Remarks by Brad Smith, General Counsel and Senior Vice President, Legal and Corporate Affairs
January 24, 2011
BRAD SMITH (Initial remarks in French): Distinguished members of the National Assembly, ladies and gentlemen, thank you for your welcome. It is a very great honor for me to be in Paris, especially in this prestigious location, here in the French Parliament.
Sir, thank you for having so clearly outlined the stakes involved by cloud computing:
While I was listening to you, it crossed my mind that what we are looking at is almost a philosophical question.
When I arrived here, I looked at the pediment of the National Assembly and saw the Republic’s motto: “Liberty, Equality, Fraternity,” and thought to myself, fundamental principles are stronger than mere technological progress.
The great Declaration of the Rights of Man and of the Citizen of 1789 illustrates this. It is by basing itself on this declaration that France’s Conseil Constitutionnel protects pluralism, privacy and intellectual property in the wake of technological progress.
Recently, your Supreme Court was able to protect the right to access to the Internet by relying on that declaration. Yet, in 1789, the Internet did not yet exist.
The major challenge before us is to succeed in implementing these principles so as to promote the spread of technological progress by guaranteeing and reconciling rights and freedoms.
Some think that these principles should take the back seat to technology. For my part, I think that progress requires, to the contrary, that these fundamental principles be stronger than technology so as to produce the best possible use. Privacy, the security of our data, the rights of content creators, human dignity, non-discrimination: These are all principles that help technology give the best of itself.
In this respect, yes, cloud computing marks a great stride forward; it vehicles new freedoms, growth and employment. It thus invites us to think about the best way of concretely and pragmatically making sure these principles live on, and of getting the best out of cloud computing.
Right now, I’m going to try and respect a first principle, which is that of no longer massacring your wonderful language, so I’ll stop speaking in the language of Molière and switch to that of Benjamin Franklin.
(Remaining remarks in English.)
Thank you for your indulgence. I told Marc last night that this would be — that was the most difficult five minutes of my entire trip. This is a second speech, if you will, in a series that I started a year ago. I had a chance last January to give a speech in Washington, D.C., at the Brookings Institution, and then in Brussels, to really introduce some thoughts about cloud computing, and the principles that we’re talking about here this morning.
And we had the opportunity to meet here in Paris a year later, and I think first and foremost it’s really quite striking to see how much progress there has been in the marketplace and in technology in the past 12 months. And more than anything else, I think this progress over the last 12 months really gives us the opportunity today to take the conversation forward and really frame much more concretely the challenges and steps that we in industry and in government are going to need to address, certainly the steps we’re going to need to address if we’re going to uphold the principles that I spoke about a moment ago.
Certainly we at Microsoft have seen widespread adoption of cloud computing, and I would say if anything, we have seen customers adopt cloud computing solutions even faster than we would have anticipated a year ago. If you look at the different uses of the cloud, certain uses are perhaps, not surprisingly, taking off first. E-mail is moving to the cloud. And for many enterprises, whether they be in the private sector or government, we’re seeing the widespread adoption of cloud-based e-mail solutions.
In the last year, we at Microsoft have launched a new version of Office, Office 2010, which makes it possible for people to work on and save many other documents in the cloud as well: word processing based documents, spreadsheets, even things like PowerPoint slides. And we’re seeing customers adopt this, too. We’re also seeing customers use the cloud as a new platform. We have our Windows Azure platform, Amazon has a platform of its own. And so we’re seeing customers start to move specialized applications, so-called line-of-business applications to the cloud, too.
So, after a year of progress, I think we’re farther along than we would have anticipated. I think the reasons for that rapid movement are pretty clear-cut. In the first instance, customers are recognizing that they can save money by moving computing to the cloud. But it’s not just about cost savings for these customers, it’s about new advantages that they are appreciating in terms of accelerated software development cycles, and the ability to bring new services to their customers, bring them to market much more rapidly than they could before.
