The FTC held its hearing on its Approach to Consumer Privacy on April 9 and 10 in Washington, DC. At that hearing, the questions discussed included: what are the existing and emerging legal frameworks for privacy protection, and if the U.S. were to enact federal privacy legislation, what should such legislation look like? In response to these questions and others, “information fiduciaries” were suggested as a way to protect consumers from harms resulting from data collection, sharing and use. The IAF believes that, conceptually, “information fiduciaries” is too limiting and that the discussion should instead be about “data stewards.”
Jack Balkin’s 2016 law review article is frequently referenced as the authority on the concept of “information fiduciaries.” Because doctors, lawyers and accountants have special relationships of trust and confidence with their clients, often because of their collection, analysis, use and disclosure of information, Balkin describes these individuals as “information fiduciaries”. According to Black’s Law Dictionary, a fiduciary is invested with rights and powers to be exercised for the benefit of another person. Recognizing that applying the concept of “information fiduciaries” to businesses that use personal information might be too broad because businesses then could not make any money at all from personal data that might be used to the individual’s disadvantage, Balkin recommends that businesses should be thought of as “special-purpose information fiduciaries.” When thought of this way, the nature of their services should be guided by what kind of duties it is reasonable to impose on them; the kinds of duties information fiduciaries should have, according to Balkin, should be connected to the kinds of services they provide.
Listening to the Opening Remarks of FTC Chairman Simons last week, it became apparent that the concepts of “information fiduciaries” and “special-purpose information fiduciaries” should not apply to businesses that use personal data to benefit both themselves and individuals (and maybe society as well). In his speech, Chairman Simons asked: “What approach will protect consumers’ privacy interests while fostering the innovation and competition that has brought us so many benefits? What, exactly, are the harms that we are trying to address? And what are the countervailing considerations, like the effect on innovation and competition?”
As Chairman Simons said, we should be finding ways for businesses to both protect consumers’ privacy interests and foster innovation and competition. Redefining the legal concept of fiduciary, from one whose duty is to protect the interests of the individual to one that can protect both the interests of the business and the individual, is not the answer. Rather than torturing the concept of “fiduciary” to fit a situation it definitionally does not cover, other appropriate governance concepts should be considered. All those trying to determine what kind of privacy legislation should be enacted in the U.S. should look to data stewardship, a concept essential to the governance concept of Accountability.
Accountability was first articulated by the 1980 OECD Privacy Guidelines as principle 8, which states: “A data controller should be accountable for complying with measures which give effect to the principles stated above.” In 2009, a group known as the Global Accountability Dialogue met in Dublin to explore how the OECD accountability principle might be used to create confidence in data transfers from one country to another. This group, composed of diverse stakeholders, reached a consensus on essential elements to guide organizational accountability in the Galway Paper. In the Galway Paper, the concept of data stewardship was discussed. “Accountability is the obligation to act as a responsible steward of the personal data of others, to take responsibility for the protection and appropriate use of that information beyond mere legal requirements, and to be accountable for any misuse of that information.” Thus, under Accountability as it was conceived in 2009, data users must take responsibility for the data they use. This description of data stewardship is data-use focused. Data stewards are custodians for data, and any obligations that run with the data are recognized.
As data use has expanded, the concept of Accountability has also evolved into Enhanced Accountability, which takes data stewardship to a new level. With advanced analytics, systems can make decisions that impact people. For example, credit scores assess the risk related to loans, insurance, mobile phones and many other services, and often these credit decisions are made without any human involvement. The systems make decisions based on objectives set by humans, but direct human accountability is absent. To regain that accountability, it will be necessary to depend on people to build accountable governance into the objectives for the systems. Therefore, it is necessary that stewards make decisions that consider the interests of external stakeholders, the parties impacted by the processing. By doing so, the role of the data steward has moved beyond custodian of the data and the obligations that come with the data to one that ascertains that the outcomes are legal, fair and just to the various stakeholders. Future data stewards must be stakeholder-interest focused. This concept of understanding stakeholders (the business itself, the individuals and, if appropriate, even society) and their interests is foundational to Enhanced Accountability.
Requiring businesses to be data stewards if they want to use personal data for their own benefit and for the benefit of the individuals from whom the personal data are provided, observed, derived and inferred is a more easily understood and applied concept. It also has the benefit of having broader application; it is not limited to businesses that hold themselves out to the public as privacy-respecting organizations in order to gain the trust of those who use them, when they give individuals reason to believe that they will not disclose or misuse their personal information, and when individuals reasonably believe that they will not disclose or misuse their personal information, as Balkin limits the concept of “special-purpose information fiduciaries.” In order to use data from sensors, employ artificial intelligence and machine learning, create inferred data, or make probability-based decisions on people, businesses need to be data stewards, not “information fiduciaries” or “special-purpose information fiduciaries.”