BRUSSELS, Belgium — 7 September 2005 — Europeans are concerned about their privacy online and want assurances that smart policies and cutting-edge technologies are in place to protect them.
The European Union (EU) requires companies to comply with some of the world’s most comprehensive regulations and standards for the processing of personal data. But the realities of assuring that privacy and the processing of personal data effectively coexist present challenges for every enterprise.
In a world of international commerce and rapidly changing technology, what are the most effective methods for securing personal information, or dealing with notice and informational disclosures? How can policy and technology be enlisted to manage internet cookies, e-mail spam, deceptive software like spyware, and even critical software such as updates and patches?
Microsoft has long used EU regulations as the benchmark for its privacy standards, not just in the Europe, Middle East and Africa (EMEA) region, but worldwide. To promote ideas and dialogue around creating meaningful and strong privacy protections for today, Microsoft has published a white paper outlining strategies for compliance with EU data privacy regulation.
The EMEA Press Centre recently spoke with the white paper’s author, Peter Fleischer, director of regulatory affairs for Microsoft EMEA, to learn more about Microsoft’s approach to privacy issues and how that fits in with what European governments are doing.
EMEA Press Centre: What was your objective in writing a white paper on compliance with EU privacy rules?
Peter Fleischer: To promote the sharing of best ideas and practices. Our businesses, in particular software and online operations, are at the cutting edge, and we have worked hard to find creative ways of ensuring the privacy of our customers, who are using a variety of online services across international borders. Compliance with EU privacy regulations is a critical area of focus for us and many other companies, and this paper is an attempt to continue dialogue on how businesses can apply these regulations to protect consumers most effectively.
EPC: What is the most challenging task you are facing in complying with EU privacy rules and how are you approaching it?
Fleischer: Our main challenge is to effectively apply EU privacy rules, established in 1995, to today’s constantly changing technologies while taking into account diverse cultural and regulatory environments across EU countries. In the white paper, I have described several case studies of how we have approached compliance challenges in key areas that have been subjects of debate in privacy circles — and despite differences among them, the common thread is that most of our success came as a result of collaboration with regulators and industry partners, new and better technologies, and consumer education.
EPC: Can adoption of clear consumer privacy practices be an important differentiator for companies?
Fleischer: Absolutely. Protecting personal information shared by customers is one of the pillars of consumer trust, and it is critical that businesses pay close attention to privacy issues. Businesses that have strong privacy policies and effectively comply with privacy rules benefit by boosting their reputation and business relationships.
EPC: What would you like other companies operating in an online environment to take away from the white paper?
Fleischer: To address privacy challenges successfully, it is vital that businesses show initiative and think creatively about incorporating privacy rules into their operations and services. Where legal requirements are evolving or are subject to different interpretations, the most effective solutions are often achieved through collaboration with other parties, including consumers, regulators and industry partners. We all have the same goal of protecting privacy, and I encourage the industry to view all stakeholders as partners in the compliance process and establish dialogues and partnerships with them to achieve this shared goal.
EPC: Consumers are often concerned about how their private data is handled by businesses. What are you doing to inform consumers about their rights and the use of their personal information?
Fleischer: EU rules on consumer notice and information disclosure are a key component of the European privacy regime, and disclosure is one of our top priorities. It is critical to educate consumers about the use of their personal information and empower them to take control of how their data is being used. The reality is that privacy statements have devolved in the last ten years to become very long, complicated and legalistic documents — and most internet users do not read them and, as a result, do not understand their privacy rights. That’s why Microsoft took a leading role working with regulators from around the world, including Europe, to introduce a layered approach to privacy statements. The concept of layered notices is to provide an easy-to-read one-page summary of a company’s online privacy practices while conforming to all regulatory requirements and giving links to full legal statements and other relevant information.
EPC: Can you give us a glimpse of a collaborative process with European regulators? How did it work and how did you come to agreement?
Fleischer: Our shared work on developing short layered privacy notices is a great example of cooperation. The idea was first discussed at the 2003 International Data Commission Conference in Sydney, and we followed up with more concrete suggestions at a workshop in Berlin the following year, where we worked closely with regulators and industry partners to discuss this approach and incorporate their recommendations. The Article 29 Working Party, composed of representatives of national data protection authorities, then published a paper endorsing short layered notices, and we moved ahead immediately to implement this approach with our MSN privacy notices that are now available to consumers in many countries and languages around the world. This case demonstrates how efficiently industry and regulators can work together to help protect consumers online, and it is certainly an exciting model for us to follow in the future.
EPC: Does Microsoft have a uniform approach to data privacy compliance or does it have to vary its practices in different regions?
Fleischer: Microsoft has a single standard approach to privacy compliance in place worldwide. This is modelled on the European requirements. We feel it is important to treat all of our customers around the world with the same high level of privacy protection. From a pure infrastructure point of view, it’s much more complicated to try to run systems to different standards. And in the online world, you often don’t know where your customers are located, so it’s important to provide a single high standard of privacy that will meet or exceed the legal requirements around the world.
EPC: Tell us a bit about how Microsoft seeks feedback from users on privacy issues.
Fleischer: At the end of our online privacy statement there is an easy-to-use link that encourages feedback from all users. We’ve got some great ideas and helpful tips from an array of people who want to protect online privacy and make the internet a better place to communicate and do business. We also work hard to maintain constant dialogue with privacy advocates and consumer organisations to learn more about the consumer privacy issues they are examining closely.
EPC: Give us an update on Microsoft’s fight against spam, one of consumers’ biggest privacy frustrations.
Fleischer: We all know this is an ongoing battle. One thing we’ve learned in the industry fight against spam is that a sound legal framework and stringent legal rules, while central to addressing spam, are unlikely to solve the problem alone. It is critical that private industry, particularly high-tech companies, contribute resources and become involved in fighting spam. Industry contributions can take various forms, ranging from legal action against spammers — Microsoft has filed more than 135 civil anti-spam lawsuits to date — to setting industry standards and designing technological solutions.
In terms of technology efforts, Microsoft is combating spam at every point along the path of transmission — on networks, on servers, at customer inboxes and at the source. This includes detecting and stopping spam e-mails from reaching customers’ inboxes, disabling or flagging potential threats in e-mails that get through, and offering additional protections in the browser to alert and protect customers from potential threats online. Microsoft has also been playing an active part in various EU initiatives against spam, such as the Safer Internet Plus Programme and the European Commission’s 2004 Workshop on Spam.
EPC: Peter, what trends do you see in the privacy space? What is Microsoft doing with its government and industry partners to stay ahead of the curve and apply current laws to technologies that are changing around the globe?
Fleischer: It is clear that an increasing amount of our lives and business activity will be conducted online. It makes the work we are doing today to protect privacy and promote the integrity of the internet critically important for the future. Because consumers will need a way to more seamlessly manage their profiles and activity online, the development of a reliable digital identity system may be one way to address privacy challenges in the future. Such a system would need to have strong privacy protections and simultaneously provide much more consumer control for manoeuvring online. The convergence of these two things is an advance we’d like to see and be a part of developing.