Microsoft on Monday became the first major US tech company to say it would transfer users’ information to the United States using a new transatlantic commercial data pact and would resolve any disputes with European privacy watchdogs.
Data transfers to the United States have been conducted in a legal limbo since October last year when the European Union’s top court struck down the Safe Harbour framework that allowed firms to easily move personal data across the Atlantic in compliance with strict EU data transferral rules.
EU data protection law bars companies from transferring personal data to countries deemed to have insufficient privacy safeguards, of which the United States is one, unless they set up complex legal structures or use a framework like Safe Harbour.
Microsoft said it would sign up to the EU-US Privacy Shield, the new framework that was agreed by Brussels and Washington in February to fill the void left by Safe Harbour and ensure the $260 billion in digital services trade across the Atlantic continues smoothly.
“I’m pleased to announce today that Microsoft pledges to sign up for the Privacy Shield, and we will put in place new commitments to advance privacy as this instrument is implemented,” John Frank, vice-president of EU government affairs, wrote in a blog.
The US company’s endorsement of the Privacy Shield comes amidst criticism of it by privacy groups for failing to address concerns about US surveillance practices and one day before EU data protection regulators sit down for a two-day meeting on whether to endorse it themselves.
Revelations by former intelligence contractor Edward Snowden of mass US government surveillance programmes sparked outrage in Europe and set in motion the legal challenge that eventually led to the quashing of Safe Harbour.
The European Commission, which negotiated the framework on behalf of the EU, has urged companies to comply with decisions from the 28-member bloc’s data protection authorities in disputes to help the Privacy Shield survive an expected future court challenge.
Companies transferring human resources data will have to submit to the jurisdiction of European regulators, but for other companies it will merely be voluntary. The main enforcers of the framework will be the US department of commerce and the US federal trade commission.
The European Commission welcomed Microsoft’s announcement, noting that EU individuals were more likely to turn to their national regulator to complain about the handling of their data.
“We welcome the fact that companies already commit to using the Privacy Shield and complying with its obligations,” said Christian Wigand, a commission spokesperson.