Privacy Daily is a service of Warren Communications News.
Simplifying Compliance

Microsoft Privacy Head Driving Innovation Amid 'Regulatory Tsunami'

Microsoft supports regulatory efforts to simplify compliance with privacy laws globally, said Cari Benn, the company’s associate general counsel-privacy, accessibility and regulatory affairs, in an interview last week at the IAPP Global Privacy Summit. Meanwhile, as Microsoft embraces AI, it's striving to apply privacy principles to the emerging technology.


“We have been going through what we call a regulatory tsunami for years, where we have seen an influx of privacy laws around the world,” Benn told Privacy Daily in Washington. There are laws in about 140 jurisdictions globally, and that doesn’t include statutes in 20 U.S. states, she said. When Benn started in the privacy profession, around 2005, there were far fewer regulations on the books, she noted.

“At the same time, we have just this explosion in innovation,” she said, pointing to Microsoft’s significant involvement in generative AI. A big question, therefore, is “how do we continue to innovate and adopt new technologies” while “complying with this web of privacy laws,” as well as regulations around responsible AI, accessibility, digital safety, competition and telecom laws around the world? “We spend a lot of time trying to think about how you balance those two things.”

Benn applauded the efforts of U.S. and EU regulators to reduce the complexity of privacy compliance. She highlighted an effort to simplify the General Data Protection Regulation (GDPR) and a new consortium by U.S. state enforcers meant to foster collaboration (see 2504110002 and 2504160037).

On GDPR simplification, the Microsoft official said she sees opportunities to enhance coordination among data protection authorities and “streamline some of the documentation that’s required.”

For example, companies currently must complete data protection impact assessments (DPIAs) under both the GDPR and the EU AI Act. “There are a lot of core facts that underpin all of this documentation, and to the extent we could have harmonization across some of those requirements, I think it would help.” While Microsoft, as a large company, can manage the work, it’s harder for the company’s small and medium-sized business customers, she said.

With the state regulators’ consortium, Benn said she sees a chance to help companies understand how they can implement policies that cover small differences between U.S. state laws. She added that “it just helps with privacy thought leadership to have a coalition like that.”

While there are differences among U.S. state laws, “they really are harmonized -- or at least interoperable.” However, Microsoft has been advocating for a national U.S. privacy law since the 2000s, Benn said.

“Good regulation is good for everyone,” and the states’ activity in this area shows it’s possible to have regulation that balances people’s right to privacy with what works for businesses, she said. “We have a lot of strong models,” including from Colorado, California, Connecticut and Tennessee. “We would like to see a federal privacy law to make sure that everyone is afforded the same rights regardless of where you live.” While there remains no national U.S. law, Microsoft has publicly committed to honor California- or GDPR-like “data subject rights globally,” she added.

Benn said one enforcement trend she has observed globally is a focus on vulnerable populations, including children and the elderly. In addition, regulators are “trying to figure out how to enable new technology while continuing with strong and meaningful enforcement.”

Applying Privacy to AI

Like many companies, Microsoft is in the midst of layering AI with the company's long-standing regard for privacy. “One of the criticisms of AI can be that it's not very transparent about how personal data is used to create the AI or how personal data is used as people are interacting with AI-based apps,” she said. “We make sure that we do a lot around transparency, to make sure that as we're developing AI … we are clear about what information is being used [and] what controls people have over it.”

“The other thing that we do, which is a requirement under GDPR and some of the state laws, is really related to privacy by design,” said Benn. “As we are building technology, privacy is incorporated into the development process. We do privacy reviews for all of our products” -- including AI -- “to make sure that they’re meeting expectations.”

In response to much initial skepticism about generative AI, Microsoft has talked to regulators about “how sometimes it's important to have different types of data so that the AI works for everyone,” Benn said. For example, to improve AI interactions with people who speak different languages, “it does require that we collect information from users who are interacting in different languages to be able to build a product that works for everyone.”

Some state policymakers have emphasized data minimization requirements, as seen in Maryland’s privacy law and pending bills in Connecticut (see 2504220040), Vermont (see 2504250033) and Maine (see 2504290048). However, Benn said data minimization isn’t a new concept.

“Don't collect data that you don't really need -- or explain why you need it,” she said. “And so, even if you are doing things that require large amounts of personal data, like creating large language models, you can meet data minimization requirements by having a reason for why you're doing what you're doing and really explaining it.”

Microsoft is ready to comply with Maryland’s law, which takes effect this October, Benn said. “We comply with anything that comes our way.”

Microsoft was affected by last year’s health data privacy law in its home state of Washington, she said. In 2022, Microsoft acquired Nuance Communications, which provides voice-assistive technology that doctors use for taking voice notes, and medical providers also use some of Microsoft’s AI products, she said.

With Washington’s My Health, My Data Act, “it didn’t change our practices as much as it changed some of the disclosure requirements.” As a result, Microsoft’s privacy statement now includes a specific section on that law. “We’ve heard from other companies that they really like the way that we did that, and so it’s kind of become this unofficial model.”

On new data-protection tools, Benn pointed to “a lot of interesting things happening” with privacy-enhancing technologies. Such tools could be used “to enable some targeted advertising while minimizing the data you're processing and changing how you're processing.”

In addition, there’s “a lot of opportunity for AI to help with some of the tasks that privacy professionals engage in,” she said. That might include conducting data inventories and automating the writing or editing of DPIAs.