The European Commission and the U.S. government announced their new Trans-Atlantic Data Privacy Framework earlier this year, and Microsoft was quick to champion the move given its legal history with international data privacy concerns. Now the Biden administration's recent executive order could fast-track its implementation.
Last week, the Biden administration signed an executive order which implements the previously announced Data Privacy Framework and marks the third such effort by the two regions to tackle trans-Atlantic handling of data since 2015.
As a refresher, the Trans-Atlantic Data Privacy Framework adds restraints on Washington’s signals intelligence gathering in the EU, sets up processes for data collection, and establishes an appeals system that European citizens can access when they feel American intelligence agencies have violated the principles of the agreement in pursuit of ‘information.’
This framework addresses two concerns of the Court of Justice in the EU related to U.S. surveillance laws: (1) the scope and proportionality of permissible U.S. national security surveillance activities; and (2) the availability of redress mechanisms for Europeans whose personal data is improperly collected and used by U.S. intelligence agencies. The new framework rightfully makes clear that U.S. surveillance practices must be both necessary and proportionate. And critically, it creates an independent data protection review court to provide effective review and redress for Europeans impacted by improper surveillance.
Back in 2018, several US officials came to an agreement to pass the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which aimed to facilitate cross-border access to data as it pertained to investigations of serious crimes. The effort to pass the CLOUD Act was entirely US-led, but it helped clarify Microsoft’s position as a data broker in a publicized suit between the company and the US Justice Department over emails originating from Ireland on Irish servers but ultimately held by an American-based software company.
With Biden fast-tracking safeguards and implementing clearer frameworks for the handling of international data sought or held by US-based organizations, it’s no wonder Microsoft publicly offered its own commitment statement for the effort back in March of this year.
First, Microsoft will confirm that any demand for personal data from the U.S. government complies with the newly announced Trans-Atlantic Data Privacy and Security Framework. If we believe the demand is not compliant, we will use all lawful means to challenge it.
Second, Microsoft will support the redress process under the new agreement by putting our full legal resources to work and seeking to actively participate in the judicial review of an individual’s claim of harm related to Microsoft’s public sector and commercial cloud services.
As of this month, Biden’s executive order simply expedites the long-term efforts to establish frameworks for the investigation, handling and limits to the use of international data in criminal cases, which takes the onus off Microsoft to dance between the various data privacy rules established by each country and determine which ones take precedence.