Data privacy: Consumers want it, businesses need it — it’s time our government delivers it

When the European Union’s Global Data Protection Regulation went into effect one year ago, it was a huge step forward for privacy rights in Europe and around the world. The GDPR provides a framework for protecting consumers and organizations from breaches of their personal data. Unfortunately, the U.S. has not yet moved to provide similar protections to citizens and consumers.

In my role as head of global privacy and regulatory affairs at Microsoft, I draw on my three decades of enforcing consumer protection and competition laws at the state and federal level, including as a commissioner at the U.S. Federal Trade Commission.

I know the challenges of creating comprehensive, meaningful rules that hold organizations accountable.  I applaud the work underway by Sens. Roger Wicker (R-Miss.), Maria Cantwell (D-Wash.), and the other members of Congress who are working to make sure a comprehensive bipartisan bill takes into account what consumers need, what businesses should be expected to provide, and what is in the best interest of the future of our digital economy.

GDPR’s one-year anniversary provides us with an opportunity to reflect on where we are in this country in achieving the goal of creating a federal privacy law that incorporates proven concepts, is uniquely American, and works for consumers and businesses in order to ensure the privacy of all Americans is prioritized.

At Microsoft we believe that privacy is a fundamental human right, and have supported a national privacy law in the U.S. since 2005. Microsoft was also the first company to voluntarily extend the core privacy rights defined in GDPR, called data subject rights, to our customers around the world — including the right to know what data is collected, the right to correct it, and the right to delete it or take it somewhere else.

Since GDPR went into effect, we’ve observed intense interest in these data subject rights from customers globally. Consumers worldwide both want and would benefit from privacy frameworks that provide consumers with these tools of empowerment.

Here in the U.S., consumers are even more interested than their counterparts in Europe in exercising control over their data. While a U.S. law should not copy GDPR, the consumer controls in the regulation from across the pond should inspire U.S. policymakers to provide similar empowerment tools to American consumers.

Since GDPR, California has led the way in providing consumers with the ability to control their data. The passage of the California Consumer Privacy Act last summer was a watershed moment for privacy in this country. A federal law can build on the California law by adding obligations for companies to act as responsible stewards of consumers’ personal data. Companies should be accountable for how they collect, share, and sell people’s data, by carefully weighing the benefits that may flow from data processing against the risk to the individual whose data is being processed.  

This additional requirement is important, because trust cannot be achieved solely through a consent model where consumers need to either opt in or opt out on every website they visit or online service they use. Individual empowerment is critical, but standing alone it places too much of the burden of privacy protection on individuals, without requiring due diligence by companies. A strong federal law can require companies to be responsible stewards of consumer data and hold them accountable when they do not live up to their obligations, in addition to empowering consumers to control their data.

And a federal law must contain strong enforcement provisions. As I experienced first-hand, the laws that the FTC enforces are simply not strong enough to police today’s complex digital economy.

Finally, while a U.S. privacy law should be distinctly American, it should work with GDPR. For U.S. businesses, interoperability between a U.S. law and GDPR allows companies to make a singular investment in infrastructure, rather than building duplicative and complex systems to comply with various requirements in different jurisdictions.

Congress should act to engender consumer trust, preserve an open and democratic society, and keep pace with innovation through a bold privacy law inspired by the privacy norms established in GDPR. It’s time.

Julie Brill is Microsoft Corporate Vice President & Deputy General Counsel for Global Privacy and Regulatory Affairs. She served as commissioner of the Federal Trade Commission from 2010 to 2016.