BRUSSELS, Belgium, May 15, 2001 — Microsoft Corp. today announced its plan to sign the Safe Harbour Agreement, a data protection agreement between the United States and the European Union (EU) that allows the uninterrupted flow of personal information from the EU to the United States, based on firmly established Fair Information Principles. Richard Purcell, Microsoft's director of Corporate Privacy, made the announcement today in Brussels. The announcement makes Microsoft among the first U.S.-based multinational corporations to agree to sign the Safe Harbour Agreement, which comes into full effect on July 1, 2001.
"Microsoft has a worldwide commitment to protecting our customers' privacy and providing them with control over personal information. This commitment to stateside and international data protection policies, as defined by the Fair Information Principles, is well established," said Purcell, as he addressed a group of European Commission officials in Brussels. "Because our company privacy policies are consistent with the EU principles for data protection, Microsoft is able to sign the Safe Harbour Agreement with the U.S. Department of Commerce this summer."
Jean Philippe Courtois, president of Microsoft Europe, Middle East and Africa (EMEA), echoed Purcell's commitment. "Microsoft is dedicated to the continuation of trusted systems and relationships. Our announcement today to sign the Safe Harbour Agreement is a natural step along that path and reinforces our continued commitment to protect our European customers' data and to making sure they feel safe whenever they do business with us."
Background on Safe Harbour
The European Commission issued the Directive on Data Protection to protect the privacy of EU citizens. The directive states that for those countries outside the EU whose privacy practices are not deemed "adequate," transfers of personal information from Europe to those countries would be stopped. To ensure that personal data flows to the United States are not interrupted, the U.S. Department of Commerce (under the Clinton administration) and the European Commission developed a "safe harbour" framework that will allow U.S. organizations to satisfy the European Directive's requirements.
U.S. organizations that decide to participate in the Safe Harbour Agreement must comply with its requirements and publicly declare that they do so by signing up with the U.S. Department of Commerce. Although the decision by U.S. organizations to participate is voluntary, organizations that transfer data from the EU to the United States and do not sign up by July 1 may be subject to enforcement actions in Europe.
The Fair Information Principles
The Safe Harbour Agreement inherently involves a dedication to the Fair Information Principles of Notice, Choice, Access, Security and Enforcement. It also adds the compliance principles of onward transfer and data integrity. For Microsoft and other companies to comply with the Safe Harbour implementation of the Fair Information Principles, the following criteria must be met:
Notice. Notice involves informing online and offline users, in a clear and conspicuous manner, about the purpose(s) for which information about them is collected and used; the choice mechanism(s) available for limiting use and transfer; the types of third parties to which data is transferred; and how to contact the organization for inquiries or complaints.
Choice. Choice involves offering users a clear and conspicuous opt-out mechanism for any secondary uses of data and for disclosures to third parties. Opt-in choice must be available for sensitive information such as medical or health conditions, race or ethnic origins, political opinions, or religious or philosophical beliefs.
Access. Access involves ensuring that individuals can obtain reasonable access to personal information about them held by the organization. With some exceptions, organizations must provide consumers with the ability to correct, amend or delete information that is inaccurate.
Security. Security ensures that an organization takes reasonable precautions to protect personal information from loss, misuse, unauthorized access, unauthorized disclosure, unauthorized alteration and unauthorized destruction. This involves technologies such as encryption, access controls and physical security of the data.
Enforcement. The enforcement mechanism requires the existence of a readily available and affordable independent recourse for individuals, as well as consequences for the organization when the principles are not followed.
Onward transfer. Onward transfer dictates that an organization disclosing personal data to a third party must adhere to the Notice and Choice principles, unless the third party is acting as an agent of the company; and either the third party specifies, by way of a contract, that it provides at least the same level of protection as is required by the relevant principles, or the third party subscribes to the Safe Harbour Principles or is subject to the EU directive or another adequacy finding by the EU.
Data integrity . Data integrity means that personal information collected must be relevant to the purposes stated in the notice, and that reasonable steps should be taken to ensure that the data is reliable, accurate, complete and current.
The U.S. Department of Commerce is responsible for implementing the Safe Harbour Agreement for companies based in the United States. More information on the Safe Harbour Agreement can be found at the department's Safe Harbour Web site at http://www.export.gov/safeharbor/ .
Microsoft's internal processes to confirm that its practices aligned with the Safe Harbour Agreement involved detailed evaluations based on the Fair Information Principles. Evaluation processes include annual surveys of customer data handling; employee training; in-depth reviews of major properties and systems; education on requirements, guidelines and best practices; and the active participation of internal audit groups and third-party consultations.
Microsoft and Privacy
Microsoft has made privacy a priority from both a technical and policy standpoint by working with privacy organizations and incorporating technology into many of its products and services to enable the trusted exchange of personal information.
From a technical perspective, Microsoft has been a leading participant in the W3C Platform for Privacy Preferences (P3P) effort and, in March, released a public preview of the first broad-distribution implementation of the P3P-based privacy tools, which will be part of the Microsoft® Internet Explorer 6 technologies in Windows® XP, the next version of the Windows operation system, due out this fall. In addition, the Microsoft Privacy Wizard, a privacy statement generator found on bCentral™ , Microsoft's small-business Web portal at http://privacy.bcentral.com/ , has helped more than 26,000 businesses and noncommercial entities develop privacy statements.
For consumers, Microsoft recently launched Safe Internet ( http://www.microsoft.com/safeinternet/ ), a user-friendly Web site that provides helpful and easy-to-use privacy and security tools and advice to parents and consumers. The company has led the industry in addressing some of the most pressing issues facing security and privacy through its SafeNet 2000, an event that brought together leaders in industry, law enforcement, policy, academia and consumer protection.
Founded in 1975, Microsoft (Nasdaq "MSFT" ) is the worldwide leader in software, services and Internet technologies for personal and business computing. The company offers a wide range of products and services designed to empower people through great software -- any time, any place and on any device.
Microsoft, Windows and bCentral are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft's corporate information pages.