Microsoft on the Frontier for Legal Privacy Protections

Posted by Mark Greisiger

A Q&A with Geff Brown of Microsoft
“Privacy is without a doubt the most exciting area of the law to be involved in right now,” says Geff Brown, assistant general counsel in regulatory affairs at Microsoft. I asked him about the current legal climate for consumers and tech companies around privacy issues and what Microsoft is doing to proactively protect user information.

The recent Supreme Court decision handed down in Riley v California (2014) established that iPhones and other devices now hold what Justice Roberts termed “privacies of life.” Why is this significant from a legal perspective?
The Riley decision is fascinating because it shows the Supreme Court realizing that the protections we expect in the physical world around our papers and effects apply in the virtual world as well—and they may be even more applicable in terms of people’s mobile devices. This hasn’t always been clear in lower courts’ decisions. When you think about mobile devices and the amount of data and personality data that’s going up into the cloud every time those devices get synced you can understand the need for strong protections for that data. This decision really applies the principles of the Constitution for the 21st century.

One implication for Microsoft as a company is that we need to fight for users’ rights. We are already seeing that in the current federal case in New York, which centers around the ability of the United States government to access data stored in the cloud. We strongly believe the government should have a process for obtaining cyber data that matches their process for obtaining data in the physical world. The Riley decision is really going in the right direction on these issues.

Why should companies care about Big Data, ethical privacy practices and transparency?
Big Data has huge promise, and there are already so many uses for it. In the future we will only unlock more of its potential. But people have to trust that when their data goes into the cloud in Big Data sets that it won’t be misused. They need to know that companies and others won’t be selling the data, using it to discriminate against other users, or turning the user into a commodity. Privacy is not just an economic right. It’s absolutely a human right we’re talking about—you hear that in the discussions in the EU and elsewhere right now. People are increasingly recognizing the importance of this right.

How is Microsoft proactively protecting private information in the Cloud?
We do many things, chief among which is that we work to get certification from independent third parties through international standards. These standards mean we will always be thinking about how to secure data, about the ways we access data and how we need to improve these practices over time because we do need to improve over time. I feel very lucky to work for a company that has so many resources it can devote to this process. With so many data centers around the world in various jurisdictions we can make a big difference in improving data security. Microsoft was also the first cloud service provider to sign data processing agreements with the EU’s Standard Contractual Clauses (in 2010). That meant improving our practices, and it took quite a bit of legal work to interpret the commission’s document into practical recommendations for a company serving many thousands if not millions of customers. It also put us ahead of the curve.

Can you talk about the balancing act between public safety versus technology versus privacy?
Technology helps drive great data protection. You can’t have great privacy without great security so we build the security in as a foundation but you also have to put privacy practices on top of that. We want our customers to know that we have definite requirements with respect to public safety and government access to data. If we see the government pushing the envelope, as we have seen with the United States, we will be pushing back to make sure there are appropriate procedures and transparency. It’s not enough just to have laws. You also have to have governments following the laws.

How about the relationship between foreign surveillance and public trust?
If you go back maybe 10 years ago there wasn’t as much data traveling across borders in countries, but that data was protected by bilateral agreements and other mutual systems. Those systems are showing their age now that so much data is going back and forth. We need to improve policy and create umbrella agreements about data transfer and that drive needs to come from governments and societies [pushing for action] through their governments. I have a great deal of hope about that process. It’s not necessarily going to be quick because governments need to get it right but it will happen. At Microsoft we really do care about these issues and we realize they are critical not only to the future of our business but also to our customers’ futures, too.

In Summary…
Mr. Brown’s insightful comments shed light on the complex issues of ethical privacy in the age of Big Data. Developing appropriate practices to mitigate wrongful data collection liability exposures will continue to be an important issue for risk managers whose organizations collect, store, transmit, and/or sell private information/data about people. With so many governmental, international, ethical and commercial implications at stake, forward-thinking companies like Microsoft must provide innovative solutions and establish Privacy by Design as a guiding principle. We thank Microsoft for leading the way in exploring and addressing these new and evolving issues.