We’re starting to see the cloud create new economic benefits as well. Just a few months ago, a study from the University of Milan estimated that cloud computing has the potential to create a million new jobs here in Europe over the next five years. And I think this kind of opportunity for job growth is probably most pronounced in the small and medium enterprise segment of the economy, because after all, these customers will no longer need to have somebody who can maintain a dedicated server room, and they can in effect leverage the large scale economics of major cloud service providers like Microsoft and Amazon and Google and IBM and others. So, we’re seeing these benefits really come to the forefront and drive the progress towards the cloud.
At the same time as customers have garnered more real world experience, they increasingly are providing us with feedback about their concerns. Not everything is rosy. So, customers do want to see real steps taken to address the kinds of questions that are on their mind, perhaps most especially with privacy and security.
In my job I have the opportunity to talk with CIOs and general counsels and others in both the public and the private sector. And if anything, what has most impressed me in recent months is how well informed and sophisticated customers have become in really thinking about the challenges that they need to address. And in many respects, for obvious reasons, the challenges that they need to address are the same challenges that we in industry need to address if we’re going to serve them well.
What does this mean today, here in January of 2011? I think it really means two things. First, we in industry are going to need to continue to step up and step out to drive innovation that will address the questions that customers have. We have a responsibility, if we want to continue to grow this market, to take new steps to strengthen privacy and security in the cloud. And I think this is a responsibility that we have as individual companies in competition with each other, as well as a responsibility that we share across the industry.
At Microsoft we’ve been quite focused on trying to think through what new steps we need to take, and then we’ve been striving to take them. The first thing that customers have been asking for of us is more transparency. Put simply, they want to know how things are going to work when they move their software from their premise to a datacenter instead. And not surprisingly, this is a question that almost everyone has, whether they’re a consumer at home or an enterprise large or small. We’ve strived for some time to address this kind of question for consumers with greater clarity in our notices relating to privacy. We were the first company to really develop layered notices that tried to provide consumers with better information and more information, and put all of that in a more useful form.
Over the last year, we’ve done a couple of things to build on that experience to provide greater transparency and clarity for enterprise customers as well. First, we undertook a project to really look at and even take apart our contractual terms and conditions for enterprise customers. We went to work to try to simplify it. We took a look at what others in the industry were doing, and we set a goal for ourselves to be the market leader in terms of providing clear and transparent information in our contracts for enterprise customers. And then we adopted these new terms and conditions, and started to put them in the contracts that we’re using. So, with both consumers and with enterprises this has enabled us to provide more information, and more information is a good thing in and of itself, but I think most people would probably agree that providing more information and making things more transparent is really just a first step. The real question is, what does the information have to say, and what are we in industry committed to do, in concrete terms and in pragmatic ways, to protect and promote privacy?
Well, we’ve been striving to take new steps in that regard across the board as well. I think one of the more important and most noteworthy for us at Microsoft came just over the last six weeks when we announced that the new version of our browser, Internet Explorer 9, would include what we call tracking protection. We announced that there would be a do-not-track feature in the browser that would enable consumers for the first time to really manage where their information goes in terms of providing it not only to a first party website that they’re viewing, but to third party sites on the Web as well.
As we all know, the Web has become in effect a myriad of different sites, and when we visit a single site, we’re oftentimes provided with content that’s pulled off of third-party sites as well. This is most pronounced in the context of Web-based advertising. And yet for many consumers there may not be an awareness of, or a comfort with, the notion of providing their own information to these third-party sites.
Our developers designed our tracking protection features to make it much easier for consumers to be aware of what is going on, and to start to make real choices, if they want, about whether their information is shared with third-party sites. So, we’ve created a new technology based on tracking lists, and with the use of tracking lists a consumer can turn on the do-not-track feature in the browser, and if he or she wants, the consumer can bar the browser, if you will, from allowing information to be sent to third-party sites that are contained on a particular tracking list.
