Microsoft announces new data protection measures: it will legally challenge every government request for user data
On November 19 (U.S. time), Microsoft Chief Privacy Officer Julie Brill announced in a blog post new protections for public sector and enterprise customers who need to move their data out of the European Union. These include a contractual commitment to challenge government data requests and a corresponding monetary commitment: if user data is disclosed to a government agency in an improper manner, Microsoft will compensate the affected users.
The backdrop to this announcement is that large technology companies, Microsoft included, are still working out how to keep sending data from the EU to the United States lawfully. In July 2020 the Court of Justice of the European Union issued a landmark ruling that struck down "Privacy Shield", the main legal framework used to send information from Europe to the United States. The court said it did so out of concern that user data could be probed by U.S. intelligence agencies, posing a security risk.
Companies that had been sending user data to the United States on the basis of "contractual clauses", one of the few remaining lawful ways to transfer data, must now take additional privacy safeguards such as encryption. If companies or regulators conclude that customer data is not safe in the United States or elsewhere, they may stop such data transfers altogether.
Brill said: "We believe the new steps we are announcing today go beyond the law." The legal challenges to law enforcement requests will apply to governments of all countries, not only the United States. "We hope these additional steps will give users added confidence about their personal data."
Last week the EU data protection regulator, the European Data Protection Board, issued guidance to help companies determine whether additional measures, such as using pseudonyms when exchanging identity information, are needed before data is transferred.
Microsoft had already added other commitments to its customer agreements, including encrypting data both in transit and at rest, and complying with lawful government demands for data only when clearly compelled to do so.
Microsoft's public statement responds to the new guidance from the EU data protection regulators. With this statement Microsoft becomes the first company to respond to the European Data Protection Board (EDPB) guidance, and it has also made new commitments to demonstrate the strength of its conviction to defend customer data.
First, Microsoft commits to challenging any government request for public sector or enterprise customer data wherever there is a lawful basis for doing so. This strong commitment goes beyond the EDPB's recommendations;
Second, if the data of these customers' users is disclosed in response to a government request in violation of the EU's General Data Protection Regulation (GDPR), Microsoft will provide them with monetary compensation. This commitment also exceeds the EDPB's recommendations. Microsoft says these commitments show its confidence that it can protect the data of its public sector and enterprise customers.
Microsoft says these protections, which it calls "Defending Your Data", will be added immediately to its contracts with public sector and enterprise customers.
Microsoft also said this adds to its foundational privacy commitments on data privacy, which include:
Strong encryption: Microsoft encrypts customer data to a high standard whether it is in transit or at rest. Encryption is a key point in the draft EDPB recommendations. Microsoft does not provide any government with its encryption keys or any other means of breaking its encryption;
Standing up for customer rights: Microsoft does not give any government direct, unrestricted access to customer data. A government that demands customer data must follow the applicable legal process, and Microsoft complies only when clearly compelled to do so. Its first step is always to try to redirect such orders to the customer or to notify the customer, and when Microsoft believes an order is unlawful it routinely denies or challenges it;
Transparency: For many years Microsoft has published information about government demands for customer data. Microsoft sued the U.S. government to be allowed to disclose more data about national security orders and reached a settlement granting it the right to do so. As a result, in addition to its regular law enforcement request reports, Microsoft publishes more detailed information twice a year about national security orders across all of its businesses (consumer, enterprise and public sector);
A track record of legal success: Microsoft has more experience than any other company in going to court to establish the limits of government surveillance orders, and it has even taken one case to the U.S. Supreme Court. These efforts have given customers greater transparency and stronger protections. While no commitment to challenge access orders can guarantee victory, Microsoft is satisfied with its record of success so far.
Microsoft notes that privacy is a core value for the company because it believes customers will only use its technology if they trust it.
Compiled by 前哨 from Microsoft's official blog post and reports by 新浪科技 (Sina Technology) and cnBeta.
The full text of the blog post follows:
https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/
New Steps to Defend Your Data
Nov 19, 2020 | Julie Brill - Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer
Our public sector and enterprise customers regularly need to move their data between countries, regions and continents. Today, we’re announcing new protections for our public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show our conviction. Microsoft is the first company to provide these commitments in response to last week’s clear guidance from data protection regulators in the European Union.
Every day, our customers move data through their global networks to serve their clients, work with suppliers or partners, and manage payroll for their global workforce. These cross-border data transfers have been the subject of recent litigation and regulatory action including a ruling earlier this year from the Court of Justice for the European Union and draft recommendations issued last week by the European Data Protection Board (EDPB) about how companies can comply with this ruling.
With today’s announcement, we are moving to be the first company to respond to the EDPB’s guidance with new commitments that demonstrate the strength of our conviction to defend our customers’ data. Microsoft has already demonstrated that we provide strong protections for our customers’ data, we are transparent about our practices and we defend our customers’ data. We believe the new steps we’re announcing today go beyond the law and the EDPB draft recommendations, and we hope these additional steps will give our customers added confidence about their data.
First, we are committing that we will challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so. This strong commitment goes beyond the proposed recommendations of the EDPB.
Second, we will provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of the EU’s General Data Protection Regulation (GDPR). This commitment also exceeds the EDPB’s recommendations. It shows Microsoft is confident that we will protect our public sector and enterprise customers’ data and not expose it to inappropriate disclosure.
We call these protections Defending Your Data, and we will begin adding them to our contracts with public sector and enterprise customers immediately.
Defending Your Data makes a substantial addition to our foundational privacy promises, and builds on the strong protections we already offer customers.
We use strong encryption: We encrypt customer data with a high standard of encryption both when it is in transit and at rest. Encryption is a critical point in the draft EDPB recommendations. We do not provide any government with our encryption keys or any other way to break our encryption.
We stand up for customer rights: We do not provide any government with direct, unfettered access to customer data. If a government demands customer data from us, it must follow applicable legal process. We will only comply with demands when we are clearly compelled to do so. Our first step is always to attempt to re-direct such orders to customers or to inform them, and we routinely deny or challenge orders when we believe they are not legal.
We are transparent: We have, for many years, published information about government demands for customer data. We sued the U.S. government over the ability to disclose more data about the national security orders we receive seeking customer data and reached a settlement enabling us to do so. As a result, twice a year, we disclose more detailed information about these national security orders across all our businesses (consumer, enterprise, and public sector), in addition to our regular Law Enforcement Request Report.
We have a track record of legal success. We have more experience than any other company going to court to establish the limits of government surveillance orders, and we have even taken one case to the U.S. Supreme Court. Our efforts have provided customers with greater transparency and stronger protections. No commitment to challenge access orders can assure victory, but we feel good about our record of success to date.
Some of the public discussion about the impact of U.S. government data demands focuses on U.S.-headquartered companies. But it is clear that U.S. laws regarding government access to data apply to companies that do business in the U.S., even if they are headquartered in Europe or elsewhere.
Privacy is a core value for us at Microsoft because we believe people will only use technology if they can trust it. That’s why we were the first cloud provider to work with European data protection authorities for approval of Europe’s model clauses, the first to adopt new technical standards for cloud privacy, and enthusiastic supporters of the GDPR since it was first proposed in 2012. We have extended core rights under the GDPR to consumers around the world, and we have honored core rights of the California Consumer Privacy Act for all our consumers in the United States. In addition, we have launched the Tech Fit for Europe initiative to develop digital solutions based on European values and rules.
We hope the steps we have announced today demonstrate to our enterprise and public sector customers that we will go above and beyond the law to defend their data, and the data of their users.