Ten Principles for a Revised US Privacy Framework

Similar documents
ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

Pan-Canadian Trust Framework Overview

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

March 27, The Information Technology Industry Council (ITI) appreciates this opportunity

ITI Comment Submission to USTR Negotiating Objectives for a U.S.-Japan Trade Agreement

Ethics Guideline for the Intelligent Information Society

What does the revision of the OECD Privacy Guidelines mean for businesses?

Digital Identity Innovation Canada s Opportunity to Lead the World. Digital ID and Authentication Council of Canada Pre-Budget Submission

Data Protection and Privacy in a M2M world. Yiannis Theodorou, Regulatory Policy Manager GSMA Latam Plenary Peru, November 2013

EXPLORATION DEVELOPMENT OPERATION CLOSURE

APEC Internet and Digital Economy Roadmap

What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012

The ALA and ARL Position on Access and Digital Preservation: A Response to the Section 108 Study Group

Privacy Policy SOP-031

TOOL #21. RESEARCH & INNOVATION

ICC POSITION ON LEGITIMATE INTERESTS

Submission to the Productivity Commission inquiry into Intellectual Property Arrangements

BSA COMMENTS ON DRAFT PERSONAL DATA PROTECTION ACT

International Seminar on Personal Data Protection and Privacy Câmara Dos Deputados-BRAZIL

Updating Data Protection: Part I -- Identifying the Objectives

Draft executive summaries to target groups on industrial energy efficiency and material substitution in carbonintensive

Executive Summary Industry s Responsibility in Promoting Responsible Development and Use:

The 45 Adopted Recommendations under the WIPO Development Agenda

About the Office of the Australian Information Commissioner

A CALL TO (H)ARMS: THE CRY FOR HARMONIZATION OF SECURITY AND PRIVACY LAWS

National approach to artificial intelligence

the Companies and Intellectual Property Commission of South Africa (CIPC)

RECOMMENDATIONS. COMMISSION RECOMMENDATION (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

WIPO Development Agenda

Protection of Privacy Policy

Committee on the Internal Market and Consumer Protection. of the Committee on the Internal Market and Consumer Protection

Details of the Proposal

Encouraging Economic Growth in the Digital Age A POLICY CHECKLIST FOR THE GLOBAL DIGITAL ECONOMY

Effective Data Protection Governance An Approach to Information Governance in an Information Age. OECD Expert Consultation Boston October 2016

Section 1: Internet Governance Principles

The EFPIA Perspective on the GDPR. Brendan Barnes, EFPIA 2 nd Nordic Real World Data Conference , Helsinki

Enforcement of Intellectual Property Rights Frequently Asked Questions

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

Global citizenship at HP. Corporate accountability and governance. Overarching message

Re: Examination Guideline: Patentability of Inventions involving Computer Programs

Fostering Seed Innovation

PROGRAM CONCEPT NOTE Theme: Identity Ecosystems for Service Delivery

WHO Regulatory Systems Strengthening Program

Digital transformation in the Catalan public administrations

A Guide for Structuring and Implementing PIAs

Some Regulatory and Political Issues Related to Space Resources Exploration and Exploitation

The Role of the Intellectual Property Office

Japan s FinTech Vision

SMART PLACES WHAT. WHY. HOW.

APEC PRIVACY FRAMEWORK

BSA Submission on TRAI Consultation Paper on Privacy, Security and Ownership of the Data

Standards and privacy engineering ISO, OASIS, PRIPARE and Other Important Developments

Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability

Global Trade and Personal Data Flows Are the Rules of Engagement Incompatible with Privacy?

TABLE OF CONTENTS OUR MISSION OUR MEMBERS OUR PLAN C_TEC S PRIORITIES WORDSMITH + BLACKSMITH

Introduction. digitalsupercluster.ca

How Explainability is Driving the Future of Artificial Intelligence. A Kyndi White Paper

Food Product Standards to Support Exports

TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV

Digital Government and Digital Public Services

IN THE MATTER OF 2013 SPECIAL 301 REVIEW: IDENTIFICATION OF COUNTRIES UNDER SECTION 182 OF THE TRADE ACT OF Docket No.

