Microsoft: One federal privacy law better than 50 state laws
- By William Jackson
- Nov 03, 2005
Faced with a patchwork of state privacy laws, Microsoft Corp. today came out in favor of federal regulations to set minimum standards for securing personal data.
Speaking Thursday to a Capitol Hill audience of congressional staffers, Microsoft vice president and general counsel Brad Smith said bills now pending in the House and Senate take important steps toward standardizing privacy requirements but do not do the entire job.
'We are enthusiastic about the range of bills being considered now,' he said. 'They take important steps. But none of the bills does the full range of things that need to be done.'
Those things, according to Microsoft, are:
- Set a baseline standard for securing both electronic and paper-based data that would pre-empt state laws
- Provide consumer transparency on the collection, use and security of personal data by companies
- Give individuals control over their data by allowing them to opt in or out of data sharing programs and
- Establish flexible requirements for security technology.
Recent high-profile security breaches that have exposed personal data held by companies have led to data privacy laws in more than 20 states and calls for federal legislation.
Microsoft's stance is not an endorsement of federal regulation so much as a recognition that regulation already is being forced on industry at the state level. Industry will be better off with a single, coherent standard than with a patchwork of conflicting requirements, Smith said.
The IT industry also is facing a crisis in consumer confidence due to data breaches that could damage its bottom line.
'This is a technology that depends on retaining the confidence of the public,' and that confidence is waning, Smith said.
Smith's comments were made as the House Commerce Subcommittee on Commerce, Trade and Consumer Protection was considering HR 4127, the Data Accountability and Trust Act. It would require holders of electronic data to make reasonable efforts to secure the data and to notify individuals if data is compromised. It would pre-empt state law and be enforced by the Federal Trade Commission, and would let state attorneys general bring civil suits under the act.
The bill would not apply to nonelectronic data, however, and makes no provision to let consumers control how the data is used.
S 1789, the Personal Data Privacy and Security Act being considered in the Senate, would impose requirements similar to those in the House bill, but would exempt many federally regulated businesses. It would not apply to financial institutions governed by the Gramm-Leach-Bliley Act or to organizations that fall under the Health Insurance Portability and Accountability Act.
Smith said such multiple data security requirements undermine efforts to provide adequate security. He was realistic about the unlikely prospects for undoing existing federal regulation, but said that eventually data security and privacy requirements would have to be harmonized not only across federal regulations but with international law as well.
Industry groups are split on the need for legislation.
Jerry Berman, president of the Center for Democracy and Technology, praised the move in a statement, saying, 'While we have not reached a consensus on all of the provisions of a privacy bill, we applaud Microsoft's willingness to work actively with other high-tech companies, consumer organizations and policymakers to make serious privacy legislation a reality.'
But the Progress and Freedom Foundation issued a statement today calling the House legislation misguided. Senior fellow Tom Lenard said the bill opens the door to federal regulation of technology and could cost industry more than the expected losses to consumers.
William Jackson is a Maryland-based freelance writer.