Discussion and debate about international privacy-related standards have been around since the 1940s, when the recognition of privacy as a basic right was ratified by the United Nations (U.N.) Declaration of Human Rights of 1948. Since then, the number of data privacy requirements has grown dramatically, as nations seek to protect the personal information of their citizens without sacrificing their participation in a global economy increasingly built on the back of the Internet.
But with this rapid growth of individual national policies and data security standards comes great complexity. At the macro level, multinational corporations struggle to do business across borders because of confusing governmental regulations or distrust about how their citizens’ personal information will be protected once it passes the “water’s edge.” At the operational level, security and compliance teams want to understand which requirements they must comply with and how best to ensure that compliance, while still keeping the business running efficiently and securely in every corner of the world.
Without a clear directive on the best privacy standards to ensure a secure and efficient digital market, highly regionalized privacy and data security mandates will continue to grow, inequitably, and often in direct conflict with each other. This will only serve to increase the attack surface for cybercriminals, who are experienced at carefully researching IT infrastructures in search of points of vulnerability to exploit. For example, when looking for lucrative assets, it’s always easier for cybercriminals to gain entry through a remote office of a multinational corporation located in a nation that doesn’t enforce industry standards for data protection and privacy.
The solution, of course, is the creation of a single data privacy standard to secure the global digital market and fulfill the moral imperative begun with the Declaration of Human Rights of 1948. In 2016, nations must commit to a common goal of protecting the private information and data of the world’s citizens and then enforce that standard with the rule of law in each nation. By creating an enforceable global standard, rather than bilateral or multilateral agreements based on reciprocity and accountability, nations can overcome the distrust of governmental activities and motives most recently created by Edward Snowden and the National Security Agency (NSA). This will also create a trusted framework that security and compliance teams within multinational corporations can build security programs around, with the assurance that their compliance efforts will be leveraged across industries, markets, and borders.
A universally accepted international privacy standard should comprise the most effective data security and privacy requirements from around the world. For example, in May 2016, the European Commission intends to announce a single standard for online privacy, copyright, and consumer rights in an effort to knit together the region’s fragmented online data-protection systems. Already, the International Organization for Standardization (ISO), which defines itself as a non-governmental organization (NGO), has established a uniform, international approach to protecting privacy for personal data stored in the cloud. It’s known as ISO/IEC 27018, and earlier this year Microsoft became the first major cloud provider to adopt the standard. The standard should also reflect the different data security and privacy considerations faced by the public and private sectors. For example, public sector organizations typically hold a great deal of personal information about individuals—social security numbers, property ownership, addresses, and car registrations. Quite often, one governmental organization will store and have access to everything. This is not the case with private sector companies, which do store sensitive information, such as credit card numbers or e-mail addresses, but where no single organization has access to everything. This creates a very different liability in terms of data protection and privacy. The creation of a single standard by an NGO, with input, review, and approval from data protection authorities across the public and private sectors, is the ideal way to produce a standard that will be universally accepted.
In 2016, once the standard is created and accepted, it should be enforced, and this should be accomplished through the rule of law in individual nations. It’s important to note that adoption of the standard shouldn’t result in a flurry of new legislation. Nor should it mean that large private companies, such as Microsoft, Google, or Apple, step in to fill the gaps, either by creating the standard themselves or by attempting to self-regulate. Such attempts have already met resistance because of perceived harms to consumer privacy. Rather, lawmakers should take a fresh look at existing data security and privacy legislation (some of it created as recently as the 1990s) and update it for modern times.
The creation of a single standard that both reflects the values of those nations that handle a substantial amount of personal information and securely enables the global digital market is a lofty goal. But such a data privacy standard is necessary. The main reason I believe we’ll see it emerge in 2016 is that it will allow nations to strike a balance between privacy, free expression, and public safety while allowing corporations to compete globally. It will ease the burden on security and compliance teams challenged to comply with the myriad requirements and policies every country enforces. A universally accepted international privacy standard will enable the Internet-driven global economy while keeping our privacy concerns at the “water’s edge.”