Well, you might ask, who will create these lists, where will they come from? We’ve designed this technology in an open way so that any consumer group, any individual, any media outlet, or any other entity, including a government if it wants, can create a list, and then it can be easily downloaded and installed and used in the browser. An entity can create a list of sites, for example, that it feels are suspect, a list of entities that don’t adhere to certain well-established industry standards, and a consumer can stop information from flowing to those entities. Or in the opposite way, an individual can use a white list and designate certain websites that it is comfortable, he or she, the consumer is comfortable sending information to. So, with this combination of the tracking protection feature in the browser and the use of these tracking lists, we’re, in fact, empowering consumers in new ways to control where their information goes. I think that’s one important tangible example of the kind of step that can be taken.
We’ve similarly taken a new step with respect to our new phone software, Windows Phone 7. As I’m sure all of you know, one of the great things about a smartphone is all of the applications and services that can make use of your location. It can tell you how to get from where you are to where you want to go. If you’re looking for a particular store or a restaurant, it can tell you where to find it. It can tell you what else is close by. But, of course, by definition these features work only if the phone knows where you are, and only if the service running on a server knows where you are as well.
Well, we designed Windows Phone 7 so that that information would be shared with the server and with a service only by a consumer making an informed choice. And the consumer can make that choice once for all time if he or she wants, or the consumer can make it on a case-by-case basis. But it’s another example of innovating in a way that empowers consumers with greater choice.
A third example of what we’ve been striving to do is for the enterprise with the BitLocker enhanced security protection we built into Windows 7. One of the most common problems that large enterprises have when it comes to information technology is that their employees just have a way, and a habit, sometimes of leaving laptop computers in taxis after they get out of them. And, of course, if there’s sensitive information on that laptop, that is the kind of thing that by definition sends shivers down the spines of people who worry about the security of information. Well, with BitLocker, enterprises can turn on a security feature by default so that if somebody finds that laptop, they’re not going to be able to turn it on without having the password that is needed to get past the encryption protection. This is an example of a new form, I think, of security tools that make it easier for enterprises to manage not only the sensitivity of their own information, but potentially the information that they hold with respect to their customers as well.
If you think about these three examples — tracking protection in the browser, geolocation services in the phone, security protection for a laptop — they all add up to and fit together in something that we call “privacy by design.” This is something that we at Microsoft have been working on for several years now. It may sound a bit like a marketing slogan, but, in fact, it’s an engineering principle. It means that our engineers identify privacy and security issues early in the development process for new software. It means that they create features and tools that are designed to manage and address those issues. It means that as the development work goes forward, there are additional steps in the process to assess the privacy and security protection that is included in the product. And finally, it means that before the product is released to manufacturing, there is a final review of the various privacy and security issues.
Privacy by design is increasingly becoming part of the computing landscape, and I think we can all envision a future in which it becomes the norm for all of the companies in our industry. In many ways it’s good for us to work together across the industry to advance privacy and security, and we do that. We advance codes of conduct, we work together on industry standards, we pursue self-regulatory initiatives. And at the same time, I think innovation for privacy and security also flourishes when companies work hard to compete and differentiate themselves. Certainly we at Microsoft are quite determined to be and remain an industry leader in meeting customer privacy and security needs. And I think our business model actually serves us well when we do that.
Our business model, as you know, is based more than anything else on licensing our software and services for a fee, which generates revenue. We also have advertising-based business models for certain services, but I think that the fact that we rely on licensing revenue and not simply advertising gives us a very strong economic incentive to ensure that we’re moving the cutting-edge of technology forward, especially when it comes to privacy and security. And I think this combination of collaboration and cooperation on the one hand, coupled with competition on the other, is a good recipe for our industry and its work to continue to move these areas ahead. That’s what industry needs to do, that’s what companies need to do, but I think the other thing that has become so much clearer in the last year is what governments need to do as well. Because if we’re going to succeed in moving privacy and security forward, new steps by governments are needed as well.
This is actually a very interesting and important time, because on both sides of the Atlantic, governments are engaged right now in new efforts to consider changes in their legal and regulatory landscape when it comes to privacy and security. In Brussels, the European Commission has asked for comments on what it should do to revise and reform the Data Protection Directive that was adopted in 1995. At the end of last year in Washington, D.C., both the Fair Trade Commission and the Department of Commerce published papers and asked for comments. We basically have companies and consumer groups and other interested bodies on both sides of the Atlantic offering their views in both continents at exactly the same time. The comments were due in Brussels in the middle of this month, and they’re due in Washington at the end of this month. And I think by February, it’s going to be possible to look out and look across, and we’ll start to discern I think some common trends in terms of what people think government needs to do in order to address these issues.
