Microsoft Deems Privacy A Fundamental Right, Asks U.S. And EU Governments To Obey It

Brad Smith, Microsoft's Chief Legal Officer, said in a blog post that it's time for both the U.S. and EU governments to guarantee their citizens' data is protected even when crossing borders. He laid out four necessary steps the governments must take to protect user privacy, while still allowing transfers of data across borders in a safe and legal way.

Preserving Privacy Rights Across Borders

Smith said that people's legal rights should move with their data. This would mean that if the data is stored on U.S. servers but belongs to an EU national, then the U.S. government should only be able to get access to that data in a manner that conforms to EU laws. The reverse should also be true: If the EU government wants access to an American citizen's data stored on EU servers, it should comply with U.S. laws when doing so.

New Trans-Atlantic Agreement

Smith suggested that the U.S. and EU should agree to create an expedited process where whenever they need to get access to each other's citizens' data, first they need to comply with their own laws, and then they need to ask the citizens' governments for permission to the data. The citizens' governments can then either accept or reject the request, depending on whether they believe it's in compliance with their laws or not.

Smith believes that if this agreement were put in place, data transfers would comply with the recent Court of Justice of the European Union (CJEU) ruling that said the U.S. government must guarantee "essentially equivalent" data protection as to the protections available in the EU, because the U.S. government could only get that data if the EU authorities think their request complies with EU laws.

Moving Physically Across The Atlantic

Smith thinks that there should be an exception to the above proposals when a citizen is traveling across the Atlantic. In this case, the law of that jurisdiction should apply, in order to be consistent with longstanding legal principles, as well as the practical reality that public safety is more pronounced when a suspect is physically present in the given jurisdiction. Therefore, if an EU citizen travels to the U.S., Microsoft's legal officer believes that the U.S. law should apply when dealing with his data.

Asking The Right Company For Data

Right now, the U.S. government, and perhaps other governments as well, likes to go to cloud services providers to ask for data of another company's employees who use Microsoft's services, because it's easier to go to Microsoft than to all of its corporate customers individually.

However, Smith pointed out that in the physical world, the authorities go to the company where the employee works with a warrant to ask for the data, rather than to a third-party provider that may be holding that data. Therefore, the U.S. and EU national governments should also go to the directly-involved company and not to a third-party cloud services provider such as Microsoft.

Microsoft is also promoting this idea because it has seen that some businesses in the EU (and elsewhere) have stopped trusting American service providers because the U.S. government can go directly to them to ask for those companies' data. What Microsoft is saying here is that the U.S. and EU governments should agree to go directly to the party responsible and leave Microsoft and other third-party service providers out of it.

As more and more user data moves to the cloud, average citizens become vulnerable to having their data easily accessed by governments, too, even with a warrant. In the physical world, law enforcement must come with a warrant before entering someone's house in the U.S., but that doesn't seem to apply when it comes to digital data that's stored on someone else's servers.

As Microsoft is proposing here -- that when governments want a corporation's data they should go directly to that corporation -- it stands to reason that the governments should also go with a warrant to the user whose data they require, rather than gagging the service provider and then accessing the data in secret. However, this is not something Microsoft is suggesting in this case; the company is only asking for this sort of protection for its corporate customers, but not individual users of its cloud services such as Skype, Outlook, and so on.

21st Century Privacy Laws

Privacy laws in the U.S. or in the EU were passed decades ago, and Microsoft believes that they haven't aged well. The old laws are obsolete when it comes to protecting digital data in the twenty-first century, but they are also obsolete when it comes to providing a clear path for transferring data across borders in a way that protects user data against abusive government requests.

A new Judicial Redress Act has just passed the U.S. House, which gives EU citizens and other foreigners the same privacy protections that Americans get from the Privacy Act of 1974, which deals with how federal agencies can handle citizens' data. The recent CJEU ruling does mention that the U.S. would have to offer some way of judicial redress for EU citizens, but it's not clear whether the Privacy Act of 1974 is also "essentially equivalent" to the data protection laws in the EU.

