30 Jan 2023

Why security matters for upholding privacy and data protection

Guest blog: Maria Palmieri, Senior Public Policy Manager at Cloudflare, writes about how they are helping businesses to navigate an increasingly complex regulatory environment for data protection compliance.

With Data Privacy Day 2023 having just passed on January 28, we at Cloudflare think it’s important to focus on all the ways security measures and privacy-enhancing technologies help keep personal data private and why security measures are so much more critical to protecting privacy than merely implementing the requirements of data protection laws or keeping data in a jurisdiction because regulators think that jurisdiction has stronger laws than another. 

Most data protection regulations recognize the role security plays in protecting the privacy of personal information. That’s not surprising. An entity’s efforts to follow a data protection law’s requirements for how personal data should be collected and used won’t mean much if a third party can access the data for their own malicious purposes.  

 

A missing piece

The laws themselves provide few specifics about what security is required, however. For example, the EU General Data Protection Regulation (“GDPR”) and similar comprehensive privacy laws in other jurisdictions require data controllers (the entities that collect your data) to implement “reasonable and appropriate” security measures. But it’s almost impossible for regulators to require specific security measures because the security landscape changes so quickly. 

Enforcement actions by regulators, such as the Federal Trade Commission in the US, following privacy breaches provide a bit more guidance. These actions commonly require a comprehensive security program that includes a number of technical measures to protect data from unauthorized third parties. The enforcement actions tend to be data location-agnostic, however. It’s not important where the data might be stored – what is important is putting the right security measures in place. We couldn’t agree more.

Cloudflare’s portfolio of products and services helps our customers put protections in place to thwart would-be attackers from accessing their websites or corporate networks. By making it less likely that users’ data will be accessed by malicious actors, Cloudflare’s services can help organizations save millions of dollars, protect their brand reputations, and build trust with their users. We also spend a great deal of time working to develop privacy-enhancing technologies that directly support the ability of individual users to have a more privacy-preserving experience on the Internet.

Even though we believe that deploying effective cybersecurity measures is the best way to protect the privacy of personal information, we hear from customers in Europe, India, Australia, Japan, and elsewhere that, as part of their privacy programs, they need solutions to localize data in order to meet what they see as their regulatory obligations under data protection laws.

 

A complex regulatory environment 

So as we think about Data Privacy Day, we are in the interesting position of disagreeing with those who believe that data localization is a proxy for better data privacy, but of also wanting to support our customers who have to comply with certain regulations whether they agree with them in principle or not.

For this reason, we introduced our Data Localization Suite (DLS) in 2020 to help customers navigate a data protection landscape that focuses more and more on data localization. With the DLS, customers can use Cloudflare’s powerful global network and security measures to protect their businesses, while keeping the data we process on their behalf local.  

While we are eager to help our customers meet their compliance needs, we remain concerned about the growing tendency around the world in the last decade to ring-fence the Internet and erect new barriers to international data flows, especially personal data. In some cases this has resulted in less choice and poorer performance for users of digital products and services. In other cases it has limited free access to information, and -- paradoxically -- in some cases this has resulted in even less data security and privacy, which is contrary to the very rationale of data protection regulations. 

 

The free flow of data with trust

Fortunately, we are seeing lawmakers move toward more support for cross-border data flows. In early 2022, the US joined Canada, Japan, the Republic of Korea, Singapore, and other Asia-Pacific countries in the Global Cross-Border Privacy Rules Forum, which aims to develop a certification program so organizations can demonstrate compliance with international data protection standards. Then, on December 13, the European Commission published its long-awaited draft adequacy decision, taking another step closer to a new EU-US Data Privacy Framework. Just one day later, the US, EU, and the 37 other OECD countries adopted a first-of-its-kind agreement to enhance trust in cross-border data flows between rule-of-law democratic systems.

On this Data Privacy Day 2023, Cloudflare urges policymakers globally to focus on stable, multilateral frameworks with specific privacy protection requirements and to focus on how regulations can be adapted or enforced in a way that more meaningfully protects privacy – notably by prioritizing the use of security and privacy-enhancing technologies over prohibitive approaches that harm the global economy. Read more here.


 

Maria Palmieri

Senior Public Policy Manager, Cloudflare

Maria is Senior Public Policy Manager at Cloudflare, having recently worked as Director of Policy at Yapily, a scaling Fintech company. Prior to this, Maria was at Tech Nation leading Government Relations, working closely with the DCMS on how to make the UK the best place to grow and scale a tech business. Maria trained as a lawyer and started off her career in Investment Banking.

 

 

