Peter Cullen here.
The concept of “accountability” has certainly become a recent catch-cry in the wake of the global economic crisis but it has long been an established principle of privacy and data protection. In fact, the concept was first established in data protection by the Organisation for Economic Co-operation and Development (OECD) back in the early 1980s and the principle of accountability is a core principle of the Canadian Data Protection Act (PIPEDA), the APEC Privacy Framework and is a key guiding tenet of the US Safeguards Rule. So too, the accountability principle is inferred in the privacy laws of the European Union and its member states.
Last week, a significant policy paper was publicly released by the Centre for Information Policy Leadership (CIPL) entitled, “Data Protection Accountability: The Essential Elements,” which seeks to reinvigorate the discussion around accountability and data privacy and represents the collective thinking of more than 40 privacy experts from around the world representing industry, government, academia and civil society. The paper, which Microsoft contributed to, not only helps further crystallize the key elements of accountability as a mechanism for global governance of data but also frames the discussion around how an accountability-based system might be designed. Under such a governance model, the Company is responsible for understanding the risks to individuals that comes with the processing of that individual’s data and is also responsible for mitigating those risks. Furthermore, as proposed in this paper, the company is responsible for ensuring that those processes do indeed safeguard their customer’s data. So, in many ways, accountability requires more diligence and vigilance from an organization than basic compliance with the law.
While the concept of accountability for data protection and privacy may not be new, what has changed dramatically over the past few decades is the technology-enabled use and transfer of information since modern-day concepts of privacy or data protection were first advanced. Privacy remains personal and local yet is challenged with today’s collection and global flow of information. Today, the Fair Information Principles, or “FIPs” tend to prioritize the lens for the consumer around individual control and “notice and choice” – a prioritization which is becoming increasingly challenging in the current information environment.
Currently, the “management” of global data flows are governed by law and guidance, which are enacted and enforced by individual governments, through regional or self-regulatory frameworks or by through commonly accepted principles. Yet, under the present scheme, the burden is currently on the consumer who is expected to carry much of the responsibility for policing the appropriate use of their data. Regulators, where data protection laws exist, are charged with ensuring that companies implement the principles of fair information practices that form the basis of law and guidance.
However, this approach is neither well-suited nor sufficient to serve the new information economy. Collection of information from or about individuals has become more ubiquitous and perhaps less transparent, and information about them may be obtained from sources other than the individual. The concept of “primary and secondary use” that underpins traditional privacy governance quickly breaks down when information is used for dozens of purposes across many organizations. New technologies and business models that offer benefits to individuals rely on the use of information in ways that may not always be anticipated at the time the information is collected. Thus, in addition, the complexity of information collection is difficult to explain to even the most well-informed consumer.
Neither companies nor their customers are well-served by the proliferation of complex and potentially conflicting laws that attempt to protect individuals from the misuse of their information. In the end, current governance models do not necessarily afford individuals the protections that they deserve and that would foster increased trust in the marketplace. Yet, the consumer is due fair processing and accountable use of information no matter where it is obtained and whether or not he or she is in a position to control its use.
This is why Microsoft believes that policymakers and other relevant stakeholders need to take a closer look at how accountability might work within existing legal regimes, how organizations can do more to advance accountability and what role third party accountability agents and programs might play in this evolving paradigm. So too, much consideration must be given to how accountability is measured and ultimately enforced. We believe that this paper, which represents some of the collective thinking of some of the most prolific privacy thinkers around the globe, puts an important stake in the ground to ignite further discussion around the role of accountability in privacy and data protection schemes going forward.