Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Julie Brill, as Microsoft Corp.‘s outgoing chief privacy officer and a longtime federal regulator, has seen privacy compliance from the perspective of both regulator and regulated.

Chief privacy officers, she says, are needed more than ever to educate those on both sides in a climate of regulatory uncertainty and fast-evolving technology.

“Recognize that you’re in an organization that is dealing with a lot of complexity right now and a lot of issues,” Brill, who is retiring from Microsoft’s C-suite next month, said in interview with Bloomberg Law. CPOs want to work with the rest of the executive team “to help them understand how data governance will enable them to do the things they want to do to build out their business and have a more trusted business.”

Part of that is liaising with regulators to help them understand the business.

Brill would know. She served six years on the Federal Trade Commission, where she worked on a range of privacy-related challenges, calling on accountability from data brokers, and forging new partnerships with international data regulators. Before joining the FTC as a commissioner in 2010, Brill was an assistant attorney general in the office of Vermont attorney general.

Engaging with regulators is “one of the most important things” that CPOs can do, Brill said, “because it’s very hard to make rules or write guidance or investigate cases if you don’t really understand the technology.”

Ian Barlow, a lawyer at Wiley Rein and former deputy director of the FTC Office of Policy Planning, said engaging with regulators can help companies, but “to be most effective they must engage with transparency and details.”

“If they want to help ensure the FTC’s agenda is informed by industry perspective, it’s critical for companies to explain how technology is being developed and deployed at the outset, before FTC decision makers have determined a course of action,” he said.

Brill, who was at the FTC when it hired its first chief technology officer, said that while in-house technology helps narrow the gap between regulator understanding and companies, companies are always going to know their product best.

“When I was at the FTC, I felt like we were a year or two behind where companies were in terms of their technological developments, what they were working on, what they were thinking about at that time,” said Brill. “Now I think the FTC and the other agencies around the world have probably narrowed that gap to a year, six months. But what’s happening in that year, in six months, is moving quickly.”

Ashkan Soltani, former chief technologist at the Federal Trade Commission and former executive director of the California Privacy Protection Agency, agreed that regulators need to understand technology, but argued that in-house technologists have the necessary insights to “go beyond the narrow lens of a few powerful firms with the means to lobby.”

Relying on industry for this information “risks skewing our understanding and reinforcing a dangerous cycle of technological determinism,” he wrote.

“Thankfully, the landscape has evolved since Julie and I were at the FTC,” he wrote in a message. “Today, many regulators have technical experts on staff—people with backgrounds in academia or industry—who bring a broader, more independent understanding of technological developments.”

Privacy Shift to Safety

In her more than 30 years in the field, Brill has seen a shift from privacy being about consumers retreating from public view to being able to engage publicly in a trusted way.

Consumers “want to work with entities they feel confident are using their data in responsible ways and not irresponsible ways,” she said.

Those changes towards privacy manifested in three major ways during Brill’s time at Microsoft: the implementation of the European Union’s General Data Protection Regulation in 2018, and a patchwork of US state privacy laws, as well as the proliferation of commercial AI.

Microsoft has been proactively working with regulators on both fronts, Brill said. She pointed to conversations with global regulators, including those in the EU, about complying with the EU AI Act. She also pointed to Microsoft’s recently completed EU Data Boundary, an initiative to improve management and storage of customer data in Europe in compliance with EU laws.

Brill said that current efforts to regulate AI in the United States echo previous data privacy battles, with states taking the lead.

“It’ll be interesting to see what does happen on some of these preemption discussions now at the federal level, but in the meantime, we will see the states move forward, just as they have done with data breach notification and just as they did with comprehensive privacy law,” she said.

At Microsoft, that meant working alongside the company’s first Chief Responsible AI officer as well as leaders in engineering and other departments.

“There will be a partnership, a group within companies, that will work on this,” she said. CPOs will either lead AI efforts or “have a key role because of the data governance that’s required.”

Brill said she looks forward to spending more time with her family and on passions including hiking. She is launching her own consultancy in September with Microsoft as her first client. Microsoft tapped Cari Benn a former general counsel with the tech giant, as Brill’s successor.