Microsoft's national privacy benefits gesture is welcome as California's 'GDPR avatar' looms

Stuart Lauchlan, November 13, 2019
California's new data protection regime kicks in in January and Microsoft plans to extend its benefits to all US customers.

In a welcome move that will up the pressure on naysayers in Silicon Valley, Microsoft intends to extend the “core rights” of California’s new privacy law to customers right across the US.

The California Consumer Privacy Act (CCPA) comes into effect on 1 January, requiring companies to be transparent about how they handle customer data.

Consumers will have the right to know what personal information companies are collecting about them, why the companies are collecting it, and with whom they are sharing it. They will also have the right to tell companies to delete their personal data, and to not sell or share their information. Organisations found to breach CCPA requirements face fines of $2,500 per violation, or up to $7,500 if the violation was intentional.

The Act has some enthusiastic supporters in Silicon Valley, such as Salesforce and Apple, both supporters of wider data privacy legislation. But equally it has its detractors, both within the tech sector and in the wider political world. The primary concern from tech firms is the potential impact on profits that the new legislation might incur, while some politicos and privacy activists are concerned that such state-level legislation will lead to a patchwork of data protection laws around the country rather than a federal-level universal regime.

For its part, Microsoft is calling for legislators to build on state laws such as CCPA to put in place a national privacy framework akin to Europe’s General Data Protection Regulation (GDPR). As diginomica has noted many times, that still seems like an elusive prospect, even if there are signs that the tide is turning in favor of a ‘something needs to be done’ mindset. Check out the amount of lobbying in Washington as evidence.

So Microsoft’s decision to commit to applying CCPA provisions is a significant gesture. In a blogpost to announce the move, Julie Brill, Microsoft Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer, said:

CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act. We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents.

Brill said that Microsoft had voluntarily extended GDPR privacy rights to its customers in the US:

Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the US.

Quite how this plays out in practice is an evolving matter, she added:

Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing. Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the US. While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction.

In addition, we are working closely with our enterprise customers to help them comply with CCPA. Our goal is to help our customers understand how California’s new law affects their operations and provide the tools and guidance they will need to meet its requirements.

More to do 

But CCPA is only the start of a wider process, said Brill, calling for Congress to be more proactive in tackling the question of federal legislation:

We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the US. As important a milestone as CCPA is, more remains to be done to provide the protection and transparency needed to give people confidence that businesses respect the privacy of their personal information and can be trusted to use it appropriately.

In addition to guaranteeing the rights of individuals to control their personal information, we believe privacy laws should be further strengthened by placing more robust accountability requirements on companies. This includes making companies minimize the data they collect about people, specify the purposes for which they are collecting and using people’s data, and making them more responsible for analyzing and improving data systems to ensure that they use personal data appropriately. 

Indeed, we are calling upon policymakers in other states and in Congress to build upon the progress made by California and go further by incorporating robust requirements that will make companies more responsible for the data they collect and use, and other key rights from GDPR. More requirements for companies, together with the rights and tools for people to control their data, will prevent placing the privacy burden solely on the individual, and will provide layers of data protection that are appropriate for the digital age.

My take

There are those who will accuse Microsoft of an easy win here, arguing that its business model isn’t as dependent on collating and sharing data to the same extent as, for example, Facebook or Google. Those divisions which do collect data, such as Cortana or Xbox Live, are categorised as service providers, a class of company that gets some leeway under the CCPA.

That may be so, but comparing Microsoft’s stance on extending GDPR rights to US customers with the equivocation and obfuscation on display from Facebook CEO Mark Zuckerberg is telling. And adding Microsoft’s voice to the leadership shown on this topic by the likes of Apple and Salesforce is a welcome development.

With a federal-level ‘GDPR-US’ still seemingly a long way off, other states will undoubtedly follow California’s lead with CCPA. Microsoft will presumably commit to extending any specific provisions that these throw up to all its users as well.

Let’s not get too carried away by Microsoft’s staking a claim to GDPR purity though. The firm’s contractual agreements with European Union organisations have come under heavy fire from the European Data Protection Supervisor (EDPS) who argues that they do not fully comply with the regulation.

This followed an investigation by the Dutch government into how Windows telemetry settings affect what data is sent to Microsoft and whether that data is processed in the EU or the US. In July the Dutch government said that its concerns had been largely dealt with, but the EDPS wasn't so satisfied, with Wojciech Wiewiórowski, Assistant EDPS, stating:

The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation. Until Microsoft takes measures to mitigate these risks, government organisations should refrain from using Office Online and the mobile Office apps included in Office 365 licence.

The EDPS will submit recommendations on revisions to contractual agreements with Microsoft by the end of this month. How Microsoft reacts to those proposed changes will test its GDPR 'purity' on the front line.