Certainly from our perspective, and I would venture the perspective of most enterprises in our industry, we need help from government to move the law forward. Privacy laws in both Europe and the United States today are a product of technology and a technology vision that pretty much is grounded in the 1980s. The principle U.S. privacy and security laws were adopted in the mid-1980s. The Data Protection Directive here in Europe was adopted in the mid-1990s. But it was such a lengthy process of adoption, that it too largely reflects principles that were devised in the 1980s. And as we all know, technology has come a long, long ways since then. As a result, we increasingly face a real need for the laws that are so important in this field to start to enter the 21st century.
There are a lot of very specific questions that governments on both sides of the Atlantic are starting to address. And, in fact, if you read the request for comments, one of the things that is striking is just how many detailed questions they ask for feedback on. But I think even with all of these different questions, one can really distill and focus on three themes, and I’d like to talk briefly about these.
In our view, there are three areas on which governments can help innovation by focusing the most. The first is the need to create better legal certainty for companies providing cloud services. Today, there is very little, if any, legal certainty, really for two reasons. The first is that the law has become outdated; but second, independent of that, it’s often very unclear whose law actually applies at any given moment. In Europe, in the Data Protection Directive the approach, the obvious approach really was to harmonize the law at a relatively general level, and then to let the member states decide how to implement it. In the course of implementing the directive, not surprisingly over the last 15 years, different interpretations have arisen.
You know, today, we might have a customer who lives in France relying on a cloud service that is based on data that sits in a datacenter in Ireland, and it might be moving from Ireland to France on a high bandwidth broadband cable that runs through the United Kingdom. It’s often unclear whether we are supposed to be applying French law, British law, or Irish law to that specific scenario. And, of course, if the customer is in Greece, and the cable is crossing yet more countries, this situation becomes more confusing still. It becomes a real barrier to investment and to innovation because it becomes more difficult for engineers to know how they are supposed to design the next version of our products and services.
Recently in Brussels, the Article 29 Committee that focuses on a number of these questions, has started to recognize this problem as well. The European Commission, I think quite helpfully in its request for comments, identified this as an important question on which it wanted feedback. Clearly, it had been hearing already about questions around legal certainty. And recently the Article 29 Committee advocated that the European Union should consider a principle based on country of origin. In other words, everyone should apply the law of the country in which the service originates. I think that’s a helpful step in the right direction. It probably needs some further amplification to really work. But certainly if it were possible to have in Europe a legal regime that enabled a cloud service provider to designate the country where its principle datacenter resides, and know that it is supposed to apply that country’s law, it would be far easier to know what one is supposed to do.
Of course, for that to work across Europe, there would have to be real confidence among the member states about the selection of that law. It would likely mean that there would need to be greater harmonization and in some greater detail in terms of data protection law. And then there would have to be, in effect, this system of mutual recognition. But that is a recipe that I believe would advance innovation more quickly. It would encourage investment by technology companies. It would help grow jobs, and move technology forward. It’s the right kind of thing, I believe, for Europe to consider. I should add that this is not a European issue alone. We face the same problem in the United States, the only difference is instead of having 27 member states, we have 50 U.S. states, and similarly there’s a patchwork of laws, and sometimes real confusion as to whose law applies. But, nonetheless, if there were to be only one thing that governments could do to help accelerate innovation, I think enhancing legal certainty would be at the top of the list.
