Ask any data protection officer or privacy counsel what tops their list of trepidations and engaging global data services’ vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It need not be this way.
As a starting point, we must acknowledge the reality of today’s data handling ecosystem. Data processors – using European data protection jargon – know a lot more about the data uses going on than the customers themselves. Modern data processors often make key operational decisions about the way in which personal data is handled without any significant input from the controller. In addition, it is normally in the customers’ interest to delegate any decisions concerning the appropriate measures in place to safeguard the data to their suppliers. On top of that, we live in a world where global access to information is a given, so providers of global data services invariably rely on the open nature of the Internet in order to maximise accessibility and cost efficiency.
This challenging situation urgently requires a solution that is aligned with the decisive role that data services’ vendors play in making decisions about the right level of protection of our information and hence our privacy. This solution already exists and it consists of motivating global providers of data processing services to adopt and implement their own set of data protection rules from which their clients will benefit. These rules should be recognised by policy makers and regulators as providing appropriate safeguards that give customers the comfort they need whilst allowing operational flexibility to the provider. The good news is that this concept – popularly known in Europe as Binding Corporate Rules for processors or Binding Safe Processor Rules (BSPR) – has now received the unconditional support of the EU data protection authorities, who are eager to secure full legislative recognition for this model.
However, this is just the beginning. BSPR must evolve and come out of its European shell to become a global model for privacy protection. All responsible processors and leading cloud providers should feel compelled to follow this model, not just because of legal compliance requirements, but because the market will demand it and those who fail to adopt it will be outdone by their competitors. Crucially, as off-putting as following a European-flavoured approach to data protection rules may be for global data service providers, those rules can still be moulded so that they become truly global and more importantly, practically viable.
If that is the case, safe processors will have a very compelling message to give to their customers: please let us process your data and we will guarantee that wherever in the world the processing takes place, irrespective of the technology involved, the data will be protected in accordance with our own universally applied and internationally recognised standards. The real winners will not be the service providers or their customers. All of us – humble data subjects – will benefit from the protection deployed by those who best understand the technology and processes employed. Safe processors have a huge role to play in the quest for technology-savvy privacy protection. Those who take the lead through mechanisms such as BSPR will make a highly commendable contribution towards achieving the goal of protecting our privacy whilst delivering innovation.
This article was first published in Data Protection Law & Policy in August 2014.