Policy recommendation: Trusted cloud
Protecting personal privacy
If the cloud is the technology that will underpin the Fourth Industrial Revolution, the fuel that will power it is data. From AI and machine learning to data analytics, the tools that will generate the insights on which we can build healthier, cleaner, more prosperous societies are not just data-driven but data-hungry. The more data these systems can process, the more valuable their outputs, allowing businesses to save costs and build better products and services, and allowing researchers to gain better insights into difficult problems.
When businesses and governments hold data that people generate in the ordinary course of daily life using mobile phones, smartphones and other devices, it understandably creates concerns about the loss of personal privacy, raises fears about the loss of control over decisions made by algorithms, and increases the risk that observations and predictions based on data analytics will produce negative outcomes for individuals. People will be reluctant to adopt cloud services if they do not have confidence that their data will be private and secure.
Governments can establish broadly applicable binding legal norms to provide people with legal assurances, giving them confidence that their data is safe in the cloud and that businesses and governments are accountable for the fair use of advanced analytics and algorithmic decision-making.
Governments should establish clear, enforceable privacy frameworks that include strong privacy protections while enabling citizens to take advantage of the benefits of cloud computing that are dependent upon data. Privacy frameworks should provide meaningful autonomy for individuals and require organizational accountability for strong privacy protections and fair data use.
Privacy frameworks for the cloud should build on longstanding privacy principles. Chief among these is that people should have reasonable choice over whether personal data is collected and how it is used.
To enable informed decision-making, organizations must provide clear explanations about how they collect, store, use and share personal data.
These and other key principles should be reflected in laws so it is clear to technology companies how they can achieve compliance, but without government mandates for the approaches that companies should take to achieve compliance, as these may become outdated, inhibit innovation or be counterproductive.
Governments may want to consider the following goals in crafting privacy frameworks for the cloud era:
Promote transparency and control. People should have meaningful control over the use and disclosure of their personal data. To achieve this, privacy information should be provided at key points in the user experience, and people should have access to tools that make it easy to control how their data is collected and used. Where complex data analytics make simple transparency and granular user control impossible, consumers should expect higher levels of accountability from industry to help ensure the fair use of data, including plain language explanations of analytic processes and steps for remediation of unfair outcomes.
Maintain strong requirements for consent. Consent is an important legal ground for processing data, and the requirements for obtaining consent should be strong. For instance, affirmative consent should be required in circumstances where people may not reasonably expect that data is being collected or when the data being collected is sensitive and presents risks of significant privacy harms.
Permit data processing on grounds other than consent. Providing notice and obtaining affirmative consent is at times either impractical or unnecessary. Governments should consider data processing to be legitimate even in the absence of consent when processing is reasonably expected by an individual, there is minimal impact on an individual’s interests and rights, or any impact on an individual’s rights has been sufficiently mitigated through safeguards. Allowing for processing on such grounds is vital for enabling companies to collect data that is necessary to support, deliver and improve a variety of services for the benefit of organizations, individuals and society.
Require organizations to establish sound privacy practices. Privacy laws should require organizations to demonstrate that they have established sound privacy policies that, at a minimum, ensure compliance with legal requirements. This principle should apply to organizations that determine the purposes and means of processing data and those that process data only on behalf of other organizations. It should also apply regardless of where an organization transfers data or whether it engages other organizations to process the data.
Enable data analytics. Privacy frameworks should not be so restrictive that they prevent governments, businesses and other organizations from using data analytics to draw insights in an ethical manner. Privacy frameworks can achieve this balance by encouraging the deidentification of data sets, allowing researchers to continue to innovate but not at the expense of the personal data of specific individuals. To maximize privacy protection, governments should encourage the use of deidentification techniques that reduce aggregate privacy risk for individuals, even where those techniques cannot guarantee full, permanently irreversible deidentification of every individual.
Facilitate cross-border data flows that are protected through appropriate safeguards. As well-intentioned as laws restricting the cross-border transfer of data or imposing data residency requirements might be, they can be difficult to implement, have chilling effects on the economy, and fail to address the primary privacy concerns associated with data processing. A more effective approach is to adopt regulation aligned with global standards, or contracts, that protect personal data regardless of its location. Such an approach can also help to improve resiliency and security, and make data processing services more efficient by reducing latency. Furthermore, it should be incumbent on data processing companies to understand the laws in each country of origin and make sure that data is managed accordingly.
Evidence and further reading
Microsoft EU Policy blog: EU-U.S. Privacy Shield: Progress for privacy rights
World Economic Forum report: Rethinking Personal Data: Trust and Context in User-Centered Data Ecosystems
IAPP blog: Ten Steps to a Quality Privacy Program, Part Three: Privacy By Design Tools
Microsoft On the Issues: For everyone to benefit from technology, we need to ensure the free flow of information