This week I’m in Hong Kong at the 39th International Conference of Data Protection and Privacy Commissioners. This is the seventh year in a row that I’ve attended. In 2014, as a commissioner on the U.S. Federal Trade Commission, I was the first U.S. official to serve on the International Conference’s executive committee. This year I’m attending in my new role as corporate vice president and deputy general counsel at Microsoft. Now, instead of being a regulator, I’m one of the regulated.
These gatherings are always important because privacy commissioners play such a key role in formulating and enforcing frameworks that protect individuals’ right to privacy and that regulate what companies can do with data. If anything, this year’s conference is more consequential than ever. Advances in cloud computing, data analytics and machine learning are beginning to revolutionize how we live, work and play, and the decisions privacy commissioners make will have a huge influence on how much people and businesses around the world benefit from this new wave of technology innovation.
Europe’s new General Data Protection Regulation (GDPR), which will take effect next May and which Microsoft supports, is a good example of the impact that privacy regulations can have. GDPR’s data protection provisions reach farther than any previous privacy law and the effect on how companies collect, move and use data will be enormous. That’s why Microsoft and other global technology companies are working around the clock to strengthen compliance and to make sure that our customers have everything they need to be ready as well.
But companies aren’t the only ones that need to respond to GDPR’s stronger requirements. The European Union (EU) has long required that countries have an adequate level of data protection to permit cross-border data transfers from countries in Europe. Because this adequacy requirement is now part of GDPR, countries around the world are reviewing their existing laws and considering changes to ensure that their data can flow freely in and out of Europe.
Japan, South Korea and Hong Kong are all exploring steps to create a legal and regulatory environment that aligns with GDPR. Japan has already adopted new data protection standards that more closely reflect GDPR, and Japan and the EU have announced that they are working to achieve a simultaneous finding of adequacy by early next year. Regulators in South Korea are also seeking an adequacy assessment, and in Hong Kong, the Office of the Privacy Commissioner is reviewing Hong Kong’s Personal Data (Privacy) Ordinance to determine what changes to recommend in light of GDPR.
Privacy Shield, a bilateral framework that facilitates data transfers between the EU and the U.S., is a possible model for other countries as they prepare for GDPR. It could serve as a useful reference point in Japan’s discussions with the European Commission about EU-Japanese data flows. Another encouraging approach is the Cross Border Privacy Rules (CBPR) system developed by the 21 nations participating in the Asia Pacific Economic Cooperation forum. This framework is designed to allow companies to use established mechanisms to protect the privacy and security of personal data as it moves across borders.
Support for sound regulatory frameworks isn’t the only way Microsoft promotes privacy and data protection for cross-border data transfers. Finding the right balance between the need for law enforcement to have appropriate access to data and our commitment to protect our customers’ privacy and their data is another critical issue that Microsoft has been deeply involved in.
Notably, in 2014, Microsoft sued the U.S. government to prevent a U.S. warrant from compelling us to produce email stored in a Microsoft data center in Dublin. We filed this case because it involves an extraterritorial application of a decades-old U.S. law that does not provide such authority and because it ignores Irish laws and the rights of those who own the emails. In the future, when critical principles with important consequences for our customers are at issue, we will not hesitate to return to the courts to uphold basic rights.
At the same time, we are heartened that the U.S. Congress is considering legislation to modernize the aging data protection framework in the U.S. and to provide a clear and fair legal process when governments seek to access emails and other digital information. We strongly support passage of the proposed International Communications Privacy Act.
It’s great to be in Hong Kong to attend the International Conference of Data Protection and Privacy Commissioners once again. I’m pleased to be here representing Microsoft, because I know that my former data commissioner colleagues and I all want the benefits and opportunities of technology to be shared broadly by the citizens, consumers, and customers we serve.