The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence

Enabling ICT for. development

ARTICLE 29 Data Protection Working Party

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability

GLOBAL RISK AND INVESTIGATIONS JAPAN CAPABILITY STATEMENT

Advancing Health and Prosperity. A Brief to the Advisory Panel on Healthcare Innovation

RBI Working Group report on FinTech: Key themes

SLAVERY AND HUMAN TRAFFICKING

clarification to bring legal certainty to these issues have been voiced in various position papers and statements.

INTRODUCTION TO THE RESULTS OF THE IMO PUBLIC CONSULTATION ON ADMINISTRATIVE REQUIREMENTS IN MARITIME REGULATIONS

Seminar on Consultation on. Review of the Personal Data (Privacy) Ordinance. Why the review is being conducted and what this means to you

Government Policy Statement on Gas Governance

Climate Change Innovation and Technology Framework 2017

#Renew2030. Boulevard A Reyers 80 B1030 Brussels Belgium

A/AC.105/C.1/2014/CRP.13

2

EU-GDPR The General Data Protection Regulation

December 7, RE: RIN 1994-AA02 (Proposed revisions to 10 CFR Part 810) Dear Mr. Goorevich,

ESEA Flexibility. Guidance for Renewal Process. November 13, 2014

E Distr. LIMITED E/ESCWA/TDD/2017/IG.1/6 31 January 2017 ENGLISH ORIGINAL: ARABIC

ONR Strategy 2015 to 2020

A stronger system to protect the health and safety of Canadians. Exploring the Future of the Food Regulatory Framework Under the Food and Drugs Act

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

Science Impact Enhancing the Use of USGS Science

Q1 Under the subject "Future of Work and the New Economy", which topics do you find important?

USTR NEWS UNITED STATES TRADE REPRESENTATIVE. Washington, D.C UNITED STATES MEXICO TRADE FACT SHEET

SMART CITY VNPT s APPROACH & EXPERIENCE. VNPT Group

FinTech, RegTech and the Reconceptualization of Financial Regulation. Douglas W. Arner, University of Hong Kong Ross P. Buckley, UNSW Sydney

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009

ENABLERS FOR DIGITAL GOVERNMENT: A DATA DRIVEN PUBLIC SECTOR

Establishing a Development Agenda for the World Intellectual Property Organization

Ministry of Justice: Call for Evidence on EU Data Protection Proposals

Government s Response to the Fourth Industrial Revolution CONSUMER GOODS COUNCIL OF SOUTH AFRICA ( CGCSA ) ANNUAL SUMMIT 2018

An Essential Health and Biomedical R&D Treaty

IV/10. Measures for implementing the Convention on Biological Diversity

1 What is Standardization? 2 What is a standard? 3 The Spanish Association for Standardization, UNE

CUSTOMER SOLUTIONS SMART COMMUNITIES. Exploring the Electric Company Role in Smart Communities

15890/14 MVG/cb 1 DG G 3 C

Canadian Health Food Association. Pre-budget consultations in advance of the 2018 budget

Transcription:

Ten Principles for a Revised US Privacy Framework Our economies and societies are in the midst of the 4 th industrial revolution, with digitalization and datafication transforming the way we live, work and interact. This transformation has brought into sharp focus the question of how we should regulate data use, governance and privacy to enable us to reap the benefits of data driven innovation while mitigating the risks associated with ubiquitous and massive data use. In response, many countries have updated or are in the process of updating their data privacy laws and frameworks. Some are introducing data protection and privacy requirements for the first time. The US has long regulated data in specific sectors. More recently, the US has started to follow the path toward generally applicable data protection regulation with the passage of the California Consumer Privacy Act (CCPA) in 2018, similar legislative proposals in other states and numerous proposals for a comprehensive federal privacy law by various groups, including federal legislators on both sides of the political spectrum. The Centre for Information Policy Leadership (CIPL) believes that the use of personal information and privacy can be most effectively regulated at the federal level. Thus, the present paper focuses on principles for a potential US federal privacy law. This federal law should have the dual objectives of providing appropriate privacy protections for consumers and enabling the digital economy and innovation to ensure US leadership and competitiveness. CIPL believes that the following principles will help ensure that these dual goals are met. 1. Accountability Accountability is a key building block of modern data protection. It requires organizations to: take necessary steps to implement applicable data protection requirements or other privacy standards through comprehensive privacy programs; and be able to demonstrate such implementation on request. A US law should require organizations to implement such accountability-based comprehensive privacy programs, either independently or through formal accountability schemes such as codes of conduct and certifications (e.g. APEC CBPR), that cover the full range of the necessary elements of accountability leadership and oversight; risk assessment; policies and procedures; transparency; training and awareness; monitoring and verification; and response and internal enforcement. The law should also positively incentivize organizations to implement accountability-based privacy programs that go above and beyond minimum requirements. Such incentives should include using demonstrated accountability as a mitigating factor in enforcement. Further, personal information transferred across borders should be encouraged to support global markets but also protected by holding the originating organization accountable for requiring the continued protection of data as it flows across the border. 2. Risk-based Approach Harm prevention has been a key focus of privacy regulation in the US to date. A risk-based approach to privacy facilitates this focus on harm as it requires organizations to assess the risks of harm to individuals and the benefits that are associated with the specific uses of personal information. It also enables risk mitigations that are tailored to the specific risk/benefit assessment. This approach places the burden of protecting consumers directly where it belongs on organizations using personal information. The revised US privacy framework should be based on a flexible risk-based approach that enables 1

calibration of legal requirements and compliance measures to the actual risks to individuals associated with any given uses of personal information. This approach will also help smaller organizations and startups avoid unnecessary administrative burdens by allowing them to scale and calibrate their compliance based on risk to consumers. It also ensures that the law is technology-neutral and future proof, as an appropriate risk/benefit assessment process can be applied to any current and future technology, data use and business practice. The law should also enable the relevant federal privacy regulator(s), such as the Federal Trade Commission, to develop guidelines on what types of risks should be considered. 3. Innovative and Contextual Transparency Informing individuals about what happens with their data is essential for building trust in the digital economy. However, in modern digital contexts, individuals are often provided with overly complex, legalistic and long privacy notices that are effectively meaningless. Revising the US privacy framework offers the opportunity for setting a new standard for transparency that is user-centric, contextual and tailored towards specific data uses and audiences, including both push and pull models, proactive notices and on-demand information. There should be an obligation to provide basic information to individuals where data uses, recipients and broader purposes of processing may not be obvious to individuals, along with essential information about any choices that may be available, complaint and redress options, who to contact for more information, etc. Organizations must be allowed the flexibility to provide any additional transparency based on the context of the envisioned data uses in a layered and user-centric format. 4. Individual Empowerment Empowering individuals to participate in the decisions about how their personal information is used and through access and correction rights has formed part of the US approach to privacy from the start. Choice and consent have also played a prominent role in attempting to give individuals control over their information. Empowering individuals in today s digital landscape is vastly different from the time when these concepts were introduced. A new US law should include a robust set of individual rights, and choice and consent should remain available in contexts where they are effective and appropriate. In today s complex data economy and our digital lives, individual participation through consent will no longer be effective or appropriate in many contexts. Failing to distinguish between situations where choice and consent are effective and where they are not will lead to consent fatigue and the illusion of empowerment. Real empowerment for consumers can be delivered through other accountability measures, such as riskbased protections by the organizations, the requirement to demonstrate accountability measures, anonymization or de-identification of personal information, complaint handling and redress mechanisms, as well by individuals rights of access, correction, objection and erasure, where appropriate. 5. Controller/Processor Distinction It is important to distinguish between the obligations of controllers that collect and determine the uses of personal information and processors, typically vendors or service providers, that provide some service with respect to personal information on behalf of controllers. This distinction is important for at least two reasons: It will eliminate confusion around the respective statutory requirements applicable to controllers and processors. Controllers typically determine the permissible uses of personal information and are 2

