Bojana Bellamy and Markus Heyder consider the role that the concept of enhanced accountability can play in creating a sustainable data-driven economy and information society. Bojana is one of the speakers at the IFCLA Conference on the topic ‘Data Protection – Compliance in a Heavily Regulated Environment’.
In the modern information age of Big Data, the Internet of Things and cloud computing, new data-driven products and services are enabling scientific and societal developments at a rapid pace and are the key drivers of economic growth. Our digital information society depends and thrives on the ability to generate, collect, aggregate, link and use information, including personal data, through increasingly complex technologies and global processes. Understanding how our personal information is being used in this environment is becoming increasingly difficult if not impossible for the average person. Thus, expecting individuals to take an active role in deciding how their personal information is used in all instances is increasingly unrealistic.
Yet, data protection and privacy are important societal norms and in many countries fundamental or constitutional rights. Individuals must have confidence and trust that their data are being used responsibly and that use is consistent with these norms and rights. Thus, where still possible, individuals must be empowered to make informed decisions that relate to the use of their personal data. Where they can no longer control each particular use of their personal information in this new environment, other protections and mechanisms must be put into place that create the necessary confidence and trust among the public and regulators that personal information is being used responsibly and for purposes that are beneficial to individuals or society.
The existing concept of 'organisational accountability' goes a long way to enable this public trust and the responsible use of data. Indeed, organisational accountability has become a key building block of modern privacy law and policy and is being implemented by enlightened global organisations in their corporate privacy and information management programs. However, to fully realise its potential as the basis for enabling and legitimising modern data uses, the core elements of organisational accountability need to be further developed and supplemented with additional elements, as further described below.
This 'enhanced accountability' will provide the necessary tools to empower and protect individuals with respect to the use of their personal data, through informed consent where possible and appropriate, and through other mechanisms where necessary and appropriate. It will give organisations the tools to take full responsibility for mitigating the harmful impacts of the technologies they deploy, especially in the increasing number of circumstances in which individuals can no longer do so themselves. It will enable a sustainable virtuous cycle of lawful and ethical data collection and responsible and beneficial data use, as well as a data cycle that treats individuals, society and organisations more like partners and joint beneficiaries in this exchange. Indeed, the more organisations adopt a culture of responsible data use and demonstrate a commitment to this enhanced accountability, the more they will be able to innovate, use data productively and drive benefits to individuals and society at large. However, regulators and policymakers must also provide incentives for organisations that implement enhanced accountability and allow the organisations to leverage these additional responsibilities to pursue the multitude of reasonable, beneficial and innovative uses of data available in the modern information age.
II. The Accountability Landscape
The origin of the accountability principle lies in the requirement for organisations to protect and be accountable for the protection of the personal information they collect and use regardless of whether the information stays within their organisation or is shared with third parties, including across borders. In other words, under the concept of accountability, the protections that apply at the point of collection flow with the information, regardless of where it goes, and the organisations that collected the information remain responsible to ensure that such protections continue to be applied.
Organizational accountability already has become a key building block of modern privacy protections in the form of corporate privacy management programs, codes of conduct, corporate rules and cross-border privacy rules. It is also included in an increasing number of laws, not least the recently enacted GDPR, and in legislative proposals and regulatory guidance. Finally, it is being implemented by multinational companies regardless of specific external legal requirements.
Organizational accountability essentially entails the implementation by companies of comprehensive privacy management programs that implement external privacy standards (such as laws or codes of conduct) or internal privacy policies. The traditional core elements of such accountability programs include (1) leadership and oversight, (2) risk assessment, (3) policies and procedures, (4) privacy by design, (5) transparency, (6) training and awareness, (7) monitoring and verification and (8) complaint handling and enforcement. In GDPR terms, these core elements of accountability are 'technical and organisational measures' that 'ensure' and help 'demonstrate' that an organisation's data processing activities are in compliance with applicable requirements.
III. Creating Future-oriented and Responsible Data Management Programs Through Enhanced Organisational Accountability
To fully realize the potential of organisational accountability in the context of Big Data and other modern information uses, the core elements of organisational accountability need to be further developed and perhaps supplemented with additional elements. These include:
1. New transparency
Transparency has always been an essential element of accountability and has been implemented, primarily, through traditional privacy policies and notices. Such policies and notices will continue to be available and helpful to individuals in certain contexts. However, in the modern information age, technological developments and the ever-proliferating new uses of information will always outstrip the ability of individuals to understand fully how and by whom their information is being used. This reality requires a new application of transparency that extends beyond its traditional function of providing legal notice of specific uses.