The second aspect that we would recommend is that there be real focus on creating a new generation of laws and regulations that are focused on outcomes rather than defining the precise technical ways in which these outcomes will be achieved. One of the biggest problems we have with the current laws is that in many respects they’re based not on outcomes, but rather on technology processes. There is probably no better example of this than the seemingly absurd result produced by the law in the United States under the Electronic Communications and Privacy Act called ECPA. ECPA is one of the laws that was enacted in the mid-1980s. And it basically prescribes among other things the level of privacy protection that will be accorded to e-mail. And it basically says that e-mails that are 180 days old or less are entitled to greater privacy protection than e-mails that are more than 180 days old. And you might ask, who figured that out? Well, the reason the law was written in that way was because in the 1980s most businesses kept their documents on site for only about six months. And after six months they’d move them offsite to some storage facility. And the law said that documents that were moved elsewhere, that were no longer on premise, were typically entitled to a lower level of privacy protection under the law. And so our Congress applied that same principle to e-mail. Of course, those were days when e-mail was pretty new, it was seldom used, and computer storage was a lot more expensive than it is today. And almost by definition there is no one on any part of the planet that is walking around today in late January asking themselves what e-mail did I write last July that is about to hit that six month point and become entitled to a lower standard of privacy protection?
I think that example illustrates the pitfalls of laws that try to devise specific technical processes. Instead, it makes far more sense for laws and regulations to focus on the outcomes that they want cloud service and other providers to aspire to achieve. The e-commerce directive here in Europe actually does that. It prescribes certain broad standards in terms of a level of protection consistent with industry standards and consumer expectations. And so, as the world changes, the law can change with it, and doesn’t have to be constantly rewritten. If our governments can aspire to this kind of approach, they’re likely to do a much better job of creating a legal paradigm that will work not only for the next few years, but for the next couple of decades as well. And that should be a goal, we believe, for the work that is now going on.
The final theme or goal that we hope governments will address is to enhance the ability for data to cross borders. This is something that probably has not gotten nearly enough attention, and it certainly hasn’t gotten the attention that it deserves in public policy in broader circles. If you look at the laws that were written in the 1990s, and especially the data protection directive, you would think that they were based on the premise that the movement of data across a national border is a bad thing. You would certainly conclude that the authors of that directive thought that the movement of European data outside of Europe was likely to be a bad thing. And yet, with the migration to the cloud, it is increasingly important that data, in fact, be able to move across borders, and even around the world, albeit with real and effectively legal safeguards.
You might first ask well, why, why is it important for data to move? Let me give you an example. If a customer is having a problem with its e-mail system and with some of the messages in that e-mail system, the engineers who know the most about that particular feature or issue might be located halfway around the world. In that kind of situation the fastest way to solve a customer’s problem may well be to move some of the data to the location of the engineers, or in another situation if engineers start working on the problem here in Europe, but realize as the clock gets close to midnight that they’re getting a little tired, it might help if some engineers across the Atlantic had the opportunity to spend the next several hours working on the problem, as well.
In both of those scenarios customer service is enhanced when data can move to the engineers who can best handle the troubleshooting that’s needed. But it’s not just a question of customer support and troubleshooting. There is often a real advantage in being able to create a backup copy of data in another location. In a way, this is obvious when you start to think about it. We may have entered a new era of computing, but we still live in a world that is subject to natural disasters, hurricanes, earthquakes, fires, and other problems. It makes sense in many circumstances not only to create a backup of a customer’s data, but to put that backup in a different geographic location. And oftentimes, that location will be in another country, or region of the world.
Finally, we often encounter situations where the development of new products can be enhanced and accelerated when there is a limited ability to work with customer data in finite circumstances. So, whether it’s troubleshooting, or backup, or just product innovation, data increasingly needs to move around the world, or at least across borders. The question is how to do that in a way that ensures that privacy is going to continue to be protected.
Well, in fact, I think some new legal tools are beginning to emerge. To some degree these are being discussed in Brussels, and to some degree I think there’s an opportunity to learn from new privacy legislation that recently was enacted in Canada. This model basically enables data to move across borders, as long as the service provider will ensure that the same standard of legal protection is applied, regardless of where the data sits. In effect, this places a new level of accountability on cloud service providers, and people are starting to refer to this as an accountability principle. It’s the type of principle that, in fact, probably makes a great deal of sense, because it will enable ongoing legal protection according to one country’s standard, if the cloud service provider steps forward and agrees to abide by that level in moving the data somewhere else. If you put these three themes together, they provide a recipe for moving the law in a direction that will better enhance innovation. It creates more legal certainty about whose law applies. It focuses the law on outcomes, rather than technical implementation, and it would enable data to move around the world where it’s needed. Put together, we think that there’s the opportunity for some real progress in this next year, in reforming and improving, and modernizing this area of the law.
