The Internet has transformed the way we think about innovation and how we achieve economic growth. There are close to three billion users connected to the Internet and that number will continue to grow. Virtual computing, and now cloud computing, has expanded the potential of the Internet by offering greater options and improved services—from e-mail to social networking to consumers, and online shared services for business that reduce costs, improve efficiencies, and expand reach. But with this new form of IT comes new risks that must be addressed.

Regulators worldwide have growing concerns about upholding the right to privacy in the cloud. The amount of data in play, how it may be collected, who can access it and how it may be used have fundamentally changed.

The majority of our privacy and data protection laws were created before widespread use of the Internet, let alone the cloud. These laws and associated regulations must be modernized to match a global Internet-based economy and data-rich environment. Given the importance of Internet-based services to the economy and consumers, these new frameworks must balance the tension between innovation and legitimate privacy rights. The key is organizational accountability and social responsibility.

Organizations need to become good data stewards and be held accountable for achieving an appropriate level of protection without being hindered in their ability to innovate globally. Unless we evolve our legal frameworks, our current laws will continue to struggle to keep pace with new technologies and business models, and organizations will further lose clarity on how to comply.

A successful approach to modernizing these frameworks should focus on a principles-based approach, keeping the following in mind:

  • Outcomes. Clearly stating what needs to be achieved, not how an organization achieves it.

  • Clarity. The obligation should be clear so organizations know if they are compliant.

  • Implementation. Outcomes need to be practical, both technically and commercially.

  • Technological Neutrality. It must avoid specifying specific solutions in achieving a requirement to ensure flexibility and scalability.

  • Encouragement of Innovation. Respect for privacy should not be mutually exclusive of innovation.

  • Global Interoperablity. New frameworks need to harmonize goals and outcomes and allow data and associated protections to flow freely.

  • Respect for Context. Not all consumers, data, relationships, or social norms are equal. Allow for a range of different situations.

  • Predictable Enforcement. Compliant organizations should have a level of certainty that bad actors will be the subject of meaningful enforcement actions.

In an environment where more and more data is being collected ubiquitously, analytic tools are making it easier to discover and apply insights. The environment is shifting from traditional, single data controllers to distributed controllers and processors. Lawmakers and regulators must evolve to an outcomes-based approach to ensure data protection. Individual participation and autonomy have become less effective in some of these new environments, and we need solutions that respect privacy rights when concepts like consent are not feasible or practical. Collection is an important principle, but harms generally emerge based on how data is used. Shifting the nexus from collection to use may be a solution when consent is impractical.

Moving to this new paradigm is going to require change in the private sector as well. We need to encourage lawmakers to evolve these frameworks, but we also need to demonstrate that we can be trusted, that we have comprehensive programs that allow us to understand the risks we may create, and that we proactively work to mitigate those risks effectively. The only way we’ll achieve the changes that are necessary to ensure privacy protection in the new IT is to work together—lawmakers, regulators, civil society and industry.