New transparency will have to focus on the bigger picture and effectively explain the general value exchange between individuals that provide the data and the organisations that use their data. It will have to explain the value of unexpected, out-of-context and non-obvious future beneficial uses of information. New transparency must also explain how the organisation will protect individuals against any potential risks associated with such uses and give them the confidence that they can go about their lives in our digital society without having to burden themselves with detail and daily decisions about the potential uses of their personal information.
Organisations have already experimented with better transparency over the past years, for example by making legally required notices more user-friendly through layered notices, informational videos and other means. A shift towards new transparency suitable for the modern information age will empower organisations to continue to refine their transparency mechanisms, for example through innovative and user-friendly methods embedded in the technology itself, or through dashboards, portals, interactive apps and other mechanisms. In an era when there will be less opportunity for consent and individual control and more reliance on organisations to protect the individual without his or her input, new transparency is essential for creating the public trust that will enable this shift.
2. Better risk assessment
Risk management and the need to assess, understand and mitigate privacy risks to individuals is an integral part of organisational accountability. Risk management is becoming even more important in the era of Big Data and the IoT, as it enables organisations to achieve and go beyond privacy compliance while also enabling the beneficial uses of data. From formal privacy impact assessments and privacy by design for new products and services to consideration of risk and harm to individuals when deciding on appropriate security measures or whether to notify a data breach, organisations need to understand and weigh the benefits to the individual and society of proposed data processing as well as any risks to individuals. This is essential in order to implement and prioritise effective privacy protections and compliance measures internally. As such, risk management is one of the most important elements of organisational accountability. However, to fully realise this function of risk management, consistent and universally accepted methodologies for identifying and assessing both the benefits and risks of processing and for determining the appropriate mitigations and controls still remain to be developed.
3. Fair processing
Fair processing has been a stand-alone data protection principle in many data privacy laws in Europe and beyond. For example, under the EU Data Protection Directive, the first principle of data processing is that data must be 'processed fairly and lawfully'. In practice, however, the interpretation and implementation of the 'fair processing' principle has often been limited to providing privacy notices to individuals. Fair processing goes beyond providing privacy notices.
In its 2014 report on Big Data and data protection, the UK Information Commissioner's Office elaborated on the concept of fair processing in the context of Big Data. The report suggests that organisations should consider factors such as whether the proposed use of data was known or reasonably 'expected' by individuals, whether it may result in 'drawing conclusions or making decisions about individuals', whether individuals were deceived or misled about how their data will be used, the impact of the proposed processing on the individual and the integrity and accuracy of data.
In the USA, section 5 of the US Federal Trade Commission Act prohibits 'unfair' business practices. Under the FTC's unfairness standard, business practices are unfair if they cause substantial consumer injuries that are not reasonably avoidable by consumers and not outweighed by countervailing benefits to consumers or competition.
Regulators and privacy practitioners in accountable organisations should refocus on this important principle of 'fairness' and develop policies and procedures that operationalise it consistently throughout their organisations. The implementation of this principle will become tremendously helpful in the age of Big Data when enhanced accountability by organisations can be used to legitimise data uses in contexts in which individual consent is not possible or practicable.
4. Data ethics
There is an increasing recognition that decisions on whether and how to process information must occur with reference to an appropriate ethical framework. This notion is encapsulated in the recent opinion of the European Data Protection Supervisor (EDPS) titled 'Towards a new digital ethics', in which the EDPS calls for 'developing an ethical approach to data protection' and announces the creation of an 'Ethics Advisory Board' that will 'help define a new digital ethics'. Of course, regardless of how the exploration of data ethics as well as this particular initiative develop, the elements of accountability and the tools for ethical decision-making on information uses will likely interrelate and overlap in many ways. For example, ethical considerations may be part of privacy by design or impact what harms we consider and how we weigh them in any privacy risk assessment, influence our selections of mitigations and controls, and inform our assessments of the benefits of specific data uses.
An organisation that adopts and demonstrates its commitment to enhanced accountability is sending a clear signal on its commitment to data privacy and security. This is partly a matter of policies, procedures and practices but also a matter of culture, brand and reputation and how the organisation wants to be perceived by its customers, suppliers, employees, investors and regulators. There is no 'one-size-fits-all' formula for implementing this next generation of accountability. Each organisation must find its own way to embed, implement and communicate its approach to organisational accountability and the responsible use of information.
IV. Enhanced Accountability as Enabler of a Sustainable Digital Society and Economy
To better understand the benefits of organisational accountability, it helps to examine not only its essential elements, but also its specific 'deliverables'. What does it get us? What does it deliver?
There are at least six such 'deliverables,' all of which are essential for creating a sustainable digital society and economy:
1. Accountability as an 'Interoperability Bridge' and Enabler of Cross-Border Data Flows
Accountability can bridge between different legal regimes and enable cross-border data flows in two ways.
First, a company's internal accountability program allows it to align its privacy policies and practices with the various requirements of the different countries in which it does business. The company thus creates a practical bridge between different legal requirements by setting a uniform and high level of privacy protections for the company across multiple countries or even globally.
Second, certain existing certified accountability schemes, such as the EU Binding Corporate Rules (BCR) and the APEC Cross-Border Privacy Rules (CBPR), are designed to meet an agreed privacy standard of multiple countries and to serve as a recognized cross-border transfer mechanism in countries whose laws include data transfer restrictions.
2. Accountability as an Enabler of Legal Compliance
Implementing an accountability-based program, whether certified or not, helps companies ensure and prove local law compliance because such programs are consistent with or implement local legal requirements.
3. Accountability as an Enabler of Proactive Privacy Protections
Accountability-based programs also create an infrastructure for organisations to proactively implement strong and effective privacy protections for individuals that in some instances even go above and beyond applicable legal requirements, including in contexts in which no privacy laws exist at all. For example, many accountable organisations voluntarily apply internal security breach reporting and response practices even in countries where there is no legal requirement to notify the breaches. Similarly, some organisations voluntarily extend the right of access to all their customers and employees, even when there is no legal obligation to do so. Finally, some organisations might certify to the APEC CBPR even in countries where the privacy protections of the CBPR exceed those found in any national laws.
4. Accountability as an Enabler of Trustworthy Big Data
Today's advanced technology causes much of data processing to occur outside the knowledge and awareness of the public. This reality challenges the established interpretation of traditional privacy principles that emphasize notice and consent. However, organisational accountability, when implemented correctly, will create the necessary trust among the public and regulators that organisations will process personal data responsibly even in the absence of direct individual engagement.
5. Accountability as an Enabler of Flexible Application of Privacy Principles
If they are to remain relevant in the modern information age, traditional privacy principles such as notice, consent, purpose specification and collection limitation must be open to flexible and context-specific interpretation and implementation. For example, the principle of 'notice' must be re-conceptualized to a broader vision of transparency as we described earlier. Also, where specific consent is not feasible, the European concept of 'legitimate interest' processing can be used to accomplish the same underlying goal of empowering and protecting the individual. Legitimate interest-based processing allows for processing in the absence of consent if the legitimate business reasons for processing are not outweighed by certain harms to the individual. Thus, in many modern information use contexts, the goals of traditional privacy principles of empowering individuals and protecting their legitimate privacy interests must be accomplished through broader interpretations coupled with alternative mechanisms of protection, such as privacy risk management. Accountability enables such new interpretations by providing the necessary additional mechanisms of protection.
6. Accountability as an Enabler of Regulatory Oversight
It is not surprising that privacy enforcement authorities around the world are increasingly embracing various accountability frameworks. Authorities charged with enforcing privacy laws have limited budgets and resources. Accountability schemes, such as the APEC CBPR, in which a third-party certifying organisation has front-line implementation and 'enforcement' responsibility, can augment the limited capacity and reach of data privacy authorities.
Privacy enforcement authorities also increasingly need to cooperate with their counterparts across borders. Cooperation is usually possible only when there is agreement on the underlying principle that is being vindicated. In recognized cross-border accountability schemes, that agreement is inherently present.
Moreover, privacy enforcement authorities often investigate factually complex matters. Accountability requires comprehensive written internal privacy programs and the ability to provide that information to regulators and enforcement authorities on request. This 'investigation readiness' helps both the authorities and the organisation under investigation.
In sum, implementing and adhering to enhanced organisational accountability enables effective protections of the individual and helps create the public trust necessary for a sustainable digital economy in which both innovation and privacy can thrive. However, it is important that regulators and policymakers incentivize such enhanced organisational accountability by allowing accountable organisations to leverage their implementation of accountability to pursue the full range of reasonable, beneficial and innovative uses of data that are available in the modern information age.
Bojana Bellamy is President at the Centre for Information Policy Leadership, a global information policy think tank: BBellamy@hunton.com
Markus B. Heyder is VP and Senior Policy Counselor at the Centre for Information Policy Leadership.