responsible for ensuring compliance with all legal requirements pertaining to the processing of data. Controllers are typically the ones that have the direct relationship with individuals. Processors typically process personal information to provide a specific service to and on behalf of controllers pursuant to a contract that defines their obligations. If processors use data for their own purposes, they become controllers in their own right. Processors only act on behalf of controllers and follow the requirements specified by controllers. Controllers are responsible for complying with all substantive requirements set forth in a privacy law, including requirements relating to permissible uses of data, individual rights such as access and correction, as well as notice and choice requirements. The direct statutory requirements on processors are typically limited to ensuring reasonable data security and to implementing the relevant contractual requirements specified by the controllers. It is the prevailing global practice to distinguish between and specify controller and processor obligations in data privacy laws. Some US sectoral laws, such as HIPAA, also recognize the distinction. Many organizations are increasingly exposed to these concepts and have learned to work with them and address them both contractually and in privacy compliance program controls. This is especially true given the global nature of IT services and cloud computing technology and providers. Following a similar approach in the US would enhance global interoperability. More importantly, it would help streamline and rationalize the compliance efforts by multinational and other organizations (including many IT and technology service providers in the US) and prevent overlapping and conflicting compliance efforts by controllers and processors. It would also avoid confusion and legal uncertainty that could lead to ineffective protections and diminished trust in the digital economy and, more specifically, in cloud and AI services. However, it is important that the controller/processor distinction is adaptable to the specific contexts of data processing, including contexts where the distinction may not apply. 6. Global Interoperability Rapid globalization and increase in digital trade have resulted in unprecedented volumes of data traveling or being accessed across borders and a plethora of national legislation designed to protect data that leaves its location of origin. In addition to harmonizing its domestic privacy legislation, the US should design its revised privacy framework in a way that harmonizes as much as appropriate with key concepts in major non-us privacy laws to maximize interoperability between different legal and privacy regimes. Global interoperability facilitates the responsible movement of data beyond borders, streamlines business, reduces the costs of implementation and delivers efficiencies in compliance across regions, thus supporting the continued growth of the digital ecosystem and the effective and beneficial use of personal data. Interoperability does not require implementing the same law in every country. Each country must be able to approach legislation based on its own priorities and legal traditions. Thus, adopting a verbatim version of the European Union s General Data Protection Regulation (GDPR) would not be appropriate. For example, US First Amendment principles and traditions may mean that the US should consider a unique approach to regulating data found in public government records or other publicly available data. Similarly, a new US privacy framework should not undercut data uses that may rely on personal information to actually protect consumers and the public interest, such as by furthering the fight against financial crimes, identity theft, modern slavery and other crimes. It also should not undercut the ability to innovate and to generally use data beneficially. 3

