Protecting our data infrastructure through some new approaches to privacy

In 1824, the Avenue des Champs-Élysées in Paris, France, became the first asphalt roadway. The Champs-Élysées literally paved the way for the city’s future and ushered in new physical infrastructure that changed how contemporary society moved, worked, lived and organized itself.

Governments, civil society and industry are beginning to understand the value of data to society in much the same way they considered the importance of thoroughfares 200 years ago. Just as these roads ushered in a new era of physical infrastructure that helped society thrive then, today we are beginning to understand the need to invest in modern approaches to our data infrastructure that will enhance economic growth and innovation, support individual empowerment and protect us from harm.

During the pandemic we saw many vivid examples of the value of our data infrastructure and its extraordinary potential to help humanity through necessary advances in health care and research.

The Covid-19 crisis became the mother of invention that incentivized organizations around the world to shift their approach to enable more immersive sharing of data while building trustworthy frameworks that enhanced privacy. We have also seen that the lack of clarity around regulatory requirements for health data inhibited responsible sharing and, in some parts of the globe, important research has been suspended or is at risk.

Privacy regulation: critical support for our data infrastructure

One of the lessons we should take away from the pandemic is that we need to reframe how we talk about data and regulation. The question civil society, business, academics and governments should be asking is not if we can use data but rather how we can enable responsible data use to create a better world and protect fundamental human rights.

Accompanying this new framing, we need new metaphors to describe how data is a critical building block for our economies going forward. Rather than talking about data as “the new oil,” as academics, politicians and industry leaders have been claiming for years, let’s start to think about data as “infrastructure” that will be the foundation for helping us construct a resilient and responsible global society.

Just as our physical infrastructure of roads and highways needs to be used appropriately, maintained and protected, so does our data infrastructure. To maximize the benefits and minimize the harms of our data use, we need privacy regulations to serve as our global rules of the road that preserve our ability to use and data across borders, supported by innovative tools and solutions that protect privacy and empower individuals.

A strong regulatory foundation with clear guardrails will allow our data infrastructure to thrive.

New approaches to regulation to support our data infrastructure

As we reframe our focus to support data use, let’s examine the regulatory approaches that have been working, and develop new approaches where needed to enable the responsible use and sharing of data.

Among the approaches we should consider:

• Incentivize the use of privacy enhancing technology and operational controls. In many circumstances, the most impactful data will be personal data. Modern regulatory infrastructure needs to encourage protections for the responsible use of this data through new technical and operational solutions. New technologies such as differential privacy and privacy protective advertising solutions like PARAKEET can allow data sharing while, at the same time, honoring privacy. Privacy-enhancing technologies should be encouraged and even required in appropriate circumstances, along with strong governance structures that include technical access controls, purpose and use limitations, and operational standards that drive accountability and facilitate outside review. Our regulatory frameworks should support more immersive data use where technical and operational controls are in place. Anonymization will never be perfect, and we shouldn’t require perfection to enable responsible data use.

• Build consumer controls that truly empower individuals. Many privacy laws around the globe provide consumers with the power to access, correct and delete their own information. We need to question choice mechanisms that are unclear and burdensome for consumers and instead provide them with meaningful choice and control universally. Microsoft was the first to extend the control rights to consumers offered in the EU’s General Data Protection Regulation (GDPR) worldwide and the first to extend the California Consumer Privacy Act rights to consumers throughout the U.S. Providing individuals with seamless access to their data can help them more easily move to services that provide the level of protection and safety they desire and encourage healthy competition in the industry. Yet, as a society, we have only scratched the surface of what is possible. We should develop regulatory frameworks that don’t just require organizations to provide people with the tools to control their data, but also require organizations to provide people with the means to control their digital identities so they can seamlessly move to services most respectful of their privacy.

• Address both traditional and new business models. One of the greatest shortcomings of the U.S. regulatory infrastructure is that there is no comprehensive law governing the use of data. A mix of U.S. laws protects health and financial data, but those laws are decades old and don’t account for the myriad of entities that now hold very sensitive data beyond hospitals, banks and other traditional health care and financial services bodies. People use apps to make payments, buy and sell securities and cryptocurrencies, and monitor their diet and health. Privacy laws should recognize that sensitive data can be held by traditional and nontraditional players, should treat all these organizations equally, and should ensure that they collect, use, store and sensitive data responsibly and with appropriate controls.
• Provide appropriate redress to people harmed by data abuse. Society benefits from data use in countless ways. Yet not all uses of data are good. Consumers can be harmed by data abuse by unfair, biased and deceptive data practices in the marketplace. Our regulatory frameworks must provide appropriate redress to harmed individuals. These redress rights must include independent oversight and ensure that inappropriate practices are rectified. Microsoft has been an advocate for individual redress in privacy laws and we equally support individual redress in international frameworks. 

• Develop innovative legal approaches that respect national sovereignty. The rise of the data economy does not mean national borders and sovereignty are outdated concepts. It is crucial that a global legal infrastructure respects national rights, including the use of personal data and how that data flows across borders. If coupled with innovative ideas about how to access data without requiring that the data physically leave the jurisdiction and other technical advances, we help maintain the global promise of the public internet while respecting the national rules that apply to data.
• Embrace regulatory iteration to move progress forward. Policymakers, industry and civil society need to embrace progress and move forward with meaningful privacy legislation where it is now missed or outdated. Early approaches should be improved over time through iterations based on several inputs. First, policymakers should review the effectiveness of regulations in the context of ever-evolving technologies and business models. Second, we should expect courts to have additional input through challenges that provide opportunities for principles-based guidance on how to interpret and improve legislation. And, third, industries and organizations will gain important insights as they test drive the regulatory frameworks. Regulatory infrastructure should not be viewed as a “one-and-done” project.

Addressing an urgent challenge

Our challenge of enabling the responsible use of our data infrastructure through a robust global regulatory framework has never been more urgent. We need to modernize our approach, innovate and leverage technological advancements that protect privacy and ensure data use for society’s benefit.

Above all, we should embrace an appreciation for data as a strategic part of our infrastructure that needs to be used, maintained and protected, and create regulatory support that will unlock insights to help us build a healthier and safer planet.

Tags: data privacy, Data Protection, differential privacy, Privacy