Microsoft has come out in favour of a national privacy law for the United States. Notably, this proposal calls for the federal law to pre-empt state laws that may be more onerous. From the Microsoft release:

Microsoft Advocates Comprehensive Federal Privacy Legislation: General counsel outlines framework to protect consumers and promote online commerce.:

Related Links

Feature Stories:

• Microsoft Addresses Need for Comprehensive Federal Data Privacy Legislation - Nov. 3, 2005

Microsoft Resources:

• White Paper: Protecting Consumers and the Marketplace: The Need for Federal Privacy Legislation (.doc file, 86 KB)
• Security & Privacy Newsroom

WASHINGTON — Nov. 3, 2005 — Microsoft Corp. today announced its support for a comprehensive legislative approach at the federal level on the issue of data privacy. In a speech delivered to the Congressional Internet Caucus, Brad Smith, senior vice president and general counsel for Microsoft, told Caucus members that “the time has come” for a strong national standard for privacy protection that will benefit consumers and set clear guidelines for businesses while still allowing commerce to flourish.

Smith explained the three key factors that have led Microsoft to support a comprehensive federal legislative response: an increasingly complex patchwork of state, federal and even international laws related to data privacy and security; the potential for consumer fears about identity theft and other online dangers to dampen online commerce; and the increasing consumer desire for more control over the collection and use of online and offline personal information.

“The growing focus on privacy at both state and federal levels has resulted in an increasingly rapid adoption of well-intended privacy laws that are at times overlapping, inconsistent and often incomplete,” Smith said. “This is not only confusing for businesses, but it also leaves consumers unprotected. A single federal approach will create a common standard for protection that consumers and businesses can understand and count on.”

Smith noted an increasing level of concern from Americans on the subject of identity theft over the Internet.

“Individuals will not take full advantage of the Internet or any commercial medium if they believe that their information or data could be compromised or disclosed in unexpected ways,” Smith said. “There is a causal link here: protecting consumers promotes commerce, and that’s good for everyone.”

The third factor — consumers’ increasing desire for more control over the collection and use of their personal information — springs from the response to the increasingly aggressive tactics of computer criminals.

“We’ve seen a spate of legislative activity in the aftermath of several highly publicized data breaches, but for consumers, the reality is still pretty daunting. They do not necessarily have a better experience and in many cases still do not clearly understand how companies are collecting, using and disclosing their personal information in the first place,” Smith said. “We have to make this more transparent and manageable for consumers.”

“Microsoft’s call for strong national privacy legislation is a landmark moment in the cause of establishing and protecting individual privacy rights online,” said Jerry Berman, president of the Center for Democracy and Technology. “Microsoft’s privacy legislation commitment creates momentum for a serious effort to establish consumer privacy expectations for the digital age. While we have not reached consensus on all of the provisions of a privacy bill, we applaud Microsoft’s willingness to work actively with other high-tech companies, consumer organizations and policymakers to make serious privacy legislation a reality.”

Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

• Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
• Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
• Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals’ consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
• Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information.

Peter Cullen, Microsoft’s chief privacy strategist responsible for managing and promoting the company’s implementation of privacy across its products, services and processes, reinforced the need for and value of a uniform approach that complements technological advances.

“Microsoft’s overarching goal for privacy continues to be to create a trusted environment for Internet users,” Cullen said. “We have woven privacy into the DNA of Microsoft, from product development to deployment, and decisions are made with privacy in mind. A comprehensive legislative approach to privacy that applies across the country would be part of the solution to give all consumers strong privacy and security protection, and allow everyone to realize the full potential that the Internet and technology can provide.”

There is growing support throughout the technology industry for a more standardized approach to data privacy. Leading companies such as HP have voiced support for a federal legislative approach and have incorporated similar ideals into their standard operating procedures.

Barb Lawler, HP’s chief privacy officer, concurs with Cullen. “HP believes a uniform federal approach to data privacy would provide a consistent level of expectation for consumers and business continuity for corporations,” Lawler said. “HP believes that upholding the highest standards for the protection of personal information is a business imperative and, through our ‘Design for Privacy’ initiative, we integrate privacy into every facet of our business processes, products and services.”

Labels: breach notification, identity theft, information breaches