Posted by Peter Cullen
Chief Privacy Strategist
This week, more than 400 policymakers, privacy advocates and industry representatives will be converging in Israel for the 32nd International Conference of Data Protection and Privacy Commissioners.
The conference has commenced this morning in Jerusalem, a city of both ancient traditions and thoroughly modern influences, and I was reminded of how that same dynamic is true of privacy in the Internet age. Yesterday marked the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These privacy guidelines have served as the basis for numerous privacy laws in place across the globe. Yet, even these privacy principles need to keep pace with the changing information environment. In my remarks today at a panel discussion titled “Notice and Consent: Illusion or Reality?”, I suggested that individual participation through mediums such as notice and consent remains important to safeguarding users’ privacy, but by itself does not afford enough protection. This is particularly true given the explosion of information collection and use that is the fuel of today’s Internet economy. The same is true of the various legal frameworks that govern data collection, usage, and sharing. Both are important, but neither is sufficient on its own.
Alongside individual participation and regulatory oversight, another vital aspect of privacy protection is often overlooked: the role and responsibility of the organization in maintaining and protecting personal data.
Microsoft’s view, as outlined in a new white paper released today at the conference, is that organizations’ privacy policies and data management practices most directly influence whether users’ personal information is kept safe or exposed to risk. Therefore, we believe that organizations—including Microsoft—must hold themselves accountable for acting to protect users’ interests and taking appropriate measures to safeguard privacy and personal data, even in the absence of specific regulatory mandates.
This includes adhering to the essential elements of an accountability-based data governance approach identified by the Centre for Information Policy Leadership (CIPL) and other participants in the 2009 Galway Project. CIPL today is releasing its paper on Demonstrating and Measuring Accountability, an outcome of the 2010 Paris Project. Accountability is also central to the use-and-obligations model of data privacy management, in which each organization that receives access to individuals’ personal information is directly responsible for protecting data however it gets used or shared.
Another key dimension of accountability for organizations is establishing a privacy governance framework that encompasses strong data management policies, standards, and procedures along with privacy-enhancing protections that are integrated into the organization’s technology systems and its online services for customers. Microsoft strives to achieve this through our corporate Privacy Principles and Online Privacy Statement, which define specific obligations for data use and protection in terms that customers can readily understand. Also, the company’s Security Development Lifecycle (SDL) process requires our developers to analyze and address potential privacy threats.
In meeting with others who believe in the importance of privacy at this week’s conference, I am encouraged to hear so many new ideas about how our industry can better protect personal information. I believe that shining the spotlight on organizational accountability is crucial for strengthening public confidence in online privacy and fostering continued growth in the computing ecosystem.