The 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) will take place in late October in Tirana, Albania. The ICDPPC is a conclave of enforcement agencies seeking the means to create commonalities in a world where data flows ubiquitously. ICDPPC will explore a key dilemma that challenges the growing community of data protection authorities and their constituencies in civil society, academia and business. In particular, one of the sessions will explore the expanding observational ecosystem, where data equals power, and whether and how the key accountability concepts necessary to drive ethical data use are truly enforceable. This discussion highlights the tension between hard law – that expressed in statutes and regulations – and soft law – that expressed through guidance.
To be perfectly clear, leading an entity called the Information Accountability Foundation (IAF), I have a prejudice for soft law – for policy that guides accountability processes that drive legitimate, responsible, answerable data use. Accountable organizations must make data driven decisions that are legal, fair and just. To achieve legality, one needs enforceability. Enforceability may not be needed to drive trustworthy behavior at all organizations, but it is a necessary prerequisite for trust in ecosystems where organizations have varying motivations.
So, what drives enforceability? Enforceability is driven both by mandated obligations designed to achieve processing that is fair as well as legal and by agencies that have authority to enforce those obligations. The IAF has put forward fair processing legislation in the United States that defines new obligations and balances the interests of stakeholders but also creates the authority to enforce those obligations. Similar legislative debates are being held in other jurisdictions. Still other countries are exploring guidelines so that there is definition on how organizations should make reasoned and responsible decisions even as they stretch the mandate of legacy law.
The European General Data Protection Regulation (GDPR) requires accountability processes such as data protection officers (responsible parties), privacy by design, data protection impact assessments, and balancing interests when legitimate interest is used as a legal basis to process personal information. However, European hard law will be challenged by the Internet in Things (yes in) and, for example, its ties to health research and practice. So soft law, where there are already mechanisms for it in the GDPR, will play a role in achieving legal, fair and just processing in ecosystems where the Internet in Things and Artificial Intelligence (AI) will play massive roles. This may be soft law, but there is the authority to enforce in the GDPR. It is soft law in that an obligation for process is mandated but the description of the process is not mandated. That description must be driven by the context of the processing to be conducted. In effect, soft law can and should be enforceable.
There are countries, such as Mexico and Canada, where accountability is contained in the law, but typically, accountability is described through guidance rather than firm structures in the law. The IAF has found, on average, Canadian businesses have better institutionalized accountability structures because of regulator guidance, even though enforcement powers as related to accountability are not mandated by the law. Furthermore, Hong Kong and Singapore are using accountability to give guidance on behavior related to AI.
So, one has hard law in Europe in terms of requiring the structures for accountability, and soft law in other jurisdictions that present a clear picture for accountable processes. We have much to learn from the entire data protection and privacy regulatory community.
As we enter the debate that will take place in Tirana, I, as a member of the debate, will stipulate that the obligation for both basic and advanced accountability processes, and the ability to enforce related to those processes, should be part of the hard law and that they should not be overly prescriptive. Specifically, this obligation should be part of the laws that enhance human kind by protecting us from both inappropriate processing and the absence of processing. I would also suggest that the laws need to create the space for processing that is ethical but can’t even be anticipated by today’s law makers.
The IAF, along with the OECD and CIPL, is organizing a side event in Tirana on building the ground rules for Accountability 2.0. When the IAF talks about accountability 2.0, it is referring to the added accountability elements such as stated organizational values, assessment processes that include defined stakeholders, risks and benefits for those same stakeholders, and controls that facilitate both internal audits and external validation as key components. The session will begin the next stage of debating enforceable soft law to protect the interests of people.
I am so looking forward to this discussion at the ICDPPC.