economy runs on free flow of data and trust” in the B20 Digitization Dossier.

This article first appeared on our Microsoft Politik Blog (in German), published by Inger Paus, Head of Social and Economic Policy, Microsoft Germany.

Why we need new rules to deal with cyber (in)security
Fri, 24 Feb 2017 15:45:08 +0000

Last weekend, I had the pleasure of joining over 500 political leaders, diplomats, academics, civil society representatives and tech industry colleagues, at the 2017 Munich Security Conference (MSC). As was to be expected given the recent installation of a new U.S. administration, the future of the transatlantic relationship dominated conference discussions – but I was surprised at how the topics of cybersecurity, and insecurity, kept coming up over and over again.

Cybersecurity concerns have escalated into one of the central security policy issues of our time, with serious implications for the stability of our economies and social structures. Recent incidents of state hacking and doxing, as well as the distribution of fake news, have raised awareness and concerns to new levels.

Forty nations are currently known to be developing offensive cyber capabilities, reinforcing the urgent need for international rules for cyber actions, whether in war or peacetime. Microsoft has been one of the most vocal companies advocating for cybersecurity norms to govern state actions – we’ve come up with proposals for such norms for both the public and private sectors. And just last week, at the RSA Conference in San Francisco, Microsoft’s President, Brad Smith, called for a Digital Geneva Convention to protect civilians on the Internet in peacetime.

While at MSC, Microsoft hosted a discussion entitled “Cyber Influence, Attack, and Integrity – The Need for Norms of State Behaviour in Cyberspace,” moderated by my colleague Jan Neutze. I had the pleasure of introducing former U.S. Secretary of State, Madeleine Albright, who spoke on the topic, followed by a delegation of international panelists united by their expertise: former U.S. Secretary of Homeland Security, Michael Chertoff; the former Foreign Minister of Estonia, Marina Kaljurand, and Julian King, European Commissioner for the Security Union.

The principle of integrity was central to the discussion. It doesn’t just mean sticking to a code of values – something very pertinent in the context of defining acceptable behavior in cyberspace – it also defines “a state of being complete or undivided”.

This isn’t only about keeping cyberspace safe in the face of escalating threats. It’s about ensuring that all actors are united in their determination to protect citizens online. We should all lend our support to the recently launched Global Commission on the Stability of Cyberspace, an organization which will be entirely dedicated to developing policies that can improve security in cyberspace.

So where do we go from here? I think the answer lies in strong engagement from all; whether around agreeing to norms of conduct and building the capacity to enforce them, or finding ways to address the challenges of attribution and deterrence. A global agreement should create mechanisms to foster cooperation on attribution and hold perpetrators of attacks accountable.

We can learn from and build on the work of international legal experts whose recently published Tallinn Manual 2.0 is a very timely and valuable contribution on how existing international law applies to cyberspace.

Defining the parameters for state actions deserves broad and thoughtful discussion to find agreement where we can. Constructive and collective dialogue is the only way to progress. There was an overwhelming consensus in Munich that nation states should not be interfering with each other’s electoral processes, be it around balloting, counting, or reporting. It may be harder to reach agreement in other areas.

However, I did get the sense from almost all attendees at MSC that, now more than ever before, it is vital that we demonstrate a commitment to international cooperation, in particular to the historically-significant relationship between Europe and the United States, and to reducing cyber insecurity. In times of uncertainty, we should aim for more unity, not more division.

Get GDPR compliant with the Microsoft Cloud
Wed, 15 Feb 2017 12:00:52 +0000

The new General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades. The GDPR requires that organizations respect and protect personal data – no matter where it is sent, processed or stored. Complying with the GDPR will not be easy. To simplify your path to compliance, Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on May 25, 2018.

The need for a Digital Geneva Convention
Tue, 14 Feb 2017 13:42:29 +0000

This year’s RSA Conference in San Francisco brings the world’s security professionals together to discuss cybersecurity at a critical time. The past year has witnessed not just the growth of cybercrime, but a proliferation in cyberattacks that is both new and disconcerting. This has included not only cyber-attacks mounted for financial gain, but new nation-state attacks as well. As engineers and other employees across the tech sector meet in San Francisco, we need to ask ourselves what our response should be.