Tech companies are still reeling from a top European court's decision invalidating Safe Harbor, a trade agreement used by thousands of American companies to transfer Europeans' data across the Atlantic.
In a new blog post, Microsoft president and chief legal officer Brad Smith argues that privacy is a human right and the Safe Harbor decision is an opportunity for stronger privacy regulations. Smith also warns that without policy changes, the invalidation could signal "a return to the digital dark ages" by setting the stage for a world where data is segregated by nation:
While it increasingly is possible to store data in a specific data center, personal information for consumers still needs to cross borders for good reasons in a variety of scenarios. Imagine trying to complete a purchase online and being told that your purchase has been blocked because your credit card information needs to be processed somewhere else. Imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country where you want to fly. Countless times every week as consumers and citizens we need other people to move our personal information to the places it needs to go. And future technology innovations will aggregate personal information to enable devices to be even more useful for people.
But Smith lays out a four-step proposal to address what he calls the "privacy Rubik's cube" of balancing privacy rights, a global Internet and public safety within a legal framework that the company hopes will appease those on both sides of the Atlantic.
The first step is to ensure that people's legal rights move with their data -- something Smith argues could be managed by an agreement that the U.S. would only demand access to personal information that belongs to Europeans in ways that line up with European Union law and vice versa. The second step is an expedited process for governments in the U.S. and E.U. to serve lawful requests for data to authorities in a person's home country, while the third suggests an exception to such a rule that gives the U.S. or E.U. countries authority over people who physically reside within their boundaries.
The final component of the proposal is an agreement, "except in the most limited circumstances," that governments on both sides only seek access to data by going through the companies themselves -- implicitly rejecting policies that rely on surreptitious access like spying on or hacking into companies to access information.
The Microsoft plan is perhaps the most detailed road map released by a company in the wake of the Safe Harbor decision, and would require significant changes to law. The tone of the blog post and the speed with which such a plan was pulled together likely signal the real threat major tech companies feel from the ruling, which grew out of revelations about U.S. government surveillance from former government contractor Edward Snowden.
The American cloud computing industry has already seen its business damaged by spying fears. While the Safe Harbor ruling doesn't stop data transfers altogether, tech giants who previously relied on the pact to green-light their privacy practices are now open to scrutiny from national regulators in Europe who could investigate or even block the flow of Europeans' data across the Atlantic.
Even today, the Irish data protection watchdogs went before the country's High Court in Dublin and agreed to investigate how Facebook transmits Europeans' data to the U.S., according to local news reports. The ruling that invalidated Safe Harbor stemmed from a suit against the data regulators by Austrian activist and student Max Schrems after the Irish watchdogs declined to investigate Facebook's practices because they were covered by the pact.