Google creates new framework for data protection

How does the US tech giant think about data privacy? Their new framework reveals their thoughts and offers a benchmark for regulators and businesses
26 September 2018 | 18 Shares

Google CEO Sundar Pichai is woking hard to navigate the world of data privacy and protection. Source: Justin Sullivan/Getty Images/AFP

Data is the lifeblood of today’s world of business. It helps companies customize their products and services, optimize their processes, and transform their operations.

However, customers are concerned about their data. In many cases, they don’t know it’s being captured, they’re not providing it willingly, don’t know how it’ll be used, and have no say over who stores it and for how long.

New regulations such as the EU’s General Data Protection Regulation (GDPR) and AB 375, better known as the California Consumer Privacy Act of 2018 offer several protections to customers and gives them more control over their data — but it is only applicable to consumers in certain parts of the world.

To help governments in other countries (and states in the US) still deliberating over data privacy and security, Google has just come up with a new framework, announced by its Chief Privacy Office Keith Enright.

The company hopes it’ll offer clarity to regulators and also serve as a benchmark for companies looking for a baseline or best practices when it comes to data privacy.

“This framework is based on established privacy frameworks, as well as our experience providing services that rely on personal data and our work to comply with evolving data protection laws around the world. These principles help us evaluate new legislative proposals and advocate for responsible, interoperable and adaptable data protection regulations,” said Enright.

Called framework for responsible data protection regulation, the crisp, three-page document comprises of a short introduction and two sections – ‘requirements’ and ‘scope and accountability’. Here is a short summary of the pointers involved:

Requirements of the framework

Google recommends that companies endeavor to collect and use personal information responsibly. It also suggests that governments mandate transparency and help individuals be informed.

Regulators should encourage organizations to actively inform individuals about data use in the context of the services themselves, helping to make the information relevant and actionable for individuals.

The tech giant also feels that it is important to place reasonable limitations on the manner and means of collecting, using, and disclosing personal information and that organizations should make reasonable efforts to keep personal information accurate, complete, and up-to-date to the extent relevant for the purposes for which it is maintained.

An important commitment that Google suggests is that organizations be required to provide appropriate mechanisms for individual control, including the opportunity to object to data processing (where feasible) in the context of the service.

It also suggests that individuals must have access to personal information they have provided to an organization, and where practical, have that information corrected, deleted, and made available for export in a machine-readable format.

Finally, Google suggests that organizations must implement reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, modification, and destruction, and should expeditiously notify individuals of security breaches that create significant risk of harm.

Scope and accountability of the framework

The company believes that organizations must be held accountable and that regulators should encourage the design of products to avoid harm to individuals and communities.

The proposed framework also emphasizes that there be a strong differentiation between direct consumer services from enterprise services.

Google believes that the scope of legislation should be broad enough to cover all information used to identify a specific user or personal device over time and data connected to those identifiers, while encouraging the use of less-identifying and less risky data where suitable.

The law should clarify whether and how each provision should apply, including whether it applies to aggregated information, de-identified information, pseudonymous information or identified information.

However, the framework believes that the application of the law should also take into account the resource constraints of different organizations, encouraging new entrants and diverse and innovative approaches to compliance.

The tech giant urges regulators to design laws that improve the ecosystem and accommodate changes in technology and norms. Its framework suggests rewarding research, best practices, and open-source frameworks, and creating incentives for organizations to advance the state of the art in privacy protection promotes responsible data collection and use.

Finally, the framework believes that data protection law should hew to established principles of territoriality, regulating businesses to the extent they are actively doing business within the jurisdiction as extra-territorial application unnecessarily hampers the growth of new businesses and creates conflicts of law between jurisdictions.

From experience, Google proposes that privacy regulation support cross-border data transfer mechanisms, industry standards, and other cross-organization cooperation mechanisms that ensure protections follow the data, not national boundaries.