The last thing I would point to is that the need for legal reform is not something that should be considered separately on a country-by-country, or even continent-by-continent basis. The Internet is obviously a global medium. Cloud services are a global phenomenon. As a result, there’s a real virtue and even need for governments to start to move their laws forward more closely together. Nowhere is this more pronounced than across the North Atlantic. In our view, it would be a shame if Europe, for example, were to revise its laws, get the entire job done, and only then have Washington, D.C., wake up and start to think about what it should do, as well. Certainly if the European Union can sort out a new set of rules for 27 member states and get the job done, it’s unlikely to want to reopen the entire process, simply because the U.S. government has decided it’s time to have that kind of dialogue.
What we really need is for governments to start moving forward together. Certainly we may see some differences. It’s, of course, all together possible, and even some respects reasonable to expect that different governments will make different choices based on different values and cultures. But we’ll all be well served if those kinds of decisions are made after a robust, and well-informed, and candid, and direct dialogue between regulators and legislators in different parts of the world. In that regard I think it’s especially encouraging to see discussions starting between the European Commission and the member states on the one hand, and the U.S. Government on the other. It was a real step forward in that process for the U.S. Government in December to designate the Department of Commerce in the Executive Branch, so it would in fact be clear who is supposed to be speaking on behalf of the administration in Washington.
Now that we have some additional clarity, it’s a great time for that discussion to move forward. And we would hope that just as entities, companies, consumer groups and others are offering comments on both sides of the Atlantic in basically the same two or three week period of time, it will be possible for the governments on both sides of the Atlantic to take stock of what they’re hearing and then compare notes with each other. If we can see this kind of progress, I personally think there’s enormous cause for optimism for where cloud computing will go.
I base this in part on what we’ve seen governments accomplish in the past. One of the first issues I ever had the opportunity to work on here in Europe was the software copyright directive that was approved in 1991. I remember well what that did for our industry, and even more importantly for software customers in Europe. Prior to 1991, there was nothing resembling a single market for software in Europe. And as part of the European Commission’s 1992 initiative around the creation of a single market, the European governments came together with a real determination to ensure that software would be part of the new single market that would emerge. I had the chance to work on that directive as it went through the legislative process in Brussels and the member states. And then I had a chance to join Microsoft in 1993 as our industry really adapted to implement it. Prior to the creation of a single market for software almost all software products cost more than twice as much in Europe as they did in the United States. There were concerns at the time about the price disparity between Europe and North America. But, one of the reasons that software was so much more expensive in Europe was because the distribution system was so much less efficient. Before Microsoft adapted in 1993, for example, it had a different warehouse, and a different distribution system, and a different set of distributors in every single country. And there just weren’t the economies of scale that could be created in a market the size of the United States.
Well, after the European Union created the single market for software, companies like Microsoft and every other in the industry decided that they could take advantage of the new set of common rules. Instead of having one warehouse in every country, we had one larger warehouse for all of Europe. And the distributors themselves started to build their own networks out, so they crossed borders, as well. The distribution system became much more efficient and as it did prices rapidly started to fall. And within a few years we, in fact, saw prices for software in Europe tending to be at about the same level as North America, especially modulo particular currency fluctuations. Everybody benefited. The industry grew. Customers saw prices fall. And it simply became easier to buy and install and support software products.
