In a Microsoft blog post from Monday, Corporate Vice President and Deputy General Counsel Julie Brill reflected on the European Union’s General Data Protection Regulation (GDPR) that was enacted nearly one year ago. Brill feels that the GDPR has been very effective in changing the way that tech companies handle personal data.
“[Companies] have adapted, putting new systems and processes in place to ensure that individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose,” she wrote.
Brill points out that the GDPR has inspired other countries to adopt similar regulations. She also pats her company on the back for being “the first company to provide the data control rights at the heart of GDPR to our customers around the globe, not just in Europe.”
However, such self-regulation is not good enough. While some states such as California and Illinois have strong data protection laws in place, Brill feels the US needs something similar to the GDPR at the federal level.
“No matter how much work companies like Microsoft do to help organizations secure sensitive data and empower individuals to manage their own data, preserving a strong right to privacy will always fundamentally be a matter of law that falls to governments,” Brill states. “Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today.”
She points to the California Consumer Privacy Act (CCPA), which goes into effect next year, as a model for federal policy. Brill says that consumers have the right to control their information and that companies need to be held to a higher degree of accountability and transparency with how they collect and use customer data. The new laws also need to have teeth.
Brill said that one problem with current privacy laws is enforcement. The Federal Trade Commission is charged with enforcing such laws, but cannot fine a company without a consent decree.
When companies violate these laws, they are not typically fined at first. Instead, they sign a consent decree, which makes them liable for penalties if they are caught in the act again. We have recently seen these decrees in effect with both Facebook and Google. However, these are outlying cases.
According to the Government Accountability Office, over the last 10 years, the FTC has filed 101 enforcement actions. Nearly all of these carried no civil penalties. Instead, they amounted to settlement agreements requiring companies to take measures to prevent the violation from occurring again.
“Federal law must also include strong enforcement provisions,” Brill said. “Laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today’s complex digital economy.”
Microsoft is not the only big tech corporation to call for federal regulation. Apple, which also prides itself on its strong privacy policies, recently indicated that the time for self-regulation is over.
“We all have to be intellectually honest, and we have to admit that what we’re doing isn’t working,” said Tim Cook back in April at the Time 100 Summit. “Technology needs to be regulated. There are now too many examples where no rails have resulted in great damage to society.”