GDPR means Google, Microsoft lawyers must connect engineers with regulators

14 February 2017. By Mike Swift.

Leading privacy lawyers with Google, Microsoft and Cisco Systems said Tuesday that as they prepare for Europe's new General Data Protection Regulation to take effect next year, it's critical that regulators work with software companies to help them express the specific requirements of that wide-ranging privacy and data security law.

Speaking at a conference* in California, Keith Enright, Google's director of global privacy legal, and Geff Brown, Microsoft's assistant general counsel, both said that the EU's GDPR will require the companies' engineers to rewrite software code for their products. Starting in May 2018, the GDPR will impose stricter obligations on how companies handle personal information, including data-breach notifications and impact assessments.

They, along with Michelle Dennedy, Cisco's chief privacy officer, said that means that in-house lawyers with technology companies over the next 14 months will have to create a bridge between European regulators and software engineers within their companies.

"The best thing we can do is make a good-faith effort to comply and have a candid conversation with the regulatory community," said Enright, who warned that there could be a "disastrous outcome" if software engineers were "to aim at a different target than the regulators have in mind."

As the GDPR requires more stringent privacy and data security practices, "we're having to explain that to the engineering folks," Brown said. The EU regulation "does require engineers to code new things, new experiences for users."

While Google continuously works with focus groups to determine the proper amount of information to put before users to allow them to make privacy choices, Enright said the search giant also needs to listen to regulators in tailoring those choices.

Dennedy said that it's critical for technology companies to engineer their software with global privacy compliance in mind, not just in Europe but also elsewhere in the world.

"We are so fast paced.…You have to be very global in your view," she said. "Your engineering has to be flexible enough that you can function in many global jurisdictions."

As their companies are owners of the world's two leading search engines, Google and Microsoft's Bing, Enright and Brown both affirmed they will continue to comply with the European Court of Justice's 2014 "Right to Be Forgotten" ruling, even as the GDPR codifies that and other rights to erase data stored by online platforms, and the right to portability, meaning moving data between multiple platforms.

Notably, in a one-hour discussion about global privacy enforcement in Silicon Valley, hardly a word was said about US privacy and data security enforcement. Maureen Ohlhausen, the acting chairman of the US Federal Trade Commission, has said she wants to limit privacy enforcement to cases where there is evidence of concrete harm to consumers.

*RSA Conference; San Francisco, California, Feb. 13-17, 2017.
