Privacy legislation again is a hot topic in the United States. The California Consumer Privacy Act has added to the pressure provided by the European Union General Data Protection Regulation (GDPR). Think tanks, trade groups and consumer organizations are all proposing frameworks for the United States. The Information Accountability Foundations (IAF) is one of those groups. Even the U.S. Chamber of Commerce has published principles and indicated it is time for a new law.
In part, the proposal of these frameworks is defensive to preempt the new California Consumer Privacy Act. However, for many of us, it is an opportunity to set the guiderails for the fourth industrial revolution (FIR). According to Wikipedia, the FIR is “characterized by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres, collectively referred to as cyber-physical systems.” These proposed frameworks in the United States are part of a global movement to define the rules for the FIR.
The IAF sees the efforts in the United States as fitting into the fourth privacy legislative wave. Each wave links governance to the accelerating pace of change, and the fusion of everything digital and genomic surely meets the test of technology change.
The first privacy legislative wave was the 1970’s legislation that began with privacy laws in the German state of Hessen and the U.S. Fair Credit Reporting Act. The trigger was the adoption of mainframe technologies. Wave two began with the enactment of the 1995 EU Data Protection Directive and was responsive to the integration of data into all forms of commerce. The GDPR is the third wave driven by advanced analytics and observational technologies. Wave four will be the new laws that emerge as countries deal with both the adequacy requirements and expectations created by the GDPR and the observational, interactive, predictive, and action-oriented nature of cyber-physical systems.
Privacy Legislative Waves
Wave One (early 1970s):
The first wave began with privacy legislation in the German state of Hessen, in Sweden and the U.S. Fair Credit Reporting Act. The wave was triggered by the growing use of mainframe computers. It continued with the OECD Privacy Guidelines, the Council of Europe Treaty 108, numerous sector specific laws in the United States, and European privacy laws that predate the EU Directive. These laws were designed to create controls for individuals related to their data and/or to fix specific risks of harm related to a particular data use, such as drivers’ license information.
Wave Two (mid-1990s):
Wave two began with the EU Data Protection Directive which required each of the EU states to enact conforming legislation. The problem being solved was concern that different privacy standards would limit commerce that was increasingly driven by data. There was clear understanding that fundamental rights needed to be protected to facilitate continent wide data flows. The adequacy provisions in the Directive had the effect of encouraging privacy legislation in trading partner countries. While the Directive established the requirement that all processing be conducted under one of six legal bases, with consent being one of those legal bases, the conforming laws were mostly consent based. Most legislation adopted outside Europe also required consent. Laws were enacted in the Americas, Asia, Africa and non-EU European states. Accountability, for the most part, was inferred rather than being explicit. The exceptions were Canada and Mexico where accountability was an express provision of the privacy law. As advanced analytics and communications technologies, such as smart phones, emerged, the drive to add accountable practices, such as privacy by design, became increasingly encouraged.
Wave Three (mid-2010s):
The GDPR is wave three. The Internet drove the expansion of observational data, which in turn drove a revolution in analytics. In this more complex ecosystem, explicit accountability requirements are seen as necessary. Therefore, the GDPR places greater emphasis on six legal bases to process data and limits consent to where it is fully effective. It requires accountability measures, such as privacy by design, data protection officers, and data protection impact assessments. While it broadens use by placing less emphasis on consent, it restricts use by prohibiting profiling with legal effect unless one has consent. The GDPR is intended to drive comparable laws in other regions. Brazil’s new privacy law is comparable (dependent on the enforcement mechanism that has yet to be developed). However, the size and complexity of the GDPR and its link to concepts of European citizenship make replication difficult. Furthermore, it is not fully responsive to cyber-physical systems.
Wave Four (2020s):
Wave four privacy laws will take the positive innovations in the GDPR and add processes that let society benefit from the data driven FIR. Organizations that wish to use data beyond the common understanding of individuals will have to demonstrate they have mechanisms for good data stewardship. Further, they will need to be transparent about their values and have effective governance structures that include ethics by design, comprehensive assessments and independent oversight. Persons will have understandable and actionable individual rights. Wave four regimes will have the necessary provisions to be interoperable with the GDPR.
One might ask if part of the motivation is GDPR adequacy and expectations, why this next wave is not just an extension of wav three? The answer lies in the interplay between the cyber and physical worlds that is critical for the FIR to actually operate. As new devices are added to the personal ecosystem, they will be interactive with every other sensor driven device. Sensors will trigger actions that will avoid collisions, interact to maximize medical treatments, and make crosswalks safe for children and seniors. At the same time, autonomy must be respected, and fair processing will need to be mandated to avoid loss of freedom, unfairness and digital predestination.
The GDPR has pioneered provisions that are absolutely necessary for the FIR, like legitimate use, use within context, and accountable persons and processes. However, the GDPR is conflicted on research, analysis (i.e., profiling) and automated decision making that is a fundamental part of how the new technology operates. In part, the global discussion of ethics by design reflects the greater complexity when sensors need to be interactive with each other to operate. These ecosystems continually will profile, learn and make decisions for people. The fourth wave will provide guiderails for this fast movement from big data to big action. Concepts, like a two-phased – thinking and learning – approach to big data, will be challenged by this new environment. Governance needs to address this challenge.
The purpose of the IAF’s U.S. Framework is to generate discussion on legislative objectives and design in the U.S. and other places around the world that might adopt the governance demanded by the FIR. Furthermore, IAF is working with the Privacy Commissioner for Personal Data in Hong Kong on the data stewardship tools necessary to help organizations make sound decisions in their use of observational data and advanced analytics.
The IAF West Coast Summit on September 26 will focus on these topics. Furthermore, the IAF will begin a U.S. privacy framework discussion group and will make future frameworks part of its Americas and Asian discussion groups’ agenda.
Please let us know what you think.