The Future of Privacy and Regulation

In his June 24 remarks on the future of privacy and regulation, Microsoft General Counsel Brad Smith described how, by 2020, 50 billion devices will be connected to networks around the world. The exponential growth of data will ensure that privacy “is an issue that will continue to become more important.”

Turning to what this data-driven society means for privacy policy, Smith spoke about “how the two halves of this issue may come together” ― both “the relationship between citizens and between consumers and companies.” He laid out “four questions” ― a set of issues or principles ― that need to be addressed in both sectors to ensure that both governments and technology “continue to serve people.” These are (1) transparency, a right to know what information is collected and how it is used; (2) “appropriate control” over personal information; (3) accountability; and (4) international norms and collaboration.

Privacy in the Public and Private Spheres

Smith spoke about how these principles may operate differently in the public and private sectors.  For example, in the public sector, control belongs to “the public as a whole … through the rule of law” but, in the private sector, control should reside with individual consumers through mechanisms of “notice and consent and management.”  To this end, “companies should be accountable to regulators through regulation.  It needs to be well-designed regulation, it needs to be thoughtful, it needs to be balanced, but we cannot live in the Wild West when talking about information that is this important.”  In conversation, he said that legislation is “long overdue” and “I think and hope the Administration will send something to Congress” building on good information practices and principles in existing legislation.

A Roadmap for Regulation

Transparency, control, and accountability are key elements of the Consumer Privacy Bill of Rights that was the centerpiece of the 2012 White House privacy blueprint; international engagement is another key element of that blueprint.  The Consumer Privacy Bill of Rights was rooted in time-tested Fair Information Practice Principles updated to reflect the world of personal devices, social media, and new and evolving uses of data.  These same principles underlie the protections federal agencies put in place to control their use and management of data.

As the recent reports by the White House Big Data task force and President’s Council of Advisors on Science & Technology (PCAST) found, reliance on notice and consent doesn’t work in a world of sensors and automated collection and places the burden on consumers rather than companies to manage privacy protection. Brad Smith acknowledged this reliance is “under stress” because “everybody is asked so much to click” they simply do so “without reading.” Thus, in a Big Data world, other principles ― use, accountability, access to data that is collected ― take on much greater importance and require companies to be thoughtful stewards of information. Even so, notice and consent have a role to play. “We should not throw that principle overboard,” Smith said, because it is part of a right to control information.