A day after Apple CEO Tim Cook called for a U.S. federal privacy law from the keynote stage at the IAPP Global Privacy Summit 2022, Microsoft President and Vice Chair Brad Smith took the urging up a notch in his own keynote address Wednesday.
Smith not only made clear that Microsoft was in favor of U.S. Congress acting on federal privacy legislation, but went further with criticism regarding the lack of action on Capitol Hill. He noted that legislation is "not just needed, but long overdue" and continuing to "sit on our hands" puts the U.S. further behind in the global privacy discussion.
"Think for a moment about where we are today. I would argue in some ways that it is shocking," said Smith, noting his company's first call for a federal privacy law came in 2005. "Let's look at what's happened around the world while our Congress has been frozen in time. … The United States increasingly stands alone. The fact of the matter in my view is there is a critical element we are failing to think about. The failure of the U.S. to legislate doesn't stop global regulation. It doesn't even slow it down. It just makes our country less influential in the world."
Smith's comments implied an ongoing deadlock on privacy, whether it be among federal lawmakers or between lawmakers and industry, which he believes stems from the U.S. not being "signed up to embrace the importance of compromise." The pointed remarks also came after U.S. Senate Committee on Commerce, Science and Transportation Senior Advisor John Beezer hinted at potential progress toward federal legislation in a breakout session Tuesday, saying ongoing "serious, bipartisan" dialogue could generate "something soon."
An all-encompassing US digital regulator?
The absence of federal regulation makes the work of U.S. enforcement agencies focused on the digital space that much more important. But instead of boosting and equipping separate agencies to help them properly regulate, Smith entertained the idea of a whole new commission dedicated to all digital affairs.
"Would we be better served to place in the hands of people, pursuant to the rule of law, the ability to learn and master the facts for an industry and craft carefully very thoughtful rules?" Smith said. "Is that a better future than asking a Congress or a legislature or a Parliament go to on a piecemeal basis and change each and every law separately, and with less coordination?"
The example Smith provided to tee up his argument was the U.K. Digital Regulation Cooperation Forum, formed in July 2020 to "ensure a greater level of cooperation, given the unique challenges posed by regulation of online platforms and digital services." He added that folks can get "a little nervous" when it comes to government regulation over self-regulatory standards, but it's a conversation that needs to happen for "thoughtful regulation" to come together in a world "where regulation is a reality."
Cooperation, creativity required
The idea of a new regulator and much of the general dialogue around privacy regulation, in the U.S. or elsewhere, requires more than just knowledgeable proposals.
Working across borders will be one of the essential pieces in Smith's view, noting the potential inability to "manage this level of regulatory growth" and subsequent "creation of complexity" without the cross-border cooperation. He used EU-U.S. data flows dilemma as an example, with the original Privacy Shield agreement taking four months while the latest political agreement to stand up trans-Atlantic data flows took 18 months so far.
The other important aspect Smith alluded to was the need for creativity in the broadest sense to generate appropriate and strong policies.
"It's in my opinion where you all will be critical," Smith said. "We need privacy regulators, professionals and practitioners who recognize that privacy itself is much less siloed than it used to be. Some of the leading privacy issues of our time involve the intersection of privacy and say the protection of children. With digital safety its privacy and cybersecurity. And then there is the intersection of protection of privacy and public health.
"We need to think across the traditional intellectual boundaries that have in some ways have perhaps too nearly subscribed our thinking in the past."