Microsoft pushes data privacy steps in the wake of safe harbor collapse
When the European Union’s top court struck down legal provisions that allowed tech companies to share customer data across the Atlantic Ocean, it upended 15 years of business practices in a single day. Now, new thinking has to come to bear, according to Microsoft (MSFT) president Brad Smith.
In a blog post published Tuesday, Smith, Microsoft’s long-time top lawyer who was named president last month, agreed that it is important to balance customer data privacy with the need of businesses to be able to handle data across international borders. He likened the meeting of such disparate demands to solving a Rubik’s cube.
If we’re going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.
Microsoft, Facebook (FB), Google (GOOG), and other U.S. tech giants reeled at the news last week out of the European Union. What put the old safe harbor at risk were European concerns about the ability and willingness of U.S. intelligence agencies to scoop up personal data wherever it resides in service to its War on Terror. And some European tech companies are using the issue to flaunt their own, supposedly more privacy-friendly cloud options.
The European court said that the data protection leaders in the E.U.’s two dozen or so constituent countries should manage how companies collect and manage data for their own citizens. And it’s not like all those nations have the same view here. Some countries—Germany and Switzerland for example—have much stricter rules governing data sovereignty than some of their peers. That sets a whole new level of complexity for vendors that store customer data.
With an eye to fixing this problem, Smith recommended a few not-so-simple steps, the first being that a consumer’s privacy rights move with her data. That would require that the U.S. government agree that it will only demand access to personal information that is stored in the U.S. and belongs to an E.U. national in a manner that conforms with E.U. law, and vice versa,” Smith wrote.
Second, the world needs a new process for government agencies on both sides of the ocean to access personal online information that is moved across the Atlantic and belongs to each other’s citizens “by serving lawful requests directly with the appropriate authority in an individual’s home country.” In other words, every country needs to obey the other country’s laws regarding requests for citizen data.
Third, if an E.U. citizen physically moves to the U.S. or vice versa, that person’s new country’s laws should apply to her data.
And, perhaps most interesting, his fourth point follows:
Finally, it makes sense, except in the most limited circumstances, for governments on both sides of the Atlantic to agree that they will seek to access the content of a legitimate business only by means of service on that business, even when it is stored in the cloud. This would address one of the principal areas of current legal concern for businesses that are relying on cloud services.
This means that, as in the physical world, if the government wants information on a corporation’s employee, it should go to the corporation with its warrant or request, not to the vendor that provides that company’s database or storage technology. The point here seems to be that that process should not change in the digital realm.
And please subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.
This report was updated at 10:22 a.m. EDT with an explanation of Smith’s fourth point.