GDPR, USA? Microsoft says US should match the EU's digital privacy law

Microsoft ratchets up its lobbying for federal EU-style privacy laws for the US.
Written by Liam Tung, Contributing Writer

As the first anniversary of the European Union's General Data Protection Regulation (GDPR) approaches, a senior lawyer at Microsoft has called for the US Congress to adopt a parallel set of EU-style federal privacy laws.

Even Microsoft has been stung by GDPR's strict rules, albeit lightly compared with Google's €50m GDPR fine in January over "forced consent", which followed a complaint filed by activist lawyer Max Schrems on the day the law took effect, May 25, 2018.

The big question now on the other side of the Atlantic is when and whether the US will introduce a GDPR-like law that puts a bigger burden on companies to protect the data of their users.


Microsoft's top legal officer, company president Brad Smith, recently predicted 2019 could be a turning point in this debate, thanks to the emergence of several state-based privacy acts, most notably the California Consumer Privacy Act (CCPA), which is the toughest in the nation.

Now Julie Brill, a former commissioner of the US Federal Trade Commission and currently Microsoft's deputy general counsel, has given her opinion on privacy laws in the US and how they would fit alongside those of countries outside the EU that have introduced new GDPR-inspired privacy laws, including Brazil, China, India, Japan, South Korea, and Thailand.

"Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today," says Brill.

"Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States," she said.

The risk for firms operating in the US is a future of operating in a piecemeal patchwork of state-based US laws, and for multinational US firms, dealing with local laws that don't mesh across the key international markets they serve. 

California's CCPA takes effect on January 1, 2020. California is the largest US state by population, accounting for more than 10% of the total US population, and any firm that provides services to this population will need to comply with the CCPA.

Brill says US Congress should "adopt a new framework that reflects the changing understanding of the right to privacy in the United States and around the world."


It should "uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect."

Brill highlights how the current opt-in versus opt-out privacy options for US consumers force them to make a decision for every site and online service they visit, which places an "unreasonable -- and unworkable -- burden on individuals".

She calls for more power for consumers to control their data and for the law to place greater emphasis on companies' accountability when they collect and use consumers' personal information. GDPR allows regulators to fine firms in breach of the law up to 4% of global annual turnover.

"Federal law must also include strong enforcement provisions. As I saw first-hand when I served on the Federal Trade Commission, laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today's complex digital economy," Brill argues. 

Tough laws could be hard on smaller companies, but big firms like Microsoft, Apple, Facebook and Google, and basically any US company that trades internationally, could benefit from stricter laws if those laws align better with the European Union's and with the laws of other nations that use GDPR as a reference.

"For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don't have to build separate systems to meet differing -- and even conflicting -- requirements for privacy protection in the countries where they do business," said Brill. 