If it's not, then this new Judicial Redress Act won't make a new Safe Harbor agreement any more likely or legally sound, unless the U.S. reforms its privacy laws to be at least as strong as those in the EU, per CJEU's ruling.

For now, Microsoft seems to believe that even in the absence of a Safe Harbor agreement, it can continue to transfer data within EU, but also to the U.S., by transferring it first to other EU companies. According to Maximilian Schrems, who made the original Safe Harbor complaint that led to its recent invalidation, this sort of solution would at the very least be in a legal gray area, but likely still illegal under the recent CJEU ruling.

Ultimately, this is only a trick to make it look like the EU data transfers are legal because they first happen between EU companies if in the end the data still reaches the U.S. under the same weak privacy protections as before. Therefore, there's no reason to believe this is legal or that it would pass CJEU's muster. However, a new Safe Harbor agreement must be reached by the end of January 2016 (pdf), so the company must believe it won't have to use this solution for long anyway, until a real one appears.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • poochiepiano
    Windows 10 PR?
  • frakyo
    A Company who spy users without consent fight for privacy... more twisted than that only in México (i'm mexican btw).
  • Math Geek
    this does seem a bit ironic coming from a company that has decided to track and record literally everything done on a windows pc.

    rather than worrying about how various countries try to abuse the data, why not simply not collect it in the first place!! i know this is just a stupid end user idea but it seems to me like not having the data in the first place is a sure fire way to prevent countries from trying to exploit said data. then again what do i know......
  • ohim
    A Company who spy users without consent fight for privacy... more twisted than that only in México (i'm mexican btw).
    so click`ing next without reading the Agreement it`s without consent ? :)
  • lichurdeath
    frakyo - While I am sure MS has some task tracking on user machines. All companies do this. At the server level things are different. They do not track information on companies private data. If they did no company would use MS servers. The corporate market and the private market are night and day different. This article is specifically addressing private data held on servers within corporations. MS has been a huge proponent of positive change in the server industry for a long time. This is not the first time this topic has been brought up and not the first time MS has been spearheading it. It is in their best interest to guide companies to a secure data path. In turn it will generate revenue for them from companies that trust them and respect their stance.
  • amk-aka-Phantom
    As more and more user data moves to the cloud

    They speak as if this isn't something Microsoft is artificially forcing with their online accounts and other BS but rather just something that's kind of happening on its own... right.

    Therefore, if an EU citizen travels to the U.S., Microsoft's legal officer believes that the U.S. law should apply when dealing with his data.

    By this logic, if I own a gun in a US state where it's legal and then travel to the EU, I can get arrested for illegal possession of firearms, since EU law now applies to me. Is this guy serious?
  • Math Geek
    if you take your gun with you and it is illegal there, then yes you would be arrested. the lawyer is saying that any data the visitor has on his/her person would fall under the law of the country he is in and not the country he is from.

    this is how the rest of law works and he is stating that he wants data to follow similar logic. if you go to a country where something is illegal, then that law applies to you as well as residents. just because pot is legal in colorado, does not mean it is legal for a colorado resident to take it with them where ever they go. it's still illegal in the rest of the states around them except for a couple others. this is the same logic MS is working on using for data.

    where the data is at the time is the law that should apply to it, not the home address of the person carrying it. US cloud storage should be under US law no matter who owns the data. EU cloud data should fall under EU law no matter who owns it, etc etc etc
  • mforce2
    Damn I was tired and I first read the MS deems Piracy as a fundamental right and I was like hell high, I like em' now.....

    Sure I suppose Privacy is also OK but I think they only want the so called Privacy to go against Google, I don't really believe they care much about their user's Privacy .... so much valuable data, it's a pity not to take a peek :D
  • surphninja
    They should lead by example. Stop tracking everything Windows users do, stop looking through people's hotmail accounts without a warrant, declare that they're building in default encryption with no government back doors, etc.

    Pretty hypocritical statement coming from a company that's constantly under investigation in the EU for violating privacy rights.
  • surphninja
    The government should just respond with Microsoft's boilerplate excuse: "We're not violating privacy- we're simply monitoring your every move in order to provide you with better service."