Statement by Peter Cullen on the Spanish Data Protection International Standards Proposal

In the first week of November, hundreds of representatives from government, industry and civil society will be descending upon Madrid for the 31^st International Conference of Data Protection and Privacy Commissioners to discuss a range of issues related to privacy, security, emerging technologies and the changing nature of global data flows. Microsoft looks forward to engaging in this multi-stakeholder dialogue and will directly be involved in discussions around children’s privacy as well as safeguarding privacy in the cloud computing era.

Another important dialogue will ensue around the “Joint Proposal for a Draft International Standard on the Protection of Privacy with Regard to the Processing of Personal Data,” a laudable effort which has been spearheaded by the conference’s host, Mr. Artemi Rallo Lombarte, Director of the Spanish Data Protection Agency (AEPD) based on a resolution  adopted at the 30^th International Conference of Data Protection and Privacy Commissioners The proposal was developed in consultation with other data protection authorities, leaders of business and members of civil society. It seeks to encourage the development of a universal and binding legal instrument for the guarantee of privacy, or a “global privacy standard.”

As the patchwork of worldwide laws has become increasingly difficult to navigate, Microsoft has repeatedly called for a comprehensive, workable global privacy framework that is consistent, flexible, transparent and principles-based. Doing so will not be an easy task; some of the regulatory models in place today are outdated, while others take a piecemeal approach, with still new privacy models emerging in the developing world. That said, there are certainly common, over-lapping principles in all of these approaches can help inform a comprehensive approach that can provide greater legal certainty to information providers while enhancing protections for the rights of individuals and their data. However, a global framework or consistent, principles are just part of the puzzle. Any principles or standards will need to be implemented in a consistent way to avoid creating further regulatory differences.

With the evolution of cloud computing, in particular, global data flows have changed to become continuous and multi-point rather than linear and point-to-point. Chances are that data will flow differently in ten years than it does today, and privacy rules will need to anticipate these inevitable changes. At the same time, privacy laws, by their very nature, are local. This dynamic creates inherent tension. As such, new privacy paradigms and governance models, such as one governed by accountability need to be considered in the context of global such frameworks.

We thank the Spanish Authority for its vision and leadership around this important debate and look forward to continued collaboration in promoting consistent global data privacy structures. The theme of this year’s conference is “Privacy: Today is Tomorrow,” which is apt given the imperative for all of us to address the data protection needs of the future, while helping to facilitate the rich benefits of our information age.

Peter Cullen, Microsoft Chief Privacy Strategist