[BreachExchange] How should governments and companies think about data protection?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 28 15:46:49 EDT 2018


https://techwireasia.com/2018/09/how-should-governments-and-companies-think-about-data-protection/

Earlier this year, the most challenging data protection and privacy
regulation, the European Union’s General Data Protection Regulation (GDPR),
came into effect.

However, it led several other governments in this part of the world to
re-think their data policies and practices. They now want to make sure that
all companies — be it big tech giants such as Facebook and Google or
smaller businesses and entities — are taking adequate precautions to
protect citizens’ data.

Singapore, India, Malaysia, and Vietnam, among others, have revisited their
data protection laws and are in the process of making changes.

However, there’s an argument against going too hard on data protection and
privacy. Many experts believe that it’s going to hinder the development and
maturity of new technologies such as big data, analytics, and artificial
intelligence (AI), all of which feed on data.

To help governments better understand the data landscape, Google has come
up with a new framework, announced by its Chief Privacy Officer Keith
Enright.

The company hopes it’ll offer clarity to regulators and also serve as a
benchmark for companies looking for a baseline or best practices when it
comes to data privacy.

“This framework is based on established privacy frameworks, as well as our
experience providing services that rely on personal data and our work to
comply with evolving data protection laws around the world. These
principles help us evaluate new legislative proposals and advocate for
responsible, interoperable and adaptable data protection regulations,” said
Enright.

Called the Framework for Responsible Data Protection Regulation, the crisp,
three-page document comprises a short introduction and two sections –
‘requirements’ and ‘scope and accountability’. Here is a short summary of
the pointers involved:

Requirements of the framework

Google recommends that companies endeavor to collect and use personal
information responsibly. It also suggests that governments mandate
transparency and help individuals be informed.

Regulators should encourage organizations to actively inform individuals
about data use in the context of the services themselves, helping to make
the information relevant and actionable for individuals.

The tech giant also feels that it is important to place reasonable
limitations on the manner and means of collecting, using, and disclosing
personal information and that organizations should make reasonable efforts
to keep personal information accurate, complete, and up-to-date to the
extent relevant for the purposes for which it is maintained.

An important commitment that Google suggests is that organizations be
required to provide appropriate mechanisms for individual control,
including the opportunity to object to data processing (where feasible) in
the context of the service.

It also suggests that individuals must have access to personal information
they have provided to an organization, and where practical, have that
information corrected, deleted, and made available for export in a
machine-readable format.

Finally, Google suggests that organizations must implement reasonable
precautions to protect personal information from loss, misuse, unauthorized
access, disclosure, modification, and destruction, and should expeditiously
notify individuals of security breaches that create significant risk of
harm.

Scope and accountability of the framework

The company believes that organizations must be held accountable and that
regulators should encourage the design of products to avoid harm to
individuals and communities.

The proposed framework also emphasizes that there be a strong
differentiation between direct consumer services and enterprise services.

Google believes that the scope of legislation should be broad enough to
cover all information used to identify a specific user or personal device
over time and data connected to those identifiers, while encouraging the
use of less-identifying and less risky data where suitable.

The law should clarify whether and how each provision should apply,
including whether it applies to aggregated information, de-identified
information, pseudonymous information or identified information.

However, the framework believes that the application of the law should also
take into account the resource constraints of different organizations,
encouraging new entrants and diverse and innovative approaches to
compliance.

The tech giant urges regulators to design laws that improve the ecosystem
and accommodate changes in technology and norms. Its framework suggests
that rewarding research, best practices, and open-source frameworks, and
creating incentives for organizations to advance the state of the art in
privacy protection, promotes responsible data collection and use.

Finally, the framework believes that data protection law should hew to
established principles of territoriality, regulating businesses to the
extent they are actively doing business within the jurisdiction, as
extra-territorial application unnecessarily hampers the growth of new
businesses and creates conflicts of law between jurisdictions.

From experience, Google proposes that privacy regulation support
cross-border data transfer mechanisms, industry standards, and other
cross-organization cooperation mechanisms that ensure protections follow
the data, not national boundaries.