Microsoft: A Pro-Privacy Company?
posted by Daniel Solove
Microsoft has recently announced that it supports comprehensive national privacy legislation. According to a white paper by Microsoft Senior Vice President and General Counsel Brad Smith:
Over the past few years, however, several factors have altered the privacy landscape in such a way and to such a degree that we now believe the time has come to support national privacy legislation as a component of a multifaceted approach to privacy protection. As a strong supporter of free-market solutions, Microsoft did not come to this decision without careful consideration. But it is one we now believe is the right course in order to provide meaningful protections for individuals, while avoiding unnecessary obstacles to legitimate business activities.
I applaud Microsoft’s shift from calling for self-regulation to calling for comprehensive privacy regulation. I have long believed that self-regulation has not worked effectively.
My main concern with Microsoft’s proposal is its call for federal preemption of state regulation:
To address the current patchwork of state and federal law, federal privacy legislation should pre-empt state laws that impose requirements for the collection, use, disclosure and storage of personal information. Only a uniform national standard can address the complexities, inconsistencies and incompleteness of current laws, and bring the clarity and consistency needed to benefit consumers and businesses.
Federal legislation must do more than just create a “floor” above which states are free to impose additional requirements. . . . The only realistic solution that protects consumers, while minimizing the operational burdens on responsible businesses, is to adopt a nationwide privacy standard. That standard should certainly be robust, but it should apply uniformly.
Although I’m sympathetic to business concerns about dealing with many different state standards, I am wary of federal preemption for several reasons.
First, many of the most innovative solutions to privacy problems have emerged at the state level. The data security breach notification emerged in the states, not in Congress.
Second, Congress has often been slow to respond to privacy problems. Congress is still wrangling out a response to the litany of data security breaches that occurred earlier this year. A number of states had strong protections against identity theft in place long before; and many quickly passed legislation afterwards while Congress spun its wheels. Things seem to get done at the state level. They don’t seem to get done in Congress.
I used to quickly dismiss notions of federalism and extolled the efficiency and power of national laws. But I’ve increasingly warmed to the virtues of giving states more power to experiment with regulation, even when it can be less efficient and more unweildy. That’s because in the privacy field, states have been more creative, more effective, more responsive, and more expeditious.
Third, the preemption power is often seized upon by companies as a way to reduce privacy protection rather than increase it. Thus, a low federal standard replaces and preempts stronger state standards, thus locking in a uniform weak standard. From my experience following privacy legislation thus far, it appears that many states have produced more balanced laws. Of course, a truly strong and effective federal standard would be welcome, but I’m increasingly wondering whether that’s just a dream.
So part of IBM’s call may be answered — we’ll get a federal standard that preempts state laws — but it could be a low and ineffective standard that will lead to a net reduction in privacy protection. I don’t believe that this is what IBM wants — IBM strikes me as acting in good faith — but it may be what the process ultimately yields after companies in countless industries deploy their lobbyists to tenderize any comprehensive federal privacy bill.
Therefore, I view Microsoft’s new pro-privacy stance with great enthusiasm, but also with some trepidation.
See also Chris Hoofnagle’s blog for a good discussion of the issue.
November 4, 2005 at 12:50 am
Posted in: Privacy, Privacy (Consumer Privacy)
Print This Post
Leave a Reply