We have an opportunity now to create a much more robust single market in Europe for cloud services, and we have the opportunity to ensure that in many respects this market spans not only Europe itself, but the Atlantic as well. And if we can take these kinds of steps, then I believe that the potential of cloud computing really can best be realized. It brings with it another opportunity to reduce costs, and to improve services, and just enhance the computing experience, certainly for enterprises, certainly for governments, but for consumers as well. And just as in the last 12 months we saw the issues start to come together and some real clarity emerge, in the next 12 months I think we have the opportunity for governments and companies, and the industry as a whole, to take new and concrete and tangible steps forward. If so, then a year from now I think we’ll have the opportunity to look back and see more progress, and look forward and see even greater cause for optimism.
Thank you very much. (Applause.)
We have some time for some questions if you have any?
QUESTION: (Translation off mike.)
BRAD SMITH: Absolutely. I would be happy to provide a link to the study. I think the basic idea is especially for small and medium enterprises. There is enormous potential for them to enhance their productivity and better reach customers in small markets, and more generally as well. And just as we’ve seen in prior periods of time, these kinds of productivity enhancements really encourage companies to invest and hire new people, and bring new services to market. There is a strong sense that these cloud services do so as well.
If you think about the history of the personal computer, it probably made more of a difference for small businesses than for large enterprises because they could reach customers over the Internet without having a large group of a sales force or a marketing budget. They could automate certain aspects of everyday business work. So, it really gave a small company the kind of reach, if you will, that previously was reserved just for larger enterprises. And yet, what’s interesting is we see very substantial differences around the world in the rate of technology adoption by small businesses in particular, small and medium-size enterprises. There are some countries, I would say especially in Northern Europe and in North America, where PCs have been adopted very widely in smaller enterprises. But as you go to other parts of the world, as you go south in Europe, or as you go to a country like Japan, you actually see PC use in small and medium-size enterprises at a far lower level.
In many respects, these enterprises probably have the most to gain from the adoption of cloud services. They can, in some ways, leapfrog, if you will, the state of technology. And in so doing, they’re likely to reap real economic benefits. And this is where we just see perhaps the greatest potential. And I think it’s not a surprise that one of the more positive studies has come out of Italy and the University of Milan, because Italy is a country where SMEs have been probably among the most reluctant to adopt computing, and they now perceive exactly what this can mean for the Italian economy among others.
QUESTION: You mentioned we had the opportunity in the coming 12 months to have a sort of common understanding of what privacy, data privacy really was. One of the challenges for Europe, as you mentioned, but there is also a challenge, because there is an inconsistency in the understanding of what data privacy is on both sides. In the U.S., if I’m not mistaken, there is a very different conception of what data privacy is across sectors. For instance, privacy in e-health is not the same perception as in other sectors. Can you say a little bit about what is the challenge for you in the U.S., as we are on both sides of it having to be very careful about sort of what’s happening in the U.S., and also in having something consistent across the Atlantic?
BRAD SMITH: I think you raise a great point because the privacy issue is often discussed in different ways in different parts of the world. But increasingly I think there’s an opportunity for the discussion at least to start to converge. But it’s probably worth starting with some reflection on the differences.
If you think about the privacy issue, the data protection issue, I think the first thing that one might note is that there are two very different aspects to it. In Europe, data protection has typically been discussed first and foremost in terms of the relationship between consumers and companies. That’s the principle focus of the 1995 directive. It’s all about what companies that have personal information from consumers can do with it. In the U.S., privacy has typically been discussed first and foremost in terms of the relationship between citizens and the state; in other words, what does the state need to do in order to get the personal information of a citizen. But when you stop and think about it, these are really two halves of a whole. We’re all consumers, and we’re all citizens, and we have a common set of personal information. And there are issues that arise both with respect to what companies can do with our information, and what the government or the state can do with it as well.
