The Redmond, Wash.-based software giant will become the 41st company to sign onto the agreement, called Safe Harbor, which protects consumer information as it flows between European and U.S. companies. Other U.S. companies to join include Hewlett-Packard, Dun & Bradstreet and Navigant International.
Despite a threat of legal action under European privacy laws, U.S. companies have largely neglected to sign on to the agreement, sparking fears that the U.S. and European countries will be at loggerheads over privacy protections in coming years. The lack of commitment from the United States also highlights the vast differences between American businesses' privacy practices and those of other countries.
"We could very easily be headed for a showdown in which European officials will have to protect the privacy of EU citizens and assert that U.S. companies are just not providing protections that they're already guaranteed under EU law," said Andrew Shen, policy analyst at the Washington-based Center for Democracy and Technology.
The Safe Harbor agreement, effective July 1, springs from the European Commission's data-privacy law, passed in October 1998, which protects EU citizens from the unfettered collection and sharing of personal information between businesses, among many other provisions. The law is widely regarded as too strict for American business standards, which are largely governed by self-regulation.
Safe Harbor was designed as a middle ground where EU countries and U.S. companies could conduct business and maintain much of the privacy standards outlined in the directive, although on a less-stringent level. Safe Harbor prohibits the transfer of personal data to non-EU nations that do not meet the European "adequate" standards for privacy protection. Although joining Safe Harbor is voluntary, U.S. companies signing on to the agreement can avoid prosecution by European authorities under their privacy laws.
Safe Harbor is open to all businesses governed by the Department of Transportation and the Federal Trade Commission, including retailers and marketers. Though businesses can continue to join the agreement after July, privacy advocates say that the small number of companies aligned reflects poorly on the United States.
Earlier this year, legislators called the Safe Harbor agreement into question, saying it could pose a threat to U.S. trade and cost companies millions of dollars to comply with.
"If enough companies don't sign on, obviously this won't be the solution," Shen said.
As a result, the European Union is also looking at letting businesses negotiate deals under model contract agreements, which would place privacy provisions on international deals case by case.
Privacy advocates say Microsoft's participation signals an important step for American businesses. Because Microsoft is one of the biggest multinational companies in the world, advocates say its endorsement of the privacy provisions shows that any company can sign on with ease.
"If Microsoft can do this, then anyone can do it," said Larry Ponemon, a privacy expert and president of Guardent Technologies.
Microsoft spokesman Rick Miller explained: "It takes an enormous amount of time to go through all of your different properties and areas, and make sure that we were compliant with the Safe Harbor agreement. But we've acted under the fair information practices for some time."
Fear of the fine print
"There is some general concern and distrust that the Safe Harbor agreement is in the best interest of American business," Ponemon said. "A lot of companies are worried about the fine print and not being able to live up to the requirements of the agreement."
U.S. companies have also been concerned about the finality of the agreement, which makes it difficult to rescind an association.
Under the agreement, companies are required to give consumers clear notice of information-gathering practices, choice to "opt out" of such practices, and access to data that is held about them. It also requires companies to take security measures to protect personal information from loss or misuse.
"Joining Safe Harbor indicates that you're following more than the norm than what's practiced in the United States," Shen said.
By agreeing to comply with the principles, U.S. companies are in essence applying self-regulatory guidelines to their businesses. In the event of stepping outside the guidelines, U.S companies could also face scrutiny from the FTC, which polices deceptive trade practices. U.S. businesses that comply with Safe Harbor must announce the affiliation publicly by signing up with the Department of Commerce.
The EU postponed the law's implementation during two years of negotiations with Washington that culminated in agreement on the "safe harbor" rules in March 2000.