May 25 marks one year since the European Union’s General Data Protection Regulation officially went into effect. GDPR is a groundbreaking privacy framework that empowers residents of the EU to control their personal information so they can use digital technologies to engage freely and safely with each other and with the world.
A lot has happened on the global privacy front since GDPR went into force. Overall, companies that collect and process personal information for people living in the EU have adapted, putting new systems and processes in place to ensure that individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose.
This has improved how companies handle their customers’ personal data. And it has inspired a global movement that has seen countries around the world adopt new privacy laws that are modeled on GDPR. Brazil, China, India, Japan, South Korea and Thailand are among the nations that have passed new laws, proposed new legislation, or are considering changes to existing laws that will bring their privacy regulations into closer alignment with GDPR.
Empowering people to manage their information through our privacy dashboard
The driving force behind the global movement to modernize privacy laws is the new understanding people have of their right to privacy as technology changes how people create and share information. Around the world, there is a growing expectation that everyone should benefit from digital technology without losing control of their personal information. This is why Microsoft was the first company to provide the data control rights at the heart of GDPR to our customers around the globe, not just in Europe.
One year later, the ever-growing number of people using our privacy dashboard is a clear sign that people want to be empowered to control their data. Since GDPR went into effect, more than 18 million people from around the world have used our tool to manage their personal information. The highest level of engagement, both on a per capita basis and in absolute numbers, continues to come from the United States, where about 6.7 million people have used the dashboard. Not surprisingly, residents of European countries covered under GDPR also account for a significant percentage of people who have visited the privacy dashboard: to date more than 4 million of our customers in the EU have logged on to manage their data.
Transforming culture and advancing privacy throughout the digital economy
To elevate the importance of privacy and embed it in their operational systems, companies like Microsoft that have fully embraced GDPR have undergone a profound cultural shift that begins at the executive level and reaches across the entire organization. Today, at Microsoft our responsibility to protect our customers’ privacy is the starting point for everything we do. Our commitment to greater user control and empowerment is stronger than ever.
You can see the results of this cultural transformation across our products and services. Last month, for example, we announced new steps to increase transparency about the data we collect when people use our products and to provide them with greater control over how their data is used. Those steps include describing the data we collect in clear and simple language; and making it easier for people to control their personal information. To enhance transparency, we are improving documentation and introducing a new biannual report about our data collection procedures.
We are also providing tools to help our customers meet their own privacy obligations under GDPR. To make it easier for game developers to comply with GDPR, we developed tools so they can allow players to view or delete data that is stored about them. We’re delivering features that improve how businesses secure sensitive data and protect the privacy of their employees and customers. We offer encryption to enable companies to protect sensitive data such as credit card numbers and national identifiers such as U.S. Social Security numbers. To help companies safeguard sensitive information on mobile devices, we announced a set of advanced privacy and security capabilities that enable companies’ IT administrators to better enforce privacy and security protection policies. And in April, we released new privacy tools for Office 365 ProPlus that provide greater control over the diagnostic data that is sent to Microsoft, and over optional cloud-based features in Office that enhance functionality.
Toward a framework for new privacy laws in the U.S. and interoperability around the globe
No matter how much work companies like Microsoft do to help organizations secure sensitive data and empower individuals to manage their own data, preserving a strong right to privacy will always fundamentally be a matter of law that falls to governments. Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today.
In the absence of federal action, California took an important first step forward in advancing privacy protection with the passage of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. A watershed for U.S. privacy law, CCPA was the first law in the United States to include rights inspired by GDPR.
Now, it’s Congress’s turn to adopt a new framework that reflects the changing understanding of the right to privacy in the United States and around the world. Like GDPR, this framework should uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.
California’s law is a good starting point. But federal legislation should go further and ensure that companies act as responsible stewards of consumers’ personal data. One way to achieve this is by requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed.
This is important because the prevailing opt-in/opt-out privacy model in the United States forces consumers to make a decision for every website and online service they visit. This places an unreasonable, and unworkable, burden on individuals. Strong federal privacy legislation should not only empower consumers to control their data; it also should place accountability obligations on the companies that collect and use sensitive personal information.
Federal law must also include strong enforcement provisions. As I saw first-hand when I served on the Federal Trade Commission, laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today’s complex digital economy.
Finally, while federal privacy legislation should reflect U.S. legal precedent—and the cultural values and norms of American society—it should also work with GDPR. For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting—requirements for privacy protection in the countries where they do business.
In the year since it went into effect, GDPR has been an important catalyst for progress in privacy protection. Countries around the world have implemented new laws that reflect the new understanding people have of privacy in our digital era. Some companies are doing a better job of handling sensitive personal data, and they have delivered new tools that make it easier for people to manage and control their personal information.
Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States.