With the EU’s General Data Protection Regulation (GDPR) having just come into force and discussions on the use of personal data increasing in frequency and intensity, privacy is taking center stage in the U.S. At Workday, we believe privacy is of such vital importance—particularly in an era of rapid technological innovation—that government and industry together need to honor it, including by protecting individuals’ privacy proactively through a legal framework.
At Workday, privacy protections have been a fundamental component of our services from the very beginning. Our third-party audit reports and standards certifications provide tangible evidence of how we protect our customers’ data. When we develop new offerings we implement privacy by design from the very beginning. We have received approval from EU privacy regulators for our Binding Corporate Rules and were among the first companies to certify to the EU-U.S. Privacy Shield protecting personal data transferred from the EU. And we’ve built features that enable our customers to comply with GDPR.
Our efforts are complemented by legal frameworks in the U.S., EU, and elsewhere. As my colleague Jason Albert has explained, the U.S. has a long privacy law tradition, stretching back to the 19th century and providing the doctrinal foundation for the Organization for Economic Cooperation and Development Fair Information Principles. In addition to this heritage, the U.S. currently has a number of strong sector-specific privacy laws governing financial institutions, health providers, educational institutions, and children, in addition to all 50 states’ data breach notification laws. Overlaying all of these, the Federal Trade Commission enforces prohibitions on unfair and deceptive trade practices.
Together these provisions create a U.S. privacy framework that is stronger than it is often given credit for. However, from the outside, the disparate structure of U.S. privacy law makes it difficult for other countries to determine whether gaps exist in protection. As a result, the EU requires U.S. companies to certify to the Privacy Shield or enter into other arrangements to ensure data transferred to the U.S. benefits from substantially similar protections as under European privacy law.
In our view, now is the time for a different—more comprehensive—approach that will benefit customers by creating more clarity for the global community. The U.S. and other countries around the world should adopt privacy laws based on the OECD Fair Information Principles. As privacy is a fundamental value around the globe as well as in the U.S., it is incumbent on the U.S. to lead by having a modern legal framework protecting the privacy of its citizens. While U.S. privacy law must reflect our legal and political traditions, the OECD principles are sufficiently flexible to support country-to-country variation and sufficiently strong to provide international harmonization to ensure that personal data can flow freely across borders in a cloud-enabled world.