Category Archives: Accountability

Accountability Does Work

143,000,000 people were the victims of a recent data breach when their data was stolen from Equifax, a company that has an obligation to keep their data safe. Data security is tough. The bad guys only need to be successful once, while companies need to win every time. However, from the perspective of many consumers, Equifax has not responded in the most responsible way to this data breach. The company’s website did not have a section to help consumers with this breach. So, people had to find the special website, visit a second time to request free credit monitoring, and many have still not received acknowledgment that their requests were received.
Accountable organizations need to be responsible and answerable. They must be transparent about their processes and stand ready to demonstrate those processes. It seems like Equifax does not reflect these concepts of accountability. So does this mean that accountability does not work? I believe that the opposite is true.
Could the event have been prevented by a different regulatory approach, for example, a regulatory system that describes, in great detail, the data security actions a company would have to follow? The reality is the rules would be dated the moment they were enacted. Instead, appropriate security is explicitly required by the safeguarding rule and implicitly by Section 5 of the Federal Trade Commission Act. So, the obligation is there. Regulators could do spot audits; however, regulators will never have the bandwidth to examine every organization. An accountability approach creates the obligation and requires companies to implement the right tools to meet that obligation. Data breach laws required the company to announce data breaches that are impactful, and Equifax did so, creating the mechanism for being answerable. Once the breach was announced, news reporters began their own investigation. At least three federal regulatory agencies have announced investigations, and they have been joined by 34 state attorneys general. The company’s stock has fallen by a third. Several class action lawsuits have been filed. I have great confidence that the company will be answerable for its behavior. The market and regulatory punishment will be what encourages other companies to behave in a manner that consumers would find more appropriate.
At the end of the day, I believe accountability does work. Where laws require accountable behavior and appropriate disclosures, the mechanisms to hold companies responsible and answerable do work. And I also believe that accountability allows for the best combination of data-driven innovation and individual protections.
As innovation powers forward and companies find new applications of data use, they will increasingly be expected to be accountable for the impact those data uses have on people. The IAF recently issued enhanced essential accountability elements for artificial intelligence that are also applicable to advanced analytics. The IAF is arguing that the price for being trusted to use data robustly is stakeholder-focused accountability. So, as data is used more and more robustly, let’s enhance accountability as part of data governance infrastructure.

Latin American Data Export Governance

Data flows are global, but privacy laws are local. I first uttered that statement in the last century during initial discussions on whether the United States had adequate privacy protection as defined by the 1995 European Union Data Protection Directive. At the time, I argued that privacy protections in the United States were a mosaic…

Europe Sets the Standard – Other Regions Follow

The Ibero-American Data Protection Network (“network”) adopted “Standards for Personal Data Protection for Ibero-American States” (“SPDP”) on June 20, 2017 at its meeting in Santiago, Chile, with the official English translation now available. Most data protection experts have predicted that the adequacy provisions of the European General…

The Need for An Ethical Framework

The vast amount of data made possible and accessible through today’s information technologies, and the ever-increasing analytical capabilities of this data, are unlocking tremendous insights that are enabling new solutions to health challenges, business models, personalization and benefits to individuals and society. At the same time, new risks to individuals can be created. Against this…

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundation’s blog in Sept, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while…

IAF/FPF Side Event at ICDPPC – 18 October 2016

Technology, Challenges and Effective Governance Side Event, Co-Hosted by Future of Privacy Forum and IAF
DATE: 18 October 2016
TIME: 14.15 to 16.15
LOCATION: Roseraie Room, Conference Center of the Palmeraie Golf Palace
EVENT: 38th International Data Protection and Privacy Commissioners Conference
ADMISSION: To register for this event, contact us at, or RSVP via…

Accountability in an Observational, Analytics-Driven Digital Economy

Since a multi-stakeholder group first defined them in 2009, the essential elements of accountability have become well established in the field of data protection. These elements are reflected in guidance from data protection and privacy authorities in Canada, Hong Kong, Australia, Colombia and France. They have been adopted as key elements in the European General…

IAF Holds Brainstorming Event on Ethics, Created Data, AI and Accountability

On 13 September, IAF held its Annual Brainstorming Meeting. HP Inc. hosted the event. This year’s sessions focused on ethics and data protection, created data and accountability, and artificial intelligence and governance. Below are documents related to the meeting and photos of the event. Meeting Documents Brainstorming Session Agenda Session Attendee List Background Reading IAF…

Autonomy and Fair Processing: Proportioning the Governance

The free flow of data to facilitate individual, business and societal needs as well as to facilitate the protection of individuals to whom the data pertains has always required proportionality. That proportionality is demonstrated in privacy law that protects both individual autonomy and fair processing. The constant evolution of information and communications technologies further emphasises…

IAF Co-hosts Workshop and Gives Presentations During APEC 2016

During the 2016 APEC meetings in Peru, IAF sponsored a workshop entitled “Building a Dependable Framework for Privacy, Innovation and Cross-Border Data Flows in the Asia-Pacific Region” on 22 February. The event was co-hosted with CIPL, TRUSTE and IIS. Marty Abrams of IAF provided a discussion during the meeting about “Accountability and Trust.” On 24 February,…