Microsoft Calls for National Privacy Law
Microsoft Corp. today called on Congress to enact a new federal privacy law, a move that is sure to prompt lawmakers to consider whether consumer privacy both online and offline should go further than merely requiring companies to notify people when their personal and financial data is lost, stolen, or inadvertently disclosed.
In an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.
Microsoft said any federal privacy law should require data keepers to notify people of any material changes in company privacy policies or if a data breach, theft or loss jeopardizes the security of their personal information. Microsoft also said consumers should have a right -- within reason -- to view any information a company holds about them.
Perhaps most significantly, Microsoft said consumers should have at least some control over how their personal information is used and disclosed. Specifically, Microsoft said the federal government should require data keepers to obtain people's consent before disclosing or sharing their information for "secondary purposes" -- apparently meaning purposes unrelated to why they provided the information in the first place.
Last, but not least, Microsoft said organizations that maintain private consumer information should have to meet some kind of national standard to prove they have at least taken reasonable steps to protect that data from hackers, viruses, or other kinds of loss, theft or disclosure.
This strikes me as a good beginning, and Microsoft's vision of a federal privacy law should help jump-start a larger debate that launched way back in the late 90s but has since stalled.
A lot of people may be uncomfortable with Microsoft prodding lawmakers on privacy issues, but I think their approach is a sane one: If Congress passes a general privacy law that fairly and sensibly addresses the issues of consent, security, notification and control, then to a large degree that would eliminate the need to spend vast amounts of time on other, more problematic types of legislation relating to spyware and phishing, for example.
To the extent that Congress has been addressing consumer privacy issues at all, it has focused mainly on heading off the states from passing a patchwork of different data-breach-notification laws, which 21 of them have now done. In fact, two separate congressional committees are voting on notification legislation today.
I find it interesting that Microsoft has come so far in its stance on privacy issues over the years. Just five or six years ago, it was a strong and vocal advocate of industry self-regulation on privacy. Now, it has effectively embraced the very principles espoused by groups as diverse as the Center for Democracy and Technology (CDT), American Civil Liberties Union (ACLU) and Electronic Privacy Information Center (EPIC).
CDT President Jerry Berman praised Microsoft's move as "a landmark moment in the cause of establishing and protecting individual privacy rights online. ... While we have not reached consensus on all of the provisions of a privacy bill, we applaud Microsoft's willingness to work actively with other high tech companies, consumer organizations and policymakers."
Chris Hoofnagle, EPIC's senior counsel, agreed that Microsoft's position has softened significantly over the years. He noted that it was opposition from Microsoft and Hewlett-Packard that derailed an industry-friendly privacy bill from Rep. Cliff Stearns (R-Fla.) that was quickly gathering support a few years ago.
"Microsoft is being more assertive now and it shows that the company is maturing," he said.
Still, the devil will be in the details, Hoofnagle cautioned, noting that Microsoft's statement of principles says the company supports "consumer opt-in" -- the consumer's advance permission would be required -- for sharing of sensitive (e.g., financial or medical) data but supports "opt-out" -- data can be shared unless the consumer explicitly says "no" -- for every other kind of information.
ACLU legislative counsel Timothy Sparapani also praised Microsoft's move, but cautioned that any federal privacy law would need to include safeguards for data gathered by commercial data brokers. That includes companies like ChoicePoint and LexisNexis, both of which had fairly large security breaches that exposed sensitive data on thousands of consumers, most of whom had no idea these companies held such information about them (much less routinely sold it to the government and other companies).
Almost any time Congress passes a law that tells companies how they should act, lawmakers exempt themselves and the government at large from the same requirements. But that cannot happen with respect to privacy legislation, Sparapani said.
"This issue needs to be seen in the broader, post-9/11 context that information is power and access in our society, access not only to secure places but to people's personal and financial well-being," Sparapani said. "We welcome the people with the butterfly logo to the debate, but we need to be sure [of] a broad push that really will provide citizens with the ability to enforce the commodification of their own personally identifiable information."