Microsoft Backs Emerging European Privacy Shield Agreement

A Microsoft executive expressed optimism today about a new European Union-United States Privacy Shield agreement, which is expected to be announced by the European Commission on July 12.

The Privacy Shield agreement replaces the Safe Harbor agreement, which previously had served as the legal basis for protecting data transferred between European Union countries and the United States. The European Court of Justice scrapped the Safe Harbor framework in October, perhaps because of the massive bulk spying details disclosed by the document leaks of former U.S. National Security Agency contractor and whistleblower Edward Snowden.

John Frank, Microsoft's vice president for EU government affairs, expressed his personal opinion in a blog post that the emerging EU-U.S. Privacy Shield would address the privacy concerns of EU member countries and individuals:

"Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans' right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data."

Specifically, the Privacy Shield permits individuals and organizations in EU member countries to sue in U.S. courts when privacy laws may have been violated. Their ability to sue was enabled when President Obama signed the Judicial Redress Act in February. Previously, U.S. organizations and individuals could sue in European courts, but not vice versa, which the European Commission saw as a stumbling block toward reform, according to its February draft of the Privacy Shield.

That February draft also called for the following guarantees:

  • "Strong obligations on companies and robust enforcement"
  • "Clear safeguards and transparency obligations on U.S. government access"
  • "Effective protection," with complaint resolution within 45 days
  • "Annual joint review mechanism"

The European Commission clarified the first point in an earlier announcement by explaining that "U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed," and that the U.S. Department of Commerce "will monitor that companies publish their commitments."

As for U.S. transparency, the Commission indicated it was given assurances by the U.S. government that "any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data."

The annual review specified in the agreement will be conducted by the European Commission and the U.S. Department of Commerce, along with "national intelligence experts from the U.S. and European Data Protection Authorities," according to the draft. This review will result in a report, which will be issued to the "European Parliament and the Council."

In late June, the Electronic Privacy Information Center (EPIC) issued a critique of the Privacy Shield's revised draft, indicating that it had failed to "resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor." EPIC and other nongovernmental organizations had earlier stated in a letter to EU authorities (PDF) that establishment of the Privacy Shield should be contingent on having the United States "formally commit to substantial reforms to respect human rights and international law," which was lacking in the Privacy Shield draft. They also called for "a narrowed definition of 'foreign intelligence information' to limit the scope of data collection."

It's not clear if those concerns were addressed in the Privacy Shield's final draft.

Microsoft, for its part, has a lot at stake in getting these international legal protections in place. EU markets likely won't use its cloud services without U.S. government assurances on data privacy and data sovereignty protections. Microsoft recently described that stake. It has invested $15 billion in building out its datacenter infrastructure worldwide, and it has invested with Facebook in building out its own trans-Atlantic undersea cable infrastructure.

It's not really clear how data can be protected via legal agreements between governments. Undersea communications hubs typically get tapped secretly by governments, according to revelations from Snowden-leaked documents.

Nothing in the Privacy Shield agreement would seem to apply to U.S. citizens or organizations, except that they both have the common right to sue in U.S. courts. However, it's not clear they'd have the requisite information to carry out such actions. For instance, Microsoft currently has a lawsuit contesting 2,576 U.S. gag orders in which government agencies are seeking customer data or information without notifying the customer of the request. Microsoft also is actively pursuing an appeal contesting a U.S. government request for customer data stored in a Microsoft datacenter in Dublin, Ireland.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

