Protecting Data Privacy

Rights and Responsibilities When It Comes to Data Privacy

Privacy is recognized as a fundamental human right by the United Nations Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and many other treaties.

Data-driven innovations and services should not impinge on this fundamental right. Privacy can and should be maintained into today’s highly connected digital world. At the same time, the collection, analysis, and use of data is an important engine of innovation. Responsibly used data can improve outcomes in healthcare, education, commerce, policymaking, and many other areas.

Both government and the private sector have a responsibility to protect data privacy. Many technology companies have made significant commitments to protecting consumer privacy—and to allowing consumers to control how their data is collected and used. Unfortunately, not all businesses have strong privacy practices. Many businesses are also looking to government to provide baseline rules to support customers’ privacy and strengthen trust in tech.

The Role of Government

Microsoft has been calling for federal digital privacy legislation since 2005. Since that time, members of Congress have introduced several legislative proposals to strengthen data privacy protections. However, despite this work, Congress has not yet enacted a comprehensive data privacy law that would provide a nationwide legal framework for both businesses and consumers.

In the meantime, many governments worldwide have responded to growing concerns about data collection by developing new laws and regulations to protect privacy in the digital age. Notably, the European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018. Many other countries have adopted similar data privacy policies.

In the U.S., state lawmakers have taken action to fill the gap in federal policy. In California, lawmakers enacted the California Consumer Privacy Act (CCPA), which became effective in 2020. This law was updated in 2020 by the voter-approved California Privacy Rights Act (CPRA), which went into effect on January 1, 2023.

Since California passed its landmark legislation, ten additional states have passed comprehensive privacy legislation. These states include Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas. These laws are modeled on the Washington Privacy Act. Though Washington has yet to pass this bill, its framework—which is intended to provide consumer rights and ensure that companies are responsible stewards of data—has become a model for other states. All ten state laws give robust enforcement authority to state Attorneys General; Colorado’s AG, unlike others, also has broad rulemaking authority.

While state data privacy laws represent progress, a patchwork of 50 state privacy laws will create compliance challenges, especially for small businesses, and drive up costs. A unifying federal law would help provide consumer protections while limiting the burden on businesses.

In 2018, Congress did take one important step in establishing a framework for digital privacy when it comes to law enforcement and public safety by passing the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act provides clear rules for how the U.S. government accesses data stored abroad—and it provides legal clarity for businesses that are stewards of their customers’ data. The law, however, does not address broader consumer privacy concerns about the commercial collection and use of personal data.

In 2022, Congress brought a renewed focus to data privacy. Congressional leaders released a bicameral, bipartisan discussion draft of data privacy legislation, the American Data Privacy and Protection Act. The release of the discussion draft represented a significant step forward toward enacting a unifying federal data privacy law. Leaders in both chambers and both parties worked with their colleagues to refine the proposal and build consensus, though legislation was not passed in 2022.

Congress and several state legislatures are again expected to consider data privacy proposals in 2023. Voices for Innovation will continue to keep our members up to date about the progress of digital privacy policies.