Rights and Responsibilities When It Comes to Data Privacy
Privacy is recognized as a fundamental human right by the United Nations Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and many other treaties.
Data-driven innovations and services should not impinge on this fundamental right. Privacy can and should be maintained into today’s highly connected digital world. At the same time, the collection, analysis, and use of data is an important engine of innovation. Responsibly used data can improve outcomes in healthcare, education, commerce, policymaking, and many other areas.
Both government and the private sector have a responsibility to protect data privacy. Many technology companies have made significant commitments to protecting consumer privacy—and to allowing consumers to control how their data is collected and used. Unfortunately, not all businesses have strong privacy practices. Many businesses are also looking to government to provide baseline rules to support customers’ privacy and strengthen trust in tech.
The Role of Government
Microsoft has been calling for federal digital privacy legislation since 2005. Since that time, members of Congress have introduced several legislative proposals to strengthen data privacy protections. However, despite this work, Congress has not yet enacted a comprehensive data privacy law that would provide a nationwide legal framework for both businesses and consumers.
In the meantime, many governments worldwide have responded to growing concerns about data collection by developing new laws and regulations to protect privacy in the digital age. Notably, the European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018. Many other countries have adopted similar data privacy policies.
In the U.S., state lawmakers have taken action to fill the gap in federal policy. In California, lawmakers enacted the California Consumer Privacy Act (CCPA), which became effective in 2020. Virginia and Colorado passed data privacy laws in 2021 with wide bipartisan support. Upon signing the Colorado Privacy Act (CPA), which takes effect in 2023, Governor Jared Polis suggested the state’s law “become a template for a nationwide standard passed by Congress in the future.” Many other states are considering enacting their own data privacy laws as well.
While state data privacy laws represent progress, a patchwork of 50 state privacy laws will create compliance challenges, especially for small businesses. A unifying federal law would help provide consumer protections while limiting the burden on businesses.
In 2018, Congress did take one important step in establishing a framework for digital privacy when it comes to law enforcement and public safety by passing the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act provides clear rules for how the U.S. government accesses data stored abroad—and it provides legal clarity for businesses that are stewards of their customers’ data. The law, however, does not address broader consumer privacy concerns about the commercial collection and use of personal data.
Voices for Innovation will continue to keep our members up to date about the progress of digital privacy policies.
Why privacy is essential to equitable recovery – Julie Brill, Microsoft on the Issues
The CLOUD Act is an important step forward, but now more steps need to follow – Brad Smith, Microsoft on the Issues
Privacy at Microsoft – Satya Nadella, Microsoft CEO Statement
GDPR’s first anniversary: A year of progress in privacy protection – Julie Brill, Microsoft on the Issues
Emerging patchwork or laboratories of democracy? Privacy legislation in Virginia and other states – Future of Privacy Forum
A new U.S. model for privacy? Comparing the Washington privacy act to GDPR, CCPA, and more – Future of Privacy Forum
Data privacy – BSA | The Software Alliance