Category Archives: Data Protection

Accountability Does Work

143,000,000 people were the victims of a recent data breach when their data was stolen from Equifax, a company that has an obligation to keep their data safe. Data security is tough. The bad guys only need to be successful once, while companies need to win every time. However, from the perspective of many consumers, Equifax has not responded in the most responsible way to this data breach. The company’s website did not have a section to help consumers with this breach. So, people had to find the special website, visit a second time to request free credit monitoring, and many have still not received acknowledgment that their requests were received.
Accountable organizations need to be responsible and answerable. They must be transparent about their processes and stand ready to demonstrate those processes. It seems like Equifax does not reflect these concepts of accountability. So does this mean that accountability does not work? I believe that the opposite is true.
Could the event have been prevented by a different regulatory approach, for example, a regulatory system that describes, in great detail, the data security actions a company would have to follow? The reality is the rules would be dated the moment they were enacted. Instead, appropriate security is explicitly required by the safeguarding rule and implicitly by Section 5 of the Federal Trade Commission Act. So, the obligation is there. Regulators could do spot audits; however, regulators will never have the bandwidth to examine every organization. An accountability approach creates the obligation and requires companies to implement the right tools to meet that obligation. Data breach laws required the company to announce data breaches that are impactful, and Equifax did so, creating the mechanism for being answerable. Once the breach was announced, news reporters began their own investigation. At least three federal regulatory agencies have announced investigations, and they have been joined by 34 state attorneys general. The company’s stock has fallen by a third. Several class action lawsuits have been filed. I have great confidence that the company will be answerable for its behavior. The market and regulatory punishment will be what encourages other companies to behave in a manner that consumers would find more appropriate.
At the end of the day, I believe accountability does work. Where laws require accountable behavior and appropriate disclosures, the mechanisms to hold companies responsible and answerable do work. And I also believe that accountability allows for the best combination of data-driven innovation and individual protections.
As innovation powers forward and companies find new applications of data use, they will increasingly be expected to be accountable for the impact those data uses have on people. The IAF recently issued enhanced essential accountability elements for artificial intelligence that are also applicable to advanced analytics. The IAF is arguing that the price for being trusted to use data robustly is stakeholder-focused accountability. So, as data is used more and more robustly, let’s enhance accountability as part of data governance infrastructure.

IAF Releases Ethical Guidance for Artificial Intelligence at Commissioners’ Conference

The terms ethics and ethical data processing are in vogue. With the rapid growth of innovative data-driven technologies and the application of these innovations to areas that can have a material impact on people’s daily lives, enhanced corporate governance focused on ethical objectives is needed. Particularly where data enabled decisions are made without the intervention… Continue Reading

A Data Protection Risk Assessment Is About Ethics – Join IAF Webinar

Webinar, September 6, 2017. We have never read a privacy or data protection law that requires controllers be ethical. Yet implicitly new laws are driving expectations that organizations using data robustly do so in an ethical fashion. What does that mean? The European… Continue Reading

The Colombia Congress Matters

There seems to be a privacy conference every week in the United States or Europe. However, privacy training and policy development in Latin America is not nearly as well developed as that in the United States and Europe. Latin America has one annual conference that is clearly considered the conference of conferences. It is organized… Continue Reading

IAF Policy Call

The ePrivacy Regulation may swallow any flexibility built into the GDPR. What does this mean for effective data protection governance and the ability for companies to build value by thinking with data? Does the adequacy drive from Latin America cause additional disruption? Will the International conference in Hong Kong bring balance back to global discussions? Join… Continue Reading

The Need for An Ethical Framework

The vast amount of data made possible and accessible through today’s information technologies, and the ever-increasing analytical capabilities of this data, are unlocking tremendous insights that are enabling new solutions to health challenges, business models, personalization and benefits to individuals and society. At the same time, new risks to individuals can be created. Against this… Continue Reading

Big Data Ecosystem, Fairness and Enforcement

Big data has become an increasingly scary phrase for all stakeholders in data protection. For privacy advocates, it often means loss of control, asymmetrical power and hidden discrimination. For regulators, it often means regulatory round pegs in operational holes of different sizes, in constantly moving locations, with mismatches that begin with vocabulary. For companies, it… Continue Reading

Abrams Moderates Panel at ICDPPC Open Session – 19 October 2016

Adequacy, Localization and Cultural Determinism Open Session Panel Discussion
DATE: 19 October 2016
TIME: 11.30 to 13.00
LOCATION: Atlas Room, Conference Center of the Palmeraie Golf Palace
EVENT: 38th International Data Protection & Privacy Commissioners Conference
ADMISSION: The discussion is open to all conference attendees.
Are adequacy, localization and cultural determinism efficient measures to strengthen/adapt… Continue Reading

Accountability in an Observational, Analytics-Driven Digital Economy

Since a multi-stakeholder group first defined them in 2009, the essential elements of accountability have become well established in the field of data protection. These elements are reflected in guidance from data protection and privacy authorities in Canada, Hong Kong, Australia, Colombia and France. They have been adopted as key elements in the European General… Continue Reading

EDPG Project: Enhancing Benefits from Information Flows While Improving Regulatory Certainty in a Digital Age

Today’s information ecosystems are complex and set to become even more complicated. Business, today, is making increasing use of information as a means to create new products and services and drive value creation. IoT environments offer a terrific example of this complexity as does the whole area of Big Data analytics, which can involve the… Continue Reading