Greetings from Brussels!
An interesting report was released this week by the U.S. Chamber of Commerce and law firm Hunton & Williams, looking at the qualities of an effective privacy regulator. Chief amongst their findings is that regulators ought to be good communicators, both seeking feedback from their regulated communities and working collaboratively to understand technological innovation.
We saw this play out in real time this week, as the WP29 made inquiries into Microsoft’s privacy settings in Windows 10. The European watchdog had already written to Microsoft last year expressing concerns about the default settings of Windows 10 and users' control over the company's processing of their data, but questions remain, with an emphasis on the "depth and breadth" of user data being sent back to the company's Redmond HQ servers.
Microsoft has in the interim introduced an expanded settings menu that gives folks installing the software more information on data privacy. However, the EU's Article 29 Working Party wonders if the changes include enough disclosures to customers. The WP29 has asked for more explanation of Microsoft's strategy for processing personal data for various purposes, including advertising. "Separate to the ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data," the group said in a statement. Notably, however, it also acknowledged Microsoft's willingness to cooperate.
In a statement Tuesday, Microsoft said it was listening carefully to comments from the EU and "will continue to cooperate with the Working Party and national data protection agencies." Microsoft's views on the protection of user data in Windows 10 were recently elaborated in a blog post by Microsoft Windows and Devices chief Terry Myerson. Myerson outlines the coming changes to the operating system's data-notification settings, stating that the company continually strives to "make choices easy to understand while also providing clear visibility and control over your data."
Talk about transparency. We, the public, are seeing regulatory conversations play out in real time and in full view.
In parallel, and with less than 15 months left before the new GDPR comes into force, Microsoft also announced this week its promise to be compliant with the GDPR across all cloud services by the May 2018 deadline. Brendon Lynch stated that Microsoft is committed to principles of cloud trust, privacy, transparency and compliance. He also added that, while Microsoft is committed to “helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility." Lynch also acknowledged that the regulation’s new requirements will include greater access and deletion rules, clear risk assessment and data breach notification procedures, as well as data protection officer roles for many organizations.
Clearly, we're seeing the lines of communication open up as data protection becomes a mainstream topic of business conversation. Regulators, consumers and businesses themselves are seeking clarity on where lines will be drawn and how technological development will be affected.