How should governments and companies think about data protection?
EARLIER this year, the most challenging data protection and privacy regulation, the European Union’s General Data Protection Regulation (GDPR), came into effect.
It led several other governments in this part of the world to re-think their data policies and practices. They now want to make sure that all companies — be it big tech giants such as Facebook and Google or smaller businesses and entities — are taking adequate precautions to protect citizens’ data.
Singapore, India, Malaysia, and Vietnam among others have revisited their data protection law and are in the process of making changes.
However, there’s an argument against going too hard on data protection and privacy. Many experts believe that it’s going to hinder the development and maturity of new technologies such as big data, analytics, and artificial intelligence (AI), all of which feed on data.
To help governments better understand the data landscape, Google has come up with a new framework, announced by its Chief Privacy Officer Keith Enright.
The company hopes it’ll offer clarity to regulators and also serve as a benchmark for companies looking for a baseline or best practices when it comes to data privacy.
“This framework is based on established privacy frameworks, as well as our experience providing services that rely on personal data and our work to comply with evolving data protection laws around the world. These principles help us evaluate new legislative proposals and advocate for responsible, interoperable and adaptable data protection regulations,” said Enright.
Called the Framework for Responsible Data Protection Regulation, the crisp, three-page document comprises a short introduction and two sections – ‘requirements’ and ‘scope and accountability’. Here is a short summary of the points involved:
Requirements of the framework
Google recommends that companies endeavor to collect and use personal information responsibly. It also suggests that governments mandate transparency and help individuals be informed.
Regulators should encourage organizations to actively inform individuals about data use in the context of the services themselves, helping to make the information relevant and actionable for individuals.
The tech giant also feels that it is important to place reasonable limitations on the manner and means of collecting, using, and disclosing personal information and that organizations should make reasonable efforts to keep personal information accurate, complete, and up-to-date to the extent relevant for the purposes for which it is maintained.
An important commitment that Google suggests is that organizations be required to provide appropriate mechanisms for individual control, including the opportunity to object to data processing (where feasible) in the context of the service.
It also suggests that individuals must have access to personal information they have provided to an organization, and where practical, have that information corrected, deleted, and made available for export in a machine-readable format.
Finally, Google suggests that organizations must implement reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, modification, and destruction, and should expeditiously notify individuals of security breaches that create significant risk of harm.
Scope and accountability of the framework
The company believes that organizations must be held accountable and that regulators should encourage the design of products to avoid harm to individuals and communities.
The proposed framework also emphasizes that there be a strong differentiation between direct consumer services and enterprise services.
Google believes that the scope of legislation should be broad enough to cover all information used to identify a specific user or personal device over time and data connected to those identifiers, while encouraging the use of less-identifying and less risky data where suitable.
The law should clarify whether and how each provision should apply, including whether it applies to aggregated information, de-identified information, pseudonymous information or identified information.
However, the framework holds that the application of the law should also take into account the resource constraints of different organizations, encouraging new entrants and diverse and innovative approaches to compliance.
The tech giant urges regulators to design laws that improve the ecosystem and accommodate changes in technology and norms. Its framework suggests that rewarding research, best practices, and open-source frameworks, and creating incentives for organizations to advance the state of the art in privacy protection, promotes responsible data collection and use.
Finally, the framework holds that data protection law should hew to established principles of territoriality, regulating businesses to the extent they are actively doing business within the jurisdiction, as extra-territorial application unnecessarily hampers the growth of new businesses and creates conflicts of law between jurisdictions.
From experience, Google proposes that privacy regulation support cross-border data transfer mechanisms, industry standards, and other cross-organization cooperation mechanisms that ensure protections follow the data, not national boundaries.