And I do think that to some degree on each side of the Atlantic the issue is broadening. It’s broadening especially quickly in the United States. As you pointed out, historically, especially in Washington, D.C., the Congress has been reluctant to consider a broad set of privacy issues especially in terms of the relationship between consumers and companies. They were prepared to do it in the context of banking, and there was the Gramm-Leach-Bliley Bill that was enacted that created a law that applied to data protection for financial information held by banks. And then they acted with respect to healthcare and enacted the HIPAA law that applied to data protection with respect to healthcare records. But there was a reluctance to address data protection across the board. And what we saw late in 2010 was the Administration, in the form of the Commerce Department and the Federal Trade Commission, both advocate that there should be some consideration more broadly of the right set of rules for the protection of consumer data vis-à-vis companies. I think one of the really interesting questions for 2011 in Washington is whether we’ll see some bipartisan interest emerge with respect to new privacy legislation that is more broad than what Congress has considered in the past. It’s only January, so the year is young. But already it’s quite interesting to see both Republicans and Democrats in Congress express some strong interest in some new privacy legislation.
There was a hearing in the Senate Judiciary Committee last November where I was the witness on behalf of the industry, and Senator Leahy, who chairs that committee and a number of other senators, made it quite explicit that they wanted to move forward with privacy legislation in at least some important areas in this session of Congress. So, we’ll see that, I think, continue to move fairly rapidly and I think that holds some prospect of bringing the United States closer to Europe, certainly in terms of the questions that people and government are asking. And then we’ll find out whether the answers that emerge are common, as well.
The other part of the issue that probably gets less discussion here in Europe, at least at a pan-European level, is this question of the relationship between citizens and the state and the handling of personal information. And I think that’s principally because in Europe this is addressed most typically in the criminal law, and that’s an area of the law that isn’t dealt with as much in Brussels. But, I think as governments compare notes, if you will, on the state of computer security we may see some more dialogue that brings countries together. It will be interesting to see with the G8 meeting being here in France, in Deauville in May. One of the really interesting characteristics, I think, of these Internet issues is the way they’ve become elevated politically in recent years.
As somebody who has been a part of our industry for quite a long time at this stage, what has really struck me in one respect is a pretty profound change over the last few years. Up through 2007 you’d go to a country and these kinds of issues were of interest and importance to say the Minister of Justice, and the Minister of Culture, and perhaps the Minister of the Economy, but not typically the Prime Minister, or the President, or head of state. And in the last two years that has really changed. I think it changed in part because people saw the way Barack Obama used Internet-based technology to be elected president. But, today Internet issues are really on the agenda for heads of state, that prime ministers want to meet and talk about them.
It was, I thought, very interesting last week when President Hu Jintao visited Washington, D.C. And intellectual property and software was put in the top tier of issues. It was mentioned by every news report ahead of beef as a trade issue. That just wasn’t the case a few years ago. So, I think as we look to the G8 meeting, in fact, it is altogether possible that this greater focus by heads of state on these issues will now become something that presidents and prime ministers increasingly focus on addressing in a more coordinated way. And I think that, too, is just another sign of the times we’re living in, where these issues may become more suitable for common attention and collaboration than they’ve been in the past.
QUESTION: It was a very interesting speech, thank you very much. You focused your attention on the global phenomenon and problem in firms, after that you spoke only on the bilateral solution between, for example, U.S. and Europe, or member states and the European Commission and don’t you hope for a sort of global regulator?
BRAD SMITH: I do think that you raise a very good point. Increasingly we would benefit if there were some global standards, or global principles that could be applied in some of these areas. The question to me is always a pragmatic one. How does one best get from where we are today to a solution that is more global in character? And if I think about how global norms tend to emerge, and ultimately culminate in global agreements, it’s usually more than a one-step process. That doesn’t mean that it will necessary always be that way. But, I think especially if you take an issue like privacy, data protection, on which there has been some substantial attention, especially in Europe, and to a significant degree in North America, I think a strong first step towards more global principles would be some greater collaboration across the Atlantic.
If you look at the countries around the world that have strong data protection laws today, it’s not as long a list as one might think. It certainly starts with Europe. It includes Canada. It includes principally the states in the United States, and in some specialized fields the federal government. And then you look at a country like Australia, a country like Japan, but there isn’t yet that common a foundation on which to build. And so while it might well be good if one could move quickly towards a more global approach, personally I think that a more pragmatic approach would be to take one step across the Atlantic, and then use that to take another step to follow.
OK. Well, thank you again. Thank you. (Applause.)