User privacy rights must move with their data: Microsoft

Microsoft has proposed a solution to data transfers between the European Union and United States after an EU court recently ruled the long-standing "Safe Harbour" regime invalid.

The company's top legal officer, Brad Smith, said the only way a new "Safe Harbour" regime could be devised was if governments on both sides of the Atlantic respected the privacy rights and protections enjoyed by EU and US citizens, even if their data left the countries they live in.

Like the EU court, Smith pointed to revelations by Edward Snowden as the reason the existing data transfer system was struck down, and referred to an earlier case in an Irish high court that found US mass surveillance ran counter to Irish citizens' right to privacy.

"As the European court reasoned, the case [in Ireland] had raised real concerns that once personal data was moved to the United States, it might be accessed through governmental bulk collection and without any right by Europeans to defend themselves before a US court," Smith wrote.

"Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud."

The "Safe Harbour" deal had been in place for around 15 years, and a new approach is needed to tailor today's technological advances to demands for privacy, he said.

Privacy is a fundamental human right, a principle that has been enshrined in constitutional law on both sides of the Atlantic and must be protected, Smith wrote.

Microsoft has lobbied hard for data not to be forcibly localised through data sovereignty and similar provisions, and the recently agreed Trans Pacific Partnership trade agreement bars the 12 participating countries from preventing information moving across borders.

Smith said a global internet where cross-country data flows are permitted was needed lest commerce grind to a halt and the world "return to the digital dark ages."

"Imagine trying to complete a purchase online and being told that your purchase has been blocked because your credit card information needs to be processed somewhere else," he wrote.

"Imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country where you want to fly."

He proposed a "Rubik's Cube" solution with four steps that would revive the defunct "Safe Harbour" system, starting with people's legal rights moving with their data across the Atlantic.

If the US government wanted access to information belonging to EU nationals, stored in America, it would have do so in a manner that conforms to EU law, Smith said.

EU governments and agencies would likewise have to follow US legal procedures to access data belonging to Americans stored in Europe.

There needs to be a better, expedited process between US and EU government entities seeking access to personal data and authorities who review and authorise this, Smith said.

People who move between the EU and the US need to be taken into account as well, he said. If an EU citizen moves to the US, the American government could only ask US courts to authorise data disclosure for that person.

Governments should also seek access to data of legitimate businesses only by serving an order on those organisations, even when the information is stored in the cloud, Smith said.

Such an agreement would address "one of the principal areas of current legal concern for businesses that are relying on cloud services," he argued.