Microsoft announced Monday that it’s planning to expand the European Union’s General Data Protection Regulation (GDPR) requirements beyond its EU customers to its worldwide client base.
The move is similar to steps some tech companies have taken in recent weeks as GDPR’s Friday, May 25 enforcement deadline approaches. Under GDPR, companies and organizations that target services and products to residents living in Europe, or have business partners and employees in the EU and UK, are required to inform these users of their privacy rights. These rights include the ability to know what data is being collected about them, correct it if needed, delete it if they desire, transfer the data to another vendor, and file a complaint with the appropriate EU compliance authority.
While state and local governments in the United States are expected to face little impact from GDPR, because few government agencies target EU and UK citizens with U.S.-based government services and products, companies that go after consumers in the European market have much to fear if they are out of compliance with GDPR. Under the enforcement penalties, companies and organizations can be fined up to 4 percent of their annual revenue or 20 million euros, whichever is greater.
And although the U.S. and other countries do not have requirements as rigorous as GDPR, Microsoft and a smattering of other tech companies are willing to apply the higher privacy bar when it comes to interacting with customers outside of the EU and UK.
“As an EU regulation, GDPR creates important new rights specifically for individuals in the European Union. But we believe GDPR establishes important principles that are relevant globally,” Julie Brill, Microsoft vice president and deputy general counsel, stated in a Microsoft blog post, adding that “... we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.”
Some GDPR Changes Go Worldwide
Facebook in April announced that it would apply some of GDPR’s privacy requirements to its more than 2 billion users around the world.
In a blog post, Facebook’s Erin Egan, vice president and chief privacy officer, policy, and Ashlie Beringer, vice president and deputy counsel, stated, “We’re introducing new privacy experiences for everyone on Facebook as part of the EU’s General Data Protection Regulation (GDPR), including updates to our terms and data policy. Everyone — no matter where they live — will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook.”
Facebook reversed course and now allows residents in Europe and Canada to turn on, or opt in to, its automatic facial recognition feature that identifies people in photos. Previously, European residents were not allowed to access that feature, according to the Associated Press. Facebook’s blog post notes that all of its users can make face recognition entirely optional; however, the feature is currently set to automatically opt in users outside of Europe and Canada.
One Size Does Not Fit All
An editorial in the Harvard Business Review by Bhaskar Chakravorti, senior associate dean of International Business and Finance at The Fletcher School at Tufts University, points out that GDPR cannot easily address privacy issues for all countries outside of Europe.
“Support for regulation varies widely from country to country — and of course, within countries. Public opinion in some EU member states shows support for stringent rules, but that support is not always shared in other countries,” he said.
For example, Chakravorti cites a Pew Research Center survey question in which 85 percent of Germans surveyed favored more stringent European data privacy standards, while only 29 percent of Americans surveyed felt the same.