With the EU’s General Data Protection Regulation (GDPR) having just come into force and discussions on the use of personal data increasing in frequency and intensity, privacy is taking center stage in the U.S. At Workday, we believe privacy is of such vital importance—particularly in an era of rapid technological innovation—that government and industry together need to honor it, including by protecting individuals’ privacy proactively through a legal framework.
At Workday, privacy protections have been a fundamental component of our services from the very beginning. Our third-party audit reports and standards certifications provide tangible evidence of how we protect our customers’ data. When we develop new offerings we implement privacy by design from the very beginning. We have received approval from EU privacy regulators for our Binding Corporate Rules and were among the first companies to certify to the EU-U.S. Privacy Shield protecting personal data transferred from the EU. And we’ve built features that enable our customers to comply with GDPR.
Our efforts are complemented by legal frameworks in the U.S., EU, and elsewhere. As my colleague Jason Albert has explained, the U.S. has a long tradition of privacy law, stretching back to the 19th century and providing the doctrinal foundation for the Organization for Economic Cooperation and Development Fair Information Principles. In addition to this heritage, the U.S. currently has a number of strong sector-specific privacy laws governing financial institutions, health providers, educational institutions, and children, in addition to all 50 states’ data breach notification laws. Overlaying all of these, the Federal Trade Commission enforces prohibitions on unfair and deceptive trade practices.
Together these provisions create a U.S. privacy framework that is stronger than it is often given credit for. However, from the outside, the disparate structure of U.S. privacy law makes it difficult for other countries to determine whether gaps exist in protection. As a result, the EU requires U.S. companies to certify to the Privacy Shield or enter into other arrangements to ensure data transferred to the U.S. benefits from substantially similar protections as under European privacy law.
In our view, now is the time for a different—more comprehensive—approach that will benefit customers by creating more clarity for the global community. The U.S. and other countries around the world should adopt privacy laws based on the OECD Fair Information Principles. As privacy is a fundamental value around the globe as well as in the U.S., it is incumbent on the U.S. to lead by having a modern legal framework protecting the privacy of its citizens. While U.S. privacy law must reflect our legal and political traditions, the OECD principles are sufficiently flexible to support country-to-country variation and sufficiently strong to provide international harmonization to ensure that personal data can flow freely across borders in a cloud-enabled world.