Dunstan Allison Hope, Managing Director, Advisory Services, BSR

Yesterday, Microsoft published its first Law Enforcement Requests Report, disclosing the number and nature of requests law-enforcement agencies globally have asked Microsoft regarding its online and cloud services—and how the company responded to those requests.

The relationship between companies and law-enforcement agencies is a complex one, especially since the activities of law-enforcement agencies can both protect human rights (such as by clamping down on human trafficking) or violate them (such as by using personal data to suppress political speech).

It can be tricky for business to navigate this relationship, so I warmly welcome Microsoft’s transparency as a powerful tool in helping society better understand how the company makes decisions about when to reveal information and which information to share.

The Microsoft report follows similar previous reports from Google and Twitter, and it adds a new layer of detail: By distinguishing between requests for “content data” (such as the body of an email) and “non-content data” (such as an email or billing address), the report sheds even more light on what law-enforcement agencies actually do and do not gain access to.

Now that this level of transparency around law-enforcement requests is more commonplace, this begs the question, what will happen next?

I would like to see four things:

  1. We should create common reporting protocols for how to collect, record, and disclose this data. This would allow readers to compare reports published by different companies and covering different countries.
  2. Other companies in the internet industry should take the opportunity to increase their transparency on this subject, to establish transparency as the industry norm.
  3. Companies in other industries—such as telecommunications, financial services, retail, and health care—should experiment with similar reports. Many companies outside the internet business hold our personal information and are subject to requests from law-enforcement agencies.
  4. The Global Reporting Initiative should use the lessons learned from this increased reporting and transparency to incorporate law-enforcement relationship data into its sustainability reporting guidelines. It is quite extraordinary how little coverage privacy issues receive in the guidelines, given that we live in the digital age.

Most importantly (and this will be easier now that more companies are revealing this data), we as a society should engage in an informed debate about the proper relationship between law enforcement, private companies, and privacy.

I’m a huge supporter of strong personal privacy protections, but it concerns me when these discussions start with the implicit idea that all law-enforcement activities and requests for personal data are bad. Law enforcement should be there to protect us all, and Microsoft’s report illuminates some of the contexts when it makes sense for the company to reveal information—there are all sorts of crimes (think drug crime, human trafficking, racial hatred) for which I, for one, am glad companies collaborate with law enforcement. It’s time we discussed how companies can assist law enforcement responsibly, and how law-enforcement agencies can earn our trust that personal data won’t be misused.