The first anniversary of GDPR, Europe’s gold-standard privacy law, is later this week – and Microsoft has marked the occasion by backing Apple’s call for a US version.
Microsoft, like Apple, responded at the time by committing to offer GDPR-level protections to all its customers globally, but thinks voluntary moves by tech giants are not enough …
Europe’s General Data Protection Regulation has 99 separate articles, but at the heart of the law are four requirements for companies wanting to store and process your personal data:
- There must be a specific, lawful reason to process the data
- Personal data must be encrypted
- You have a right to a copy of your data
- You can ask for your data to be deleted
Apple CEO Tim Cook has repeatedly called for a US federal privacy law that would offer similar protections to GDPR, most notably in a TIME magazine op-ed.
Microsoft has now lent its support in a blog post, noting that many other countries have already followed Europe’s example.
It has inspired a global movement that has seen countries around the world adopt new privacy laws that are modeled on GDPR. Brazil, China, India, Japan, South Korea and Thailand are among the nations that have passed new laws, proposed new legislation, or are considering changes to existing laws that will bring their privacy regulations into closer alignment with GDPR […]
No matter how much work companies like Microsoft do to help organizations secure sensitive data and empower individuals to manage their own data, preserving a strong right to privacy will always fundamentally be a matter of law that falls to governments. Despite the high level of interest in exercising control over personal data from U.S. consumers, the United States has yet to join the EU and other nations around the world in passing national legislation that accounts for how people use technology in their lives today […]
Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States.
The company says that compatibility with GDPR is crucial.
While federal privacy legislation should reflect U.S. legal precedent—and the cultural values and norms of American society—it should also work with GDPR. For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting—requirements for privacy protection in the countries where they do business.
There is bipartisan support for a federal privacy law, but no consensus on the exact approach. In particular, there are differing views on the role of the FTC.
The Democratic view is that Congress should give the FTC powers to make and enforce privacy rules, while the Republican view is that the legislative branch should create the rules, and the FTC should simply be empowered to enforce them.
Is the first anniversary of GDPR a good time to ask Congress to stop debating and act? Is there really a need for separate rules in the US, or could Congress simply mirror GDPR protections so that the exact same standards apply? Let us know your thoughts in the comments.