Tech companies need to embrace the need for improved data privacy rules, while regulators need to get better at setting them, says a top Microsoft executive.

“The tech sector needs to step up, and regulators need to work faster,” said Brad Smith, Microsoft’s president and chief legal officer, during his keynote speech at the 41st International Conference of Data Protection and Privacy Commissioners in Tirana, Albania.

Smith said technology companies—especially those that rely on data-driven business models—cannot simply continue to oppose regulatory changes, arguing that revised or new regulation does not mean innovation will be stifled or that compliance will become more onerous. Instead, better rules reflecting how data is valued, used, stored, and transferred will help companies understand what guarantees regulators want around data protection and data privacy, and how consumer trust will be retained.

“Privacy is not just a fundamental human right,” said Smith. “It is a foundational right.” With that right comes a need for data protection rules, and those rules, according to Smith, have developed in three ways:

  • The “first wave,” which stems from the 1970s with the growth of “notice and consent,” a standard legal and compliance practice that became increasingly abused over the course of the next two decades as a way of limiting corporate liability rather than protecting consumers. In Europe, measures to combat such abuses resulted in 1998’s Data Protection Directive.
  • The “second wave,” which emerged when the growth of the internet made personal data a valuable commodity companies could leverage for sales and marketing purposes, often transferring it cross-border (and without safeguards). Largely missed by European regulators under the original data protection directive over 20 years ago, these concerns have now been plugged by the launch last year of the EU’s General Data Protection Regulation (GDPR).
  • And the “third wave,” which Smith said is needed now—a little more than a year after GDPR’s implementation. This is where regulators work together—perhaps beginning at a local level first and then cooperating more widely—while technology companies engage more with governments and regulators and take a “smart approach” to regulation so technology is governed by law and products and services are effectively compliant at rollout.

He added that there should be more specific rules governing the use of some new technologies (though he did not specify which) and that aspects of data privacy law, competition law, and e-Commerce law need to be better aligned so tech companies have a clearer guide as to whether their practices, products, or services breach any rules.

Some of Smith’s views appear to be in sync with those of some of the EU’s data protection authorities. Elizabeth Denham, the United Kingdom’s information commissioner, told Compliance Week at the conference that punishing companies for data abuses with large fines “will not always be the most effective remedy.” Instead, she said she would prefer tech companies to use the Information Commissioner’s Office’s regulatory sandbox to test product safety, or to roll out services only when they know they are compliant.

During his speech, Smith did not address a recent update from the European Data Protection Supervisor that said preliminary results from an investigation into the compliance of contractual arrangements between EU institutions and Microsoft have revealed “serious concerns.” Launched in April, the investigation is still ongoing.