Guess who's leading the charge to replace the now-defunct Safe Harbor agreement with a new international framework to protect privacy? None other than Microsoft. Sounding more like an activist than the president and chief legal officer of the world's largest software company, Brad Smith this week laid out a sweeping, four-point program in a blog post that explicitly values privacy over business and national security concerns.
"Privacy really is a fundamental human right," he wrote. Most significantly, Smith said that countries on both sides of the Atlantic should agree to only access user data through the company that holds it, instead of gaining access by hacking into corporate networks or other surreptitious means.
Microsoft has also led the fight against U.S. government efforts to take American citizens' and companies' data held in foreign data centers.
The privacy ground has shifted in Silicon Valley
It's easy to be cynical and argue that Microsoft and other tech giants now lobbying for privacy have come to Jesus because the Edward Snowden revelations have made foreign customers wary of doing business with U.S. companies.
That may well be true, but it's also true that the ground has shifted dramatically this year. Silicon Valley firms are now taking strong stands on privacy-related matters beyond Safe Harbor.
For example, Apple and Dropbox said Tuesday they oppose a controversial cyber security bill called CISA that would give the government sweeping new powers to spy on Americans in the name of protecting them from hackers. "The trust of our customers means everything to us, and we don't believe security should come at the expense of their privacy," Apple said in a statement, echoing positions taken recently by Google, Facebook, and others in Silicon Valley.
In last year's iOS 8, Apple also changed how encryption works in its mobile devices, so it can no longer unlock users' devices even if ordered to do so by the courts. The decision was meant to thwart government efforts to gain such access.
Despite such tech-industry opposition, it would be surprising if the CISA bill doesn't pass -- it has broad bipartisan support and President Barack Obama is certain to sign it. And the tech industry's newfound commitment to privacy hasn't meant an end to tracking cookies and the sale of customer data to advertisers, among other privacy-invading tactics.
Unsafe harbor: Why Safe Harbor was overturned
The Safe Harbor agreement allowed companies to move data such as people's Web search histories, online purchases, and social media updates between the United States and the European Union.
In today's environment of global companies and cloud services, personal data belonging to a person who lives in one country is routinely stored in another, then moved back and forth as needed. It's also often bought and sold as part of cross-border advertising deals.
Safe Harbor imposed some restrictions on how companies could use that personal data, since Europeans desire greater privacy than Americans do and didn't want America's looser standards imposed on them through corporate actions. American companies wanted a clear set of usage guidelines that would at least not interfere with their data storage and transmission processes.
That changed radically in early October when the European Court of Justice said the agreement was flawed because it allowed American government authorities to gain routine access to Europeans' online information. Snowden's revelations, the court said, showed that U.S. spy agencies had easy access to data belonging to Europeans.
Microsoft now favors user privacy despite its self-interest
The end to Safe Harbor is a massive problem for companies like Google and Facebook, whose businesses are built on online advertising and the user tracking needed to get the most from those ads. Microsoft is affected as well, as Smith quite rightly points out, but not nearly as severely.
Even so, Smith's blog post marks a notable departure in the tech industry's approach to privacy. American law allowed the industry to tap data when convenient, and American technology made it possible to do so efficiently. You'd expect giants like Microsoft to cling desperately to the status quo.
Under Smith, Microsoft is doing the opposite:
This month, the old legal system collapsed, but the foundation long ago had crumbled. In recent years it has been apparent that a new century requires a new privacy framework. It's time to go build it.
The protection of privacy from government intrusion has been enshrined in the U.S. Constitution since 1791, when the Fourth Amendment was ratified as part of the Bill of Rights. In our own time the courts in both the United States and Europe have been moving in similar directions, and for good reason.
Microsoft proposes new, privacy-protecting Safe Harbor
Here's a summary of Smith's proposal for a new version of the Safe Harbor agreement:
- Users' legal rights should move with their data. That would mean the U.S. government would have to agree to abide by all E.U. laws when requesting private data on a European citizen whose information is stored on U.S. soil.
- A new agreement would creates an expedited legal process through which governments on both sides of the Atlantic can make data requests.
- For the sake of public safety, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the U.S. government should be permitted to turn solely to its own courts under U.S. law to obtain data about E.U. citizens who move to the United States, and the same would be true for a European government when U.S. citizens reside there.
- All governments involved should agree to only access a particular company's user data through that company directly instead of surreptitiously gaining access through a cloud provider or another means of spying.
Smith wrote, "This fundamental approach would cut through the existing legal confusion by making clear both that people will not lose their privacy rights when their data is moved across a border and that there is an effective and legally proper basis for law enforcement to access the data needed to keep the public safe."
Smith pointed out that without a replacement for Safe Harbor there will be serious business consequences: "Imagine trying to complete a purchase online and being told that your purchase has been blocked because your credit card information needs to be processed somewhere else. Imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country where you want to fly."
New laws might simply mandate that everyone's information stay inside one's country or perhaps even one's personal devices. That's a simple approach legislatively, "but that would require a return to the digital dark ages," he argued. Why? In effect it would stymie cross-border transactions. Opponents of global capitalism may aspire to that result, but it would undo centuries of commerce and cooperation among nations, not only cross-border exploitation.
I know that the Microsoft haters will find all sorts of reasons to doubt Smith's sincerity and poke holes in his arguments. That's not important. What is important is we're finally having serious discussions about privacy and due process, and Microsoft deserves credit for its contribution to that dialog.