7. Supportive of Responsible Innovation Any revised privacy framework should support and reward responsible innovation that takes into account privacy issues, effectively manages the associated risks and ensures that data is used in an accountable way. The US is a world leader in innovation. Its revised framework must ensure the US s continued ability to lead through flexible and technology-neutral measures and requirements that remain relevant and effective as technology, data uses and business practices evolve. It must not impose unnecessarily restrictive rules on any particular types of technology, such as artificial intelligence or machine learning, and it must facilitate the use of data for the benefit of both society and individuals. 8. Oversight and Smart Regulation Ideally, there should be a single, appropriately resourced federal regulator responsible for regulatory oversight and enforcement under a federal US privacy law. That regulator could be an existing federal agency such as the Federal Trade Commission (FTC), which has deep expertise and experience with privacy oversight. In addition, State Attorneys General should play a role in enforcing this law, subject to FTC leadership, guidance and coordination to ensure consistency. In enumerating regulatory powers and obligations under a new framework, the law should place emphasis on and prioritize regulatory leadership and engagement and collaboration with organizations ahead of enforcement, for instance, through incentivizing organizational accountability and the development of innovative regulatory policy. With respect to incentivizing accountability, both lawmakers and regulators must reward accountable organizations that are able to demonstrate their commitment to and implementation of comprehensive privacy management programs, including through formal certification schemes or by participation in codes of conduct. The regulatory incentives can range from using demonstrated accountability as a mitigating factor or safe harbor in enforcement contexts, to reducing certain regulatory burdens by providing license to engage in broader beneficial data uses, to public recognition of best in class practices, to using demonstrated accountability as evidence of due diligence in the contexts of selecting service providers and vendors or of government procurement contracts, among many other possible incentives. Furthermore, regulatory oversight and enforcement agencies should be specifically encouraged to develop innovative regulatory policies and methodologies that are more appropriate to the agile and fastpaced nature of the subject that they regulate. These can include regulatory sandboxes, iterative compliance reviews and collaborative co-regulation. 9. Effective Enforcement While a new federal privacy framework should include sensible and meaningful penalties for violations, the law should enable and prioritize alternative approaches to traditional enforcement. Extreme and disproportionate penalty levels may have the unintended consequences of chilling innovation and encouraging selective punishment. The alternatives can be various forms of constructive engagement and collaboration between regulators and industry (see Oversight and Smart Regulation above) to identify potentially problematic products, services and business practices and the ability for regulators to issue orders mandating outcomes to be achieved, with fines being reserved for the most serious violations. Even then, penalty processes and fines should be proportionate to the harm, take into account company size (employees, revenue, profits, etc.), be reduced or mitigated for demonstrated accountability and compliance efforts, and should only be a last resort to deal with negligence, willful or systematic failures. 4

10. Comprehensive and Harmonized Framework The US should craft an approach that will capitalize on the large US digital market and that provides regulators and organizations with consistent rules and legal certainty, as well as uniformly strong privacy protections to consumers, irrespective of the state or industry. A harmonized framework must aim to preempt a patchwork of inconsistent state laws and thereby avoid a balkanized approached to US data regulation which could burden innovation directed at the US digital market, hamstring SMEs and new market entrants, as well as undermine consistent privacy protections for consumers. That framework should provide comprehensive baseline privacy protections applicable to all industries and, where appropriate, amend or replace existing inconsistent federal privacy laws, particularly where such existing laws fall below the new baseline. In expanding privacy protections, the US should thus depart from its traditional sectoral focus in privacy and develop a comprehensive horizontal framework that regulates data use consistently across industries, with appropriate exceptions, as information is increasingly crosssectoral and data-driven innovation is premised on the ability to use data sets from different sectors. If you have any questions or would like additional information about the above principles, please contact Bojana Bellamy, bbellamy@huntonak.com; Markus Heyder, mheyder@huntonak.com; Nathalie Laneret, nlaneret@huntonak.com; or Sam Grogan, sgrogan@huntonak.com. CIPL is a global data privacy and cybersecurity think tank in the law firm of Hunton Andrews Kurth LLP and is financially supported by the law firm and 74 member companies that are leaders in key sectors of the global economy. CIPL s mission is to engage in thought leadership and develop best practices that ensure both effective privacy protections and the responsible use of personal information in the modern information age. CIPL s work facilitates constructive engagement between business leaders, privacy and security professionals, regulators and policymakers around the world. For more information, please see CIPL s website at http://www.informationpolicycentre.com/. Nothing in this submission should be construed as representing the views of any individual CIPL member company or of the law firm of Hunton Andrews Kurth LLP. 5

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback