Federal privacy legislation in the United States is stuck. There are many reasons for this, but the fact is that the old privacy paradigm that individual control is the keystone for effective fair processing is no longer fit for its purpose. Yet, the old paradigm is the starting point for most privacy legislation.
Georgetown law professor Julie E. Cohen captured this dilemma in her recent article, “How (Not) to Write a Privacy Law.” Individual control has strong emotional pull. The concept that individuals can control who has their information and how it can be used is compelling. However, the fact is that this is an observational age where individuals’ information can be obtained and used without them knowing about it, and the data obtained through that observation drives advanced analytics, including artificial intelligence (AI), which, in turn, drives today’s digital society and economy.
There is a different privacy paradigm. It is one where the keystones are responsible and answerable behavior by companies processing data pertaining to individuals and where this behavior is overseen by strong regulatory authorities. The one word for responsible and answerable is accountability. There is one legislative model where the keystone is accountability and that is the model legislation of the Information Accountability Foundation (IAF), the FAIR AND OPEN USE ACT.
This model legislation is based on all the IAF has learned over the past three years. State legislation has been enacted in California and Virginia, much has been learned due to greater experience with the GDPR, and proposed federal bills contain unique features. The IAF model legislation references where it relies on these sources.
While other bills claim to be risk based, they fail to define the risk that is to be prevented or managed. The IAF model legislation is clear that the risk to be managed is adverse processing and provides guidance on how to determine processing is adverse. Accountability and robust oversight pave the way for flexible innovation.
The IAF model legislation has its roots in accountability’s essential elements, and the preamble to the IAF model legislation has three accountability principles that are color coded:
- Accountable and Measured
- Informing and Empowering
- Competency, Integrity and Enforcement
While the legislative keystone is accountability, the IAF model legislation still requires full transparency and individual control where individual control is effective.
The IAF’s mission is research and education. The IAF refers to the FAIR and OPEN USE ACT as model legislation. It is the IAF’s desire that its model legislation be debated and hopefully that parts of it be used in enacted legislation. Over the next few months, the IAF will look for opportunities to introduce the elements of this model legislation to the privacy community. The IAF also will publish blogs on specific features in the FAIR and OPEN USE ACT.
Marc Groman, former White House Senior Advisor for Privacy and the first CPO of the FTC, is the lead author of the model legislation. Marty Abrams is the IAF chief strategist. Barb Lawler, IAF COO, brings two decades of experience in leading CPO offices. The three of them are ready and willing to engage in a dialog on the FAIR and OPEN USE ACT.