Pre-Proceedings of International Workshop on Trustworthiness, Accountability and Forensics in the Cloud (TAFC)

The notion of “accountability” is a currently fashionable within the community of scholars, regulators and activists concerned with privacy and data protection. At one level, it has always been a central principle within these laws and policies, and is implicit if not explicit in every attempt to make organizations more responsible for the personal data they collect and process. At one level, there is nothing new. At another level, however, accountability has come to represent a distinct policy approach to the vexing problem of the regulation of international personal data processing, in the past termed “data exports” or “transborder data flows.” Over the last few years, the debate on international data protection has become somewhat polarized between those who would continue to support the EU approach, essentially a prohibition on transfers to countries which do not have an “adequate level” of data protection, and the “accountability approach” which focuses more on the protection afforded by individual data controllers. Scholars of public administration have spilled a lot of ink over the many meanings of the word “accountability.” However, there seems to be a consensus that the process must involve being called “to account” by some authority for one’s actions. Accountability implies a process of transparent interaction, in which an external body seeks answers and possible rectification. That external agent is presumed to have rights of authority over those who are accountable – including the rights to demand answers and impose sanctions if the organization’s “account” is not accurate or complete. If there is no possibility of external compulsion to change practices, there can be no accountability. Thus, there must be a common understanding of who is accountable, for what and to whom. The recent policy discussions about accountability and privacy protection, especially in the context of cloud computing, have not been precise with the result that the word has been expanded and distorted to serve a variety of political and economic interests. Nobody can be against “accountability” in the abstract. But when the concept becomes framed in political discourse, there are a number of questions that need to be raised about its meaning and its relationship to the central goal of protecting privacy. How policy problems get framed shapes how they will be resolved. In this talk, I first review briefly the history of trying to regulate international flows of personal data, with a view to understanding how the “accountability” approach arose. I then review some of the assumptions (implicit and explicit) upon which this current emphasis on accountability seems to be based, and with particular reference to another imprecise phenomenon – “cloud computing”.