Permissible uses for personal data, a key component of the FAIR and OPEN USE ACT, were invented in the United States 50 years ago. The FAIR and OPEN USE ACT is the IAF’s forward-looking, risk-based model legislation.
Congress’s enactment of the Fair Credit Reporting Act (FCRA) created the infrastructure for the modern consumer economy. It took consumer reporting from paper files to the digital systems that made consumer credit widely available. Credit markets were local in 1970, and within a generation they were national. The FCRA also enhanced consumer equity by making possible the 1974 Equal Credit Opportunity Act (ECOA). Fair decision making requires complete data for the specific purpose of making decisions when individuals apply for credit, insurance, employment, and other critical consumer benefits. The FCRA mandates that key actors (credit bureaus, reporters of data, and users of consumer reports) use that data only for permissible purposes, be transparent, and provide consumer protections such as the right to access and to dispute data.
The central point is that consumer reports are powerful and therefore should only be used for legitimate purposes when substantive decisions are being made related to consumer requests and benefits. The processing must be fair, particularly because credit reporting is mandatory, with all credit-active individuals in the credit reporting systems. The law does not require just permissible purposes; it also requires transparency and responsible processing by all parties. There are rules that cover practices by the credit reporting agencies, the parties that report data, and those that use the consumer reports to make decisions. There is a duty of care to obtain the maximum possible accuracy. There are specific consumer rights to know there are credit reporting agencies, to access the data, and to dispute data thought to be inaccurate. The FCRA is fair processing legislation.
Legacy privacy legislation, however, is focused on procedures so individuals can control when their data are collected. The latest privacy legislation, like the European General Data Protection Regulation (GDPR), is built, first and foremost, on the premise that processing personal data should be lawful and fair. This means the purposes for which personal data are processed must be specific, and the GDPR specifies that personal data must be processed under one of six lawful bases. Specific purpose and lawful basis have always been important, but the emphasis on a “risk based” system has shifted the attention. Fairness becomes ever more important, while the focus on individual control still is less emphasised. Fair processing is not new; the FCRA was enacted two generations ago.
With today’s complex data ecosystems, it is time to place the onus on the organization to first and foremost achieve fair processing rather than placing the burden on the consumer. The IAF model legislation, the FAIR and OPEN USE ACT, does so by building on the FCRA’s concept of permissible purpose. The FCRA requires that personal data only be processed for specific legitimate uses. The IAF model legislation contains eleven legitimate uses:
- Compliance with a legal obligation;
- Information security;
- Routine business processes;
- Requested product or service;
- Protection against unlawful activity;
- Public safety and health;
- Affirmative express consent;
- Knowledge discovery;
- Advertising or marketing purposes (subject to conditions); and
The IAF model legislation has more purposes than the GDPR because the IAF has learned from the European experience. For example, knowledge creation, which powers innovation, is a specific legitimate use. The FAIR and OPEN USE ACT complements the legitimate uses with requirements that covered entities operate in a responsible and answerable fashion. Article IV of the IAF model legislation fully describes the responsibilities of an accountable organization, and Article V spells out the specifics for managing the risk to other stakeholders. Individual rights are described in Article III.
So, while the FAIR and OPEN USE ACT may seem to break new ground in fair processing legislation, it really is built on key concepts first enacted by Congress in 1970. Many of the provisions which have been expanded for today’s observational world have their roots in legislation that successfully facilitated the consumer revolution of the latter part of the 20th century. Today, a similar legal infrastructure for complex digital ecosystems is needed.