Striking a balance when data has no borders


There have never been more column inches and broadcast minutes devoted to data leaks, security breaches and the misuse of personal information. How we reap the benefits of data analysis while protecting personal privacy and public safety is one of the great questions of this age.

Tech companies are under increased scrutiny, with everybody from lawmakers and investors to employees and consumers examining the relationship between what’s good for business and what’s good for individuals. Microsoft has played a leading role in helping customers strike the right balance.

That’s why Microsoft, like the Australian Government, welcomed the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act by the US Congress in late March. The collective impact of the CLOUD Act, and the international agreements that it lays the legal foundation for, is a much-needed modernisation of the law as it relates to data. The Act strengthens protections for customer data held by US cloud service providers (CSPs) including Microsoft, no matter where that data is held.

The CLOUD Act will reduce the likelihood of conflict over government access to data, while providing a clearer legal process to follow when conflicts arise. This will most certainly have an impact on Australians and the use of their data.

Over the last four years, leading up to the passage of this law, Microsoft has taken the US government to court four separate times to defend the privacy of our customers when we felt that the government didn’t have a right to access data. Indeed, the CLOUD Act itself is arguably the direct result of a case we took all the way to the US Supreme Court contesting a government demand that we turn over data hosted outside the country. This is an indication of how seriously we take this issue.

While litigation is important, we argued that there was great need for updated legislation and a new generation of international agreements. These will modernise the process used by law enforcement authorities the world over to gather digital evidence and investigate crimes.

The need for change

During this time, several other factors have amplified the voices calling for a change in how we legally treat data. These include the rising use of cloud services by individuals and companies as well as the growing recognition of data as the fuel for digital transformation. Data is also a powerful way to trace the movements of people and identify their preferences.

Where data was once stored on our home computers or servers in our offices – meaning anyone seeking access would have to make their intentions known by physically entering that space with a warrant – the privacy equation changed when data moved to the cloud. By serving a CSP with a warrant, a government could potentially gain access to personal data without an end user ever knowing. Although we at Microsoft have both the interest and resources to support our customers by pushing back and even litigating when appropriate, this approach is fraught with legal complexity and uncertainty.

The CLOUD Act is part of the answer to these concerns – and the first stepping stone in a continuing journey. It allows CSPs like Microsoft to help ensure that customers are protected in the global data arena. It also helps us fulfil our central role in public safety and privacy protection more coherently.

One of the ways it does this is by recognising and entrenching a vital right to challenge search warrants if we see a conflict between different countries’ laws. This is fundamental in a digital age where those holding data are subject to cross-border legal expectations.

The CLOUD Act also empowers CSPs with added legal rights to inform foreign governments when their citizens are impacted by a US warrant. The right to raise comity concerns in such cases, and to increase transparency around these requests, is one we will use to ensure the right balance between public safety and consumer privacy.

The impact of GDPR

The comity provision is particularly relevant as Europe brings sweeping new citizen protections into place under the General Data Protection Regulation (GDPR). Under this legislation, set to take effect on 25 May, regulators will harmonise data privacy laws across Europe while giving greater protection and rights to individuals.

It’s the biggest change in European data protection laws in more than 20 years, bringing this area of law into the digital age. It impacts any organisation – including many here in Australia with no physical presence in Europe – that handles certain types of European data.

For all of these reasons, the CLOUD Act is a critical milestone in the journey towards modernising and aligning the legal framework around data protection. We accept the responsibility to do right by our customers and are well aware of the high stakes involved.

Microsoft will continue to play a leading role in this new era of digital privacy. The Australian Government supports the CLOUD Act and we eagerly anticipate Australia being one of the first to reach an international agreement with the US, adding greater certainty and local input into this critical cross-border framework.

It’s crucially important that governments cooperate and agree on clear standards to govern investigative requests for digital evidence. We must strike the right balance between reaping the benefits of data analysis and protecting personal privacy and public safety.

This article was originally published in the Australian Financial Review.
