
Microsoft Chief Calls for 'Global Standard' on Privacy

Microsoft Joins Apple in Calling for Strong Privacy Legislation

In an interview this week at the World Economic Forum Annual Meeting in Davos, Switzerland, Microsoft CEO Satya Nadella praised the EU's GDPR and called it a "fantastic start on really treating privacy as a human right." 

He went on to say, "In fact I will hope that the world over, we all converge on a common standard. One of the things we do not want to do is fragment the world and increase transaction costs, because ultimately it's going to be borne in our economic figures. I hope we all come together, the United States and Europe first, and China. All the three regions will have to come together and set a global standard."


The implication is that GDPR should be used as a blueprint for worldwide user privacy protections. But is this realistic? The U.S. is already considering a federal privacy law -- but most people suspect a federal law will weaken some existing state laws, such as the California Consumer Protection Act (CCPA) due to come into force next January.

The latest proposal, the ADD Act, put forward by Sen. Marco Rubio, is already weaker than GDPR in the exemptions it makes. In fact, Rubio's proposal highlights the huge cultural difference between the U.S. and Europe: Europe believes that business must not impede legitimate personal privacy while the U.S. believes that personal privacy must not impede legitimate business.

But difficulties between Europe and the U.S. will be nothing compared to aligning China with western views on personal privacy. China's culture, and not just in modern times, has always been focused on the state and the collective rather than the individual. China is also pursuing a policy of economic parity -- if not supremacy -- with the west. It is difficult to see China not using international laws to protect its own companies against the western giants.

In fact, suspicion of protectionism is even a possibility between the EU and the U.S. It has been suggested that if Europe imposes a series of multi-billion-dollar fines against the U.S. tech giants, it could be seen as protectionism in favor of newer and smaller European companies.

It is difficult to see how a single overarching legislation could satisfy the divergent cultural views of the U.S., Europe and China. But the Nadella interview was an interview at Davos -- and Davos has been described as a 'mix of pomp and platitude'. Microsoft has never been afraid of making public appeals that have public but not government support. Its call for international norms of cyber behavior overseen by a panel of independent international experts has gained zero traction.

More recently, Brad Smith called for a Cyber Geneva Convention that would involve worldwide governmental cyber weapon disarmament. Both the U.S. and UK governments have made it clear that they retain, and will continue to retain, selected zero-day vulnerabilities for operational use. This call for an international privacy law may well go the same way as Microsoft's norms and Geneva convention -- a good idea with public support ignored by government.

But there is another point worth making. Microsoft is not alone among the U.S. tech giants calling for strict privacy rules. In an opinion piece in Time this week, Apple CEO Tim Cook did likewise. While he did not name 'GDPR', he described something with a similar effect. He called for the minimization of data collection; the right for users to know what is collected; the right for users to access, correct or delete collected data; and the right to have that data securely protected. To this he added the right to track the movement of personal data through data brokers. All of this is covered by GDPR.

Apple has, for several months now, been attempting to differentiate itself from its competitors via a strong stance on personal privacy. Has Microsoft decided to do the same? It is, after all, noticeable that the two giants who gain at least most of their income from selling products rather than data are supportive of personal privacy. The two giants that depend upon selling data rather than products (Google and Facebook) have not taken a similar stance.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.