Normal view

Protecting privacy as a fundamental right while supporting transatlantic data flows

At Microsoft, we are committed to our customers’ fundamental right to privacy. In a world defined by rapid technological change and geopolitical volatility, this commitment has remained constant. It’s rooted in decades of experience building trusted technologies that our customers rely on every day to manage their data. Many of these organizations depend on the ability to move data across the Atlantic, from the EU to the U.S., in a way that protects their privacy. That’s why we support the European Commission in its defense of the EU-U.S. Data Privacy Framework. And that’s why we have formally intervened in the Latombe v. Commission case before the Court of Justice of the European Union. This case puts at stake two principles that are important for Microsoft – the protection of our customers’ privacy and their ability to do business on both sides of the Atlantic.

To intervene in a case before the Court of Justice, a company must apply for permission. In this case, the Court granted our application, finding that Microsoft has a direct and existing interest in its result. Put simply, the outcome of this case will determine whether Microsoft and its enterprise customers may continue to use the EU-U.S. Data Privacy Framework to transfer data to participating U.S. companies, including vital customers and suppliers. This critical legal bridge promotes stability, beneficial trans-Atlantic ties, economic growth, and prosperity, while upholding strong privacy safeguards. The Latombe case seeks to dismantle it. As an intervener, we can now file legal briefs in support of the European Commission, participate in oral hearings, and share our perspective on the importance of upholding a framework that directly benefits the European economy.

Supporting the European Commission’s adequacy decision on the EU-U.S. Data Privacy Framework before the Court of Justice of the European Union

Companies across the globe rely on data flows to manage their people, produce their goods and services, and distribute products to their customers. We understand that data flows trigger questions about differences in legal traditions. They should. And for that reason, the European Commission and the U.S. administration worked diligently, in the decade since the Safe Harbour ruling, to harmonize EU and U.S. law. As a result of that hard work, and as required under the European General Data Protection Regulation (GDPR), the U.S. has now created an independent review court for any complaints regarding U.S. surveillance and implemented other required measures to provide an “adequate” level of data protection that is essentially equivalent to that in the EU.

This equivalence is a key point. The law entitles our customers to privacy on both sides of the Atlantic. This is the principle on which the Data Privacy Framework rests. And our intervention in the Latombe case is just one part of a long history in which we have stood up for that principle in Europe, as well as in the U.S. As far back as 2014, Microsoft challenged the FBI’s secret attempt to use its national security authorities to obtain information about an account that belonged to one of our enterprise customers. After we filed the case, the FBI withdrew its request. In 2016, we sued the U.S. government to challenge its practice of seeking indefinite secrecy orders—i.e., orders that prevented Microsoft from ever notifying its enterprise customers when the government sought their data. As a result of that case, the U.S. Department of Justice changed its policy to place strict limits on the duration of secrecy orders. In the decade since that first constitutional challenge, we’ve launched a series of successful court challenges to ensure that secrecy orders, of any duration, are the exception, not the rule. As a result of our litigation, numerous secrecy orders have been vacated or modified to allow notification to our customers.

We don’t confine our advocacy to courts. We are a steadfast proponent of strong privacy regulation on both sides of the Atlantic. That’s why we are specifically pushing Congress to update the U.S. Electronic Communications Privacy Act to place stricter limits on the use of secrecy orders and ensuring they are subject to meaningful judicial review. This legislative reform is gaining momentum in Congress and will greatly enhance our continued ability to protect our customers’ data.

Stable and trusted data transfers are not an end in themselves. They are a means to enable innovation, economic opportunity, and public services—while upholding the fundamental rights that are at the core of EU and U.S. law. Our intervention in the Latombe case reflects that principled balance and follows a long line of legal actions we have taken to protect our customers.

Looking ahead

At Microsoft, we have long recognized that trust is not a given—it is earned through sustained action, thoughtful design, and a willingness to engage openly with governments, customers, and individuals. Microsoft has consistently advocated for strong, clear, and globally interoperable privacy frameworks, recognizing that trust in technology depends on the strength of the rules that govern it.

Our customers in Europe can rely on us to continuously improve and update our privacy practices as technology and legal standards evolve. In 2018, we were the first major technology company to extend GDPR subject matter rights to all our customers around the world. And recent positive assessments of our privacy compliance by the European Data Protection Supervisor and the Hessian DPA in Germany underscore our continuous commitment to our customers’ fundamental right to privacy.

In support of this work, we’ve updated the Microsoft Privacy Statement to use clearer structure, simplified language, and more precise explanations of our data practices—making it easier to understand what data we collect and how it’s used, without changing our underlying privacy protections or commitments.

The future of technology will be shaped not only by what we build, but by the principles that guide us. By grounding innovation in respect for people and organizations, and strong legal protections, we can help ensure that technology continues to be a force for good.

The post Protecting privacy as a fundamental right while supporting transatlantic data flows appeared first on Microsoft On the Issues.

Flock Cameras Can Surveil Cars Without License Plates

3 July 2026 at 13:15

This is from a 2024 company presentation:

Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.

Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the company’s presentation shows.

The company gives police officers the ability to search that data as well, to “build stronger cases with less information upfront.” That includes being able to locate multiple vehicles law enforcement officials believe are moving together and what Flock calls a “multi geo search.”

This kind of thing is older than AI; I wrote about it in my 2014 book Beyond Fear. Edward Snowden revealed that the NSA was using cell phone location data to track phones that were habitually near each other.

As bad as Flock is, remember that anyone with broad access to cell phone location data can do the same thing.

Papa Johns Surveillance-Based Advertising

1 July 2026 at 12:53

Papa Johns is spying on people’s buying activities to predict when they are low on food:

The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge without being too creepy,” said Carrie Drinkwater, chief investment officer at Carat.

To achieve that goal, NBCU and Instacart created a custom audience of shoppers who regularly purchase grocery staples on Instacart, such as eggs, milk, meat and produce. Based on that data, Papa Johns can determine which days of the week certain consumers are likely to run out of groceries and serve them an ad on NBCU streaming content accordingly. The brand served custom creatives to consumers based on their food preferences—such as whether they buy meat regularly—with QR codes and calls to action such as, “Light on groceries?” or “Empty fridge?”

Back in 2012, we learned (from Target and its campaign that detects when someone is pregnant) that the trick is to hide the knowledge in other, wrong, information. So the way for Papa John’s to not be “too creepy” is to deliberately get it wrong sometimes.

But still, ugh.

The Realities of AI Video Surveillance

30 June 2026 at 14:05

The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia.

I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions about video footage to AIs—and AIs can answer them.

In contrast with older tools restricted to a few dozen preset searches, these new tools allow an almost unlimited range of enquiries by enabling language-based searches on video.

That lets intelligence officers hunt through massive streams of videos using simple search terms, such as two men handing a bag to each other; a person who has changed their appearance, or has changed clothes multiple times in a day; or a vehicle that has recently been painted over, or has driven past the same spot several times in a short period.

“This is the holy grail of surveillance,” said a European official whose country uses the technology on its cities. “We are able to look for behaviour, not objects ­ it has created a world of new possibilities.”

❌