Laws to govern the data age are extremely hard to draft. Policymakers will encounter this when they revise competition law to deal with data-rich conglomerates. They have already tried to address this in the privacy area through the European General Data Protection Regulation (GDPR), which recently had its one-year anniversary. However, there already are discussions about what revisions to the GDPR are necessary as data-rich opportunities are created. The California Consumer Privacy Act (CCPA) goes into effect in 2020, and numerous amendments to the CCPA have been proposed, and several already have been enacted. None of the proposed privacy laws we have seen, either in place currently, under active revision in many parts of the world, or part of the U.S. Federal Privacy legislative debate, recognize that people have a stake both in data being used aggressively and data being used protectively. As Giovanni Buttarelli, the European Data Protection Supervisor, said, “data should serve people.”
Sunday, June 9, 2019, The New York Times editorial board published an editorial entitled “Where Is America’s Privacy Law?” The editorial argues that the U.S. Congress is late because it has not enacted comprehensive privacy legislation. While the IAF agrees that the United States needs an omnibus privacy law, we also believe that it is better to get the law right. The New York Times editorial, from our perspective, saw only one side of the equation — protecting people from data misuse. We believe both sides of the equation – preventing data misuse and allowing innovative use of data that benefits people – is required for privacy legislation that will be in effect for at least a generation.
Washington policymakers have stated that they have seen enough principles and that they need legislative language from which to pick and choose. The IAF has posted to its website model legislation entitled, The Fair and Open Use Act. That is the short title. The full title uses the words fair, accountable, innovative, responsible and open. All those words are very important. The draft begins with nineteen findings. The first finding provides: “The information ecosystem is the world’s most innovative. It has not just driven economic growth; it has facilitated positive changes in all sectors.” Other findings state: “The benefits of the information age belong to everyone. Individuals justifiably expect organizations will process their data in a manner that creates benefits for the individual, or if not the individual, for a broader community of people. Data should not just serve the interests of the organization that collected the data.” Lastly, the findings are clear that this model legislation will be complex. The last finding says: “We live in a complex, data-driven world with diverse business models and infinite possibilities for innovation. This reality requires complex, nuanced, innovative and agile policy and regulatory response.” We believe these findings set the conditions for making certain that data serves people.
The IAF model is the first draft legislation that is heavily focused around the OECD accountability principle. It provides controls for individuals, but they are secondary to the safe and fair processing of personal data to ensure data serves people. It allows organizations to innovate with data, but in order to do so they must have sound, robust, accountable and demonstrable processes. These are not checkbox processes, but rather robust activities conducted by employees that must be able to demonstrate that they are doing their jobs with integrity and with competence. These processes must be enforceable by regulators.
There will be comments that the type of accountability described in the IAF model legislation requires staff and systems so that data can be used in an innovative manner. That observation is correct. Those that have implemented the GDPR understand that data governance requires people, processes, tools and infrastructure in order for data to be properly governed. The IAF model legislation argues that data that is used for legitimate purposes and that is well governed should be used; this is where multiple stakeholders receive benefit.
The IAF commissioned the model legislation as an educational endeavor. The IAF does not expect it to be enacted in its entirety or in its current form. But, we do believe it will be informative to those that have the responsibility to legislate.
The IAF model legislation is organized into seven articles:
- The first article contains nineteen findings that establish not only the importance of innovative processing to every aspect of human life, and the competitive advantage it has created for America, but also the risks to individuals and society if data are not governed correctly. Findings are not unusual in U.S. legislation, but these findings truly set up the articles that follow. Article One also contains definitions, including definitions of provided, observed and inferred data. This is important because the data type helps set up the sections that reference risk.
- Article Two restricts data to uses that are legitimate. There are eight legitimate uses that are interoperable with the six legal bases in the GDPR. Knowledge creation is a legitimate use, as are societally beneficial uses. Less anticipated uses may be legitimate, but they require assessments that must be conducted with skill and integrity.
- Article Three discusses the responsibilities of an accountable organization. These align to what would be found in other comprehensive privacy laws. There is a limited right to portability associated with data an individual provides to an organization.
- Article Four requires an organization to have a comprehensive program comparable to the risk that arises from the processing conducted by the organization. The requirements include a strategic vision for data that would be implemented through a comprehensive program. Those program requirements include privacy by design for all processing and data stewardship for automated processing. So, the program completes a full cycle, and internal oversight is required as well.
- Article Five creates five risk bands which are managed through a risk management program aligned with the organization’s institutional risk management program.
- Article Six empowers individuals to engage with the organization’s accountability processes. It gives the individual the right to restrict processing on a sliding scale based on risk.
- Article Seven, while not specifying the enforcement and oversight agency, sets up the agency’s powers. It also creates a safe harbor for compliance through common risk assessment methodologies and enforceable codes of conduct.
- Articles Eight and Nine require the agency to conduct outreach and education, and establish an effective date.
The IAF team asks that you read the legislative model as a demonstration project that illuminates what accountability means in effect. The IAF also asks that you read it with the maxim, “data should serve people,” in mind.