Thought Leader: Balanced Legislation – Microsoft’s John Galligan

Protecting data and privacy is at the forefront of issues in the tech industry. Given the growing intersection of policy, law, politics and technology, PublicAffairsAsia spoke with Microsoft’s Head of Global Government Affairs, John Galligan.

What may be considered appropriate legislation in this context and can ‘trust’ in business ever be adequately legislated?

Legislation and regulation play an important role in how technology is designed, deployed and, ultimately, used. Perhaps this role is more apparent than ever before. This is because technology is no longer simply a product or stand-alone sector; it is increasingly a universal platform on which business and business models are being built.  Today it’s difficult to draw a line between the analogue economy and the digital economy, between commerce and e-commerce. And just as we are seeing the convergence of technologies, we are witnessing the convergence of policy and regulation too. Given this, we absolutely think that there is a role for regulators and policy makers to govern and oversee these technologies and ensure that users – be they individuals, businesses, governments –  feel confident that their information is secured, their identity respected and that they have confidence in the integrity of the service.

But recent events have called into question the role of government in overseeing these technologies. Some say we are living in a ‘post-Snowden world’, where governments themselves have breached the trust of citizens and businesses. This has sparked a call for increased transparency at every level: governments, law enforcement, and tech companies themselves. This question of transparency affects the very foundation of how technologies are being designed as well as business models themselves. We now are talking as much about trust as we are innovation. Privacy is the ‘new black’ and this has created fundamental shifts in the expectations of users, regulators and service providers.

As a consequence I think that we shall see a steep increase in the level of regulatory activity. We have already seen nationalistic tendencies creeping into technology policy such as the requirement to have cloud and internet services located ‘on shore’. This is in direct response from governments wanting to have more control over what other governments may have access to, especially citizen and government data. For public affairs professionals, it is hard to challenge this with logic alone. Much of this debate is fuelled by emotion and we need to respect that this emotion is not without foundation. To be effective, we need to frame these issues from a domestic context and educate stakeholders on what the trade-offs may be in taking these nationalistic approaches.

Previously we used to talk about ‘how’ tech was going to help governments, business, society. Now we’re back to the ‘why’: why should you trust the technology? Why is it important to your economy and citizens? And why might it be more effective for there to be a borderless digital economy?

Ultimately, the central question comes down to ‘what are the trade-offs?’ and helping governments make an informed choice.

If legislation is to be supportive and conducive, what should it address?

I think it’s a little of both: stick and carrot.

First, protecting information and identity are paramount. And whilst privacy laws need to be updated they also need to take into account a global flow of information. Many businesses and citizens are using a myriad of services from providers from across the world. As a consequence, the interpretability of these laws is very important. Here in Asia Pacific, APEC has done a good job in promoting privacy principles and a regional regulatory framework to promote a free flow of information. Now the European Union is also advancing a Digital Single Market strategy with data protection and security policy at the very heart of this initiative.

Second, cybersecurity laws need to be updated to protect against wilful and malicious attacks and provide better coordination between law enforcement and security agencies. This of course means that surveillance laws need to be transparent and codified to build the confidence of users about the potential over-reach of local and foreign law government access. What’s interesting in the debate about the Snowden revelations is that the US may get the most attention around the world in this respect, but the irony is that its laws are some of the most codified of almost any government in the world and the recent passage of the Freedom Act provides even more transparency.

Third, an omnibus style legislative approach may not be as effective as approaching this from a principles-based framework and building laws, regulation, codes of practice that align with these principles. I fear that the time it would take to create a comprehensive, end-to-end piece of legislation that would cover all these ‘trust’ issues would take so much time that it would be out-of-date by the time of its enactment. If we promote more confidence-building frameworks, then we have the opportunity for regulators and policy makers to fill the gaps rather than try to completely cover the surface. That’s the carrot if you like. In terms of the stick, there also need to be clearly enforced penalties and enforcement with some level of restitution that an individual, company or government can make in the case that something happens.

Finally, tech companies play a huge role in educating and informing the debate around data protection, surveillance, security and privacy. For instance, the legal action that the industry took against the US government to reveal the number of surveillance requests has not pushed people away from our service; ironically, it has provided users with the transparency that they now require in order to take an informed decision on which services to use.

Having the rule of law is incredibly important irrespective of whether you’re Microsoft or a small business. It brings a virtuous circle of predictability, confidence, investment and dissuades and disrupts criminals.

What are the viable alternatives to legislation and is self-regulation sufficient, necessary, or even relevant to this debate?

Self-regulation can be a very valuable framework, especially when combined with a certain level of oversight and the use of transparency policies by companies.  Think about how that has been used by the environmental lobby and how companies are providing more information on their carbon footprints as a matter of consumer information rather than being regulated to do so.  There is no reason to think that this same approach would not work for tech and transparency around these trust issues.

Industry codes of conduct, industry self-regulatory frameworks and sets of guiding principles can be helpful, but these are the baseline. You can have industry codes that drive a way of operating and companies can innovate on top of that. In technology it’s going to be a race to the most trustworthy platform, not just the most innovative. That said, there will still be space for innovative companies to incorporate these privacy and trust expectations. Think of products like SnapChat that have already proven that you can innovate and provide a more private and ephemeral technology experience. With this incentive to being trustworthy and innovative, the importance of being open about the way you run your services, monetise information and protect the information and identity of consumers will be critical. People can then make a judgement based on utility, availability and cost.

Interestingly, though, the World Economic Forum looked at deferential privacy in 2014 and they found that some users in Asia Pacific were far more willing to give up some level of privacy in return for low cost, highly tailored services than users in the EU and US. But does this mean that Asian consumers should have to make a trust trade-off? I don’t think so. I think more education about what these trade-offs mean, with government and technology companies building more awareness of privacy and promoting more trustworthy computing, including enacting data protection and security laws to give users even more confidence.

Does legislation support innovation?

Absolutely, but not in the way that many would think.  While I don’t believe that you can have innovation legislation, you can have legislation that provides the incentive to innovate.  We have always relied on legislation to fill in the gaps where there has been market failure.  We would not have seen some of the innovation today had it not been for various privacy, security and IP laws being in place. It’s hard to have an innovation policy directly, but it is possible to create an environment in which people feel they can innovate in confidence.

John Galligan is Microsoft’s Head of Global Government Affairs


The Thought Leaders Series is Supported by FleishmanHillard