Microsoft outlined a detailed plan for new international laws governing the transfer of data between the U.S. and Europe on Tuesday, carrying the torch for the technology industry.
Thousands of companies on both continents were put on notice earlier this month when European courts struck down a 15-year-old Safe Harbor agreement that had allowed user data to flow freely across the Atlantic Ocean.
Because of well-documented spying by the U.S. government, however, the Court of Justice of the European Union nullified that agreement on Oct. 6, saying it didn’t offer its citizens adequate privacy protections.
Now, as lawyers, government officials and international companies scramble to figure out what to do next, Microsoft says it has a plan.
In a somewhat unusual move, the company outlined a specific four-step proposal that would require rewriting international laws and establishing legal protections for the new generation of technology.
“This month the old legal system collapsed, but the foundation long ago had crumbled,” Microsoft President and Chief Legal Officer Brad Smith wrote in a Tuesday blog post. “In recent years it has been apparent that a new century requires a new privacy framework. It’s time to go build it.”
First, Microsoft says users’ legal rights should “move with their data.” That would mean the U.S. government would have to agree to abide by all EU laws when requesting private data on a European citizen who’s information is stored on U.S. soil.
Second, the company proposes a “new trans-Atlantic agreement” that creates a expedited and legal process through which governments on both sides of the Atlantic can make data requests.
Third, Microsoft says there should be an exception carved out for when users move between the continents. For example, if a European citizen traveled to the U.S., the U.S. government could then request that person’s private information held there without complying with European laws.
And finally, Microsoft says all governments involved should agree to only access a particular company’s user data through that company directly. That’s instead of surreptitiously gaining access through cloud provider, or some other means of spying.
“This fundamental approach would cut through the existing legal confusion by making clear both that people will not lose their privacy rights when their data is moved across a border and that there is an effective and legally proper basis for law enforcement to access the data needed to keep the public safe,” Smith wrote in the blog post.