Our Perspective on the Future of Privacy Legislation

At Workday, privacy isn’t just a word, it’s an action—in fact, it’s a broad range of actions that we undertake on a daily basis. As we’ve previously detailed, privacy protections have been a fundamental component of our services since day one. Building on our robust privacy program, and the key privacy principles we embrace in our efforts to support customers, we’ve been working with policymakers and technology industry leaders to provide adequate protection for all.

Globally, this means collaborating with different countries, companies, and leaders to ensure the free flow of data across borders. This is enabled by our commitment to maintaining compliance with the highest standards and certifications around the world. In the United States, specifically, our efforts are focused on ensuring a comprehensive, national privacy law–which fosters trust, innovation, and economic growth–is put in place in the near term. That’s why we’ve outlined our perspective to help guide this process in a paper titled, “Accounting for Enterprise Cloud Technologies in U.S. Privacy Legislation,” which we’ll detail more below. 

Before we jump into our thoughts on U.S. privacy legislation, we want to provide an update on what we’ve been doing within the industry, around the globe, and at Workday as we remain committed to ensuring adequate privacy protections for all.

• Industry Collaboration: Workday partnered with six other leading providers of enterprise cloud services to co-found the Enterprise Cloud Coalition. The coalition is actively working with U.S. policymakers to foster a deeper understanding of enterprise cloud computing technology across the public sector, while also promoting trust and encouraging growth and innovation among cloud companies of all sizes. We also regularly participate in industry events to hear and share best practices, most recently a CEPS event that focused on the successes, challenges, and impacts of the General Data Protection Regulation (GDPR); and Global Privacy Summit 2019, hosted by the International Association of Privacy Professionals (IAPP), where I spoke on tech advances and key privacy considerations tied to Artificial Intelligence (AI) in Enterprise Systems.
• Ensuring Global Compliance: Workday became the world’s first organization to adhere to the EU Cloud Code of Conduct (CoC) by SCOPE Europe, underscoring our continued commitment to global data protection and validating a robust level of data protection and transparency that aligns with GDPR requirements. Additionally, in an ongoing commitment to cross border data flows, we completed our third annual recertification to the EU-U.S. and EU-Swiss Privacy Shield agreements.
• Ethical AI for the Enterprise: Given the increasing focus on AI and its uses in the enterprise, we published our commitments to ethical AI, which include six principles that guide how we develop machine learning—a subset of AI—for the enterprise responsibly, with a focus on how we’ll uphold the privacy principles and processes that are built into the fabric of product development to ensure compliance.

With more than 14 years invested in understanding data privacy, enhancing protections, and maintaining compliance with comprehensive global privacy standards, we decided now would be a great time to share some of the insights we’ve gained along the way. So, we published a white paper titled, “Accounting for Enterprise Cloud Technologies in U.S. Privacy Legislation,” which explains why we believe there’s an urgent and critical need for federal privacy legislation. It also offers guidance on how we—in the U.S.—can map toward achieving comprehensive data privacy protection for all, in the very near future.

Our hope is that the vision we’ve articulated in-depth—which we released publicly today—will inspire and inform those who are navigating the complexities of developing a federal law that balances emerging technologies and economic growth with the safeguards needed to ensure data privacy protections.

A couple of key themes highlighted within the recently published paper include:

• Technology is not monolithic. Businesses—like Workday—that access other companies’ data in order to provide services to customers (perhaps for business planning or analytics purposes, for example) handle that data very differently than those that directly control—and often monetize–consumer data. Given these substantial differences, it’s important to tailor laws accordingly. By protecting consumers with a reliable and robust privacy framework that’s flexible enough to capture differences among rapidly evolving technologies such as enterprise cloud services, Congress can set the stage for the next wave of technological innovation in data-powered services.  
• Aligning with global standards will enable innovation. When the U.S. government moves forward with the introduction of federal privacy legislation, it will be important to align with existing laws that are already guiding data use around the globe, such as GDPR. It’s also critical that privacy law in the U.S. be based on OECD Fair Information Practices, which have been historically backed by the U.S. Federal Trade Commission (FTC). By aligning with existing frameworks, we’ll enable cross-border data flows and adequate privacy protections for all, without squelching innovation or creating unnecessary inefficiencies. This alignment will also help to ensure continued growth for American businesses that are already operating globally.

We feel it’s vitally important to keep privacy in-focus, whether that means publishing our guidance for the future of national privacy legislation or taking action through other global initiatives to drive progress. Stay tuned for updates on this timely topic!