Category Archives: Data Policy

IAF Releases Model Legislation Summary

The California Consumer Privacy Protection Act went into effect on January 1, and a ballot initiative to update that law is slated for November.  State privacy legislation has been reintroduced in Washington state, and Nevada is following.  Privacy Shield may be overturned by the European Court of Justice, and more countries are adopting legislation that requires adequacy for transfers.  Pressure for the United States to enact comprehensive federal privacy legislation continues to accelerate, and more Congressional committees are trying to determine what type of privacy legislation should be enacted, and what would it take to break the political logjam. 

The United States needs comprehensive federal privacy legislation.  However, it needs privacy legislation that does not look backward to yesterday’s issues, but rather looks forward to the issues that will emerge in the next decade.  With that in mind, the Information Accountability Foundation (IAF) published a model bill in 2019 called the “Fair Accountable Innovative Responsible and Open Processing New Uses that Secure and Ethical Act” or the “Fair and Open Use Act.”  The linked eight-page summary  is a guide to reading the key points in that model legislation.

The model legislation is based on the core principles that organizations must be responsible stewards of data that pertains to people, so the benefits of an information age belong to everyone.  It specifies the FTC as the enforcement and oversight agency and provides the FTC with the mandate and resources to conduct both tasks.  The model bill includes individual rights but does not put the onus on individuals to enforce the law through consent and complaints.  Additionally, the model legislation:

  • Requires risk mitigations through assessments, and links the risk mitigation to five risk bands;
  • Covers all data that is personally impactful, not just personal data;
  • Defines observed and inferred data with an understanding that data is increasingly observed and created, not just collected;
  • Is globally interoperable because it requires that data can be processed only for legitimate purposes and defines those purposes; and
  • Defines the obligations of an accountable organization, and requires the organization to be demonstrably accountable

It is not the IAF’s intent to enact this model legislation; rather the IAF’s intent is to use the model language to inform the legislation that is being written by others.  The IAF wants to work with all stakeholders to enact legislation so that the benefits of the information age belong to everyone, and so that, in today’s data-driven economy, organizations are responsible stewards of personal data and are accountable for their actions.   It is the IAF’s desire to use this summary of the model legislation to open the door to understanding legislation that is first and foremost aimed at responsible use of data that pertains to us by organizations in a demonstrably accountable manner.

Please let us know what you think.

Digital Activities go Beyond Privacy and Data Protection

Sunday, November 10, the New York Times ran a story on the ability of bad persons to hide and distribute child pornography on the Internet.  Tuesday, November 12, the New York Times ran a story on a unit of Google assisting Ascension, the second largest U.S. health organization, to mine data on millions of patients… Continue Reading

The Fair Information Policy Development Vacuum

Over the past decade, policy development in the data protection field has been very robust, with some good and bad results and some results that are a muddle.  Yet, with all this activity, there still seems to be a sense that there is a policy vacuum that cries to be filled.  In the simplest terms,… Continue Reading

A great Visionary Has Died

My good friend Giovanni Buttarelli has passed away far too soon.  Giovanni was the European Data Protection Supervisor when he died on 20 August.  However, I wish to think of Giovanni as a visionary and philosopher.  You will often see Giovanni’s words quoted in IAF research papers.  Those words, “data should serve people” is more… Continue Reading

Data Driven Knowledge Creation Needs to be Protected

Our collective desire to have a space where we are free from observation is increasingly under pressure from modern technology, and our confidence that data that pertains to us will be used fairly is in a deficit mode. At the same time, data are being used to create new knowledge by gaining insights that would… Continue Reading

Evolving Ethical Data Impact Assessments

Last fall, the Information Accountability Foundation (IAF) completed work, commissioned by the Office of the Hong Kong Privacy Commissioner for Personal Data, that explored what Ethical Data Stewardship would consist of and what an Ethical Data Impact Assessment would look like. As Hong Kong Commissioner Wong so aptly put, “In order to encourage innovation in… Continue Reading

IAF Issues “Trusted Digital Transformation, Considerations for Canadian Public Policy”

Many consider Canadian privacy law as the pragmatic mid-point between European omnibus rights driven data protection and U.S. sectoral privacy laws balanced against free expression and risk of harm.  The Personal Information Protection and Electronic Documents Act (PIPEDA) is probably the cleanest translation of the OECD Guidelines into law and by extension is a principles-based… Continue Reading

Information Policy – The Transition from 2018 to 2019

The transition for information policy from 2018 to 2019 might best be characterized as out with the year of the lion and in with the year of the juiced-up lion. Further, given the complexities and tensions in play, the juiced-up lion may morph into a hybrid. 2018 came in with the heavy task of compliance… Continue Reading

Evolving Accountability to Ethical Data Stewardship – A Key Part of Wave Four Privacy Laws

In order to encourage innovation in their regions, digital information strategies are being adopted which recognize that the internet and digital technologies are transforming the world. These strategies address the needs of business, government and the public to impact the competitiveness of their country’s economy, while recognizing the protection of personal data and fair data… Continue Reading

IAF creates U.S. Privacy Framework Discussion Group

The United States is in the early stages of creating a privacy framework to govern data for the next generation. Over the past two weeks the IAF has issued blogs putting forward a framework that preserves thinking and learning with data and that is interoperable with other regimes.  We also issued a blog that placed… Continue Reading