Embracing technology changes and futureproofing the new Regulation

Microsoft believes that each provision of any proposed legislation should be tested against certain fundamental criteria: certainty; flexibility, focusing on accountability and desired outcomes (for example, on consent); consistency; and technology neutrality, avoiding preferences for particular technological solutions.

Any reform needs to strike this balance: requiring organisations to commit to strong protections and to be transparent and accountable, while preserving the many benefits that today’s technology can provide. Specifically, we propose further clarity over rules that promote secure data transfers in the cloud, a notion of consent based on a context-based approach, and meaningful but proportionate penalties.

It is essential in a cloud computing and Big Data era to define clearly the roles of controllers and processors, so as to make companies’ obligations in relation to their different processing activities workable. It is key that organisations understand when they are operating as controllers and when they are processors. The line between the two should be made clear: when an organisation determines why data is processed (i.e. for what purposes), it is a controller. When an organisation only determines how data is processed (i.e. the means and conditions of the processing), it is a processor. This approach is consistent with a recommendation made in the Parliament Policy Department study prepared for the Internal Market and Consumer Protection (IMCO) Committee, ‘Reforming the Data Protection Package’ (‘the Parliament Study’). Similarly, it is crucial to have the same test for organisations that are both controllers and processors; this will pinpoint which supervisory authority has jurisdiction.

In the cloud environment, Microsoft also finds it important to extend standard contractual clauses to sub-processors, as recommended by the Parliament Study [1]. Today, cloud providers often rely on sub-processors. This approach is also consistent with the Article 29 Working Party’s Opinion 05/2012 on Cloud Computing, which suggested that ‘a written agreement which imposes the same obligations on the sub-processor as are imposed on the processor in the [EU Standard Contractual Clauses] should be put in place’.

In the EU, notice-and-consent remains the approach in online privacy policies and is enshrined as a Fundamental Right [2]. In today’s data-centric world, we need to rethink the options that accomplish the same essential informational goals without relying so heavily on consumers to fend for themselves by reading notices. The true value of data may not be understood at the time of collection, and some uses may be unforeseen at that time. In relying on the traditional notice-and-consent model, future uses not enumerated at the time of collection that may have significant individual and societal benefit may be lost. The use of data, rather than its collection, may serve as a better focal point for defining the obligations related to data.

In doing so, we shift the burden of managing risks to organisations, which should be more accountable for managing more of those risks. This approach has been taken up in the updated OECD Privacy Framework 2013 [3], which strengthens the accountability principle and focuses on a risk-based approach.

This OECD Framework is an interesting step at the international level to reflect changes in data usage as well as new approaches to privacy protection. The current draft Regulation already takes inspiration from the international concept of accountability in requiring controllers and processors to be ‘responsible’ for how they handle data, though this is not enough, and we believe that accountability and risk-based approaches should be encouraged further. Well defined and adapted to an EU context, these key notions should be enshrined in the new regime to make it future proof.

This article was originally published on Data Guidance.

Footnotes
1. Reforming the Data Protection package
2. Charter of the Fundamental Rights of the European Union, Article 8 § 2
3. Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data