Governance frameworks

I will be commenting in a number of brief posts. This is comment 1, relative to the Findings, which are important to set the context for the bill language.

In looking at developing a federal privacy framework, it is crucial to consider that we are in a transitional period, where we are moving through the fading end of the 25 or so years of the first Internet era which was about the Internet as a General Purpose Technology. This period of time saw the US, and other jurisdictions, moving at various rates from an analog world to a digital world. The data laws enacted during this time reflect early growth pains, for example, some of the first identity theft regulations and data breach regulations at the state level were passed as all of us learned about some of the risks of digitized identity and other data. The laws addressed emerging risks in a fairly straightforward way.

Today, choosing the right framework means something different than it did 25 years ago. The right framework will enable the US to be competitive during the era that is arriving in a quick but uneven tide. This era is hallmarked by a rich, highly complex fusion of major trends such as AI and its subsets, including biometrics, large data sets and predictive analytics, Internet of Things, mobile, cloud, fully digital identity ecosystems. The arriving era will be about deep digital transformation, which goes beyond mere digitization of data sets. We are standing at that junction right now.

This junction requires a different approach, because regulations need to address a nexus of transformational forces that are unruly and high-velocity.  Legislative frameworks chosen today will determine outcomes of the next 25 years. To be effective, the right framework needs to do several things simultaneously.

  1. Knowledge Governance needs to be ongoing and iterative, and needs to identify and mitigate a complex and evolving array of risks. Risks should be assessed continually in a continual benchmarking of established rules against reality, and constant adjustment should be allowed based on actual feedback. This is modern knowledge governance.
  2. All stakeholders need to be involved in the conversation about shared resources, such as data and knowledge, and have appropriate power in the conversation.
  3. Governance, to be effective in a fusion environment, needs to be collaborative. The fusion of complex ecosystems creates pooled resources, including data and knowledge; Knowledge governance frameworks are inclusive of data protection frameworks, but are several steps beyond them in complexity. This complexity requires collaboration, not command and control approaches. In a collaborative framework, the structure can be set to allow for all stakeholders to achieve a win. Knowledge governance does not need to make a corporation or a user “lose” in order for another stakeholder to achieve a fair result.
    1. To this end, corporations need to act responsibly as stewards of a shared data resource, in which end users often have a stake.
    2. Individual users need to have agency to empower them to participate in data decision making, where appropriate. There needs to be a give and take with common pool resources. This can happen where treatment is fair, and outcomes are unbiased and checked for risks.
    3. There is a role for government, particularly in enforcement. This should be spelled out and should have clear checks and balances.

Addressing Intel’s proposed federal framework Findings section, the contextualization of the legislation which outlines roles and duties for stakeholders are a positive contribution to the debate. The key is to involve all stakeholders, giving agency where possible and appropriate. Data control only works in a collaborative environment where all of the stakeholders are cooperating. All parties need to have a horse in the race to stay engaged.

Here, in Intel’s Findings, corporations are given explicit responsibilities and duties. Users are given agency. I would like to see language around corporate responsibility for knowledge governance explicitly, versus just data protection. I would increase the details about this idea in the draft legislation. But overall, it is a correct thing that corporations take responsibility for a shared resource and manage it with care. It is also a good direction that the draft sets out to facilitate individuals’ control over their personal data and enable them to participate in decision-making regarding the processing of their personal data.

A key recommendation for the Findings section is to include a graph about the role of government stakeholders. For example, a finding that government stakeholders play a role in enforcement.

A key aspect of the Findings that creates a framework that begins to take a step into the coming world is both the approach to empowering stakeholders, and also the architecture of identifying, assessing, and mitigating privacy risk on an ongoing basis. I would broaden ongoing risk analysis this to knowledge governance, which is inclusive of privacy and allows for a broadened approach to privacy.

9 comments

  1. Marc Groman
    Pam, I assume that the term “knowledge governance” is distinct from “data governance?” If yes, can you please articulate the difference? This is beyond the requirement that a company must ust maintain a comprehensive, accurate, detailed and current inventory of all of the data held by the company, as well as a complete and deep understanding of data flows, data use, and other data processing within the enterprise?

    • Pam Dixon
      Marc, yes, and thank you for your question. Data governance is a baseline, knowledge governance goes beyond data governance and is inclusive of it. I use the term knowledge governance nce because as data is evolving, it is not just raw data we need to think about anymore— data when subject to analysis can become greater than the sum of its parts and create new information and in some cases, knowledge. Knowledge governance allows us to fill this gap.

  2. Peter Swire
    Pam’s thoughtful post addresses the findings part of the draft bill. A couple observations on the current, short findings: (1) Those of us who have been working with GDPR know h GDPR know the importance of the “recitals” that come before the GDPR text. Those recitals are far more detailed than the current findings in this bill. (Brevity here makes sense given the early stages of the process.) For consideration of this draft bill, and other draft bills, I suggest the community should be considering the findings/recitals in more depth, in addition to the statutory text.

    (2) The findings currently have a very brief mention in #2 of the sorts of points that organizations such as the Chamber of Commerce currently highlight – the benefits of an information economy, innovation, etc. Going forward, if a goal is to bring more business organizations into the process, there may be ways to make those points while still highlighting and emphasizing the protection of privacy.

    (3) One contested area is the scope of First Amendment restrictions on what a U.S. government can do in the privacy area. I found the brief provision in Section 11 on this topic to be good based on my initial read.

    • Pam Dixon
      Peter, Agreed on the importance of findings — GDPR has taught us that the findings are every bit as important as the bill text. It would be beneficial for this al for this bill’s findings to have more reach and depth. I would like to see the findings take on the governance issues that might not make it into the bill text.

  3. Danny Weitzner
    I’m a big fan of legislative findings to explain broad Congressional intent — especially to address the possible First Amendment challenge as raised by Peter. However, I think it’s actually ally a really bad idea for Congress to write hundreds of recitals. It risks creating a sea of complex and possibly contradictory directions which are more likely to confuse the enforcement process. I would like to see Congress write rules as clearly as possible and then rely on the enforcement agency (the FTC) to provide guidance and explanation as needed. I’ve written about my general view on the enforcement role of the FTC in relation to the statute in another Topic (“How to make a privacy statute that will stand the test of time”). Competition law provides useful guidance here. Both the FTC and DOJ have well-established mechanisms for clarifying their interpretations of the statutes they enforce (FTC Act, Sherman Act and the Clayton Act) both with respect to specific transactions (DOJ Business Review Letters & FTC Advisory Opinions) and broader guidelines regarding areas of antitrust enforcement. Such mechanisms are much more likely to provide useful guidance over time rather than congressional findings. I don’t actually think that the FTC needs legislative authorization to do this with respect to a future privacy statute, but it wouldn’t hurt for Congress to encourage this as good practice.

    • Anne Klinefelter
      If findings are to be included, I agree that the First Amendment needs a nod so that the burden imposed is explained or justified. While calming consumers so that organizations ions can use data to innovate is getting at that point in Section 2(b), I think a direct finding about privacy harms should be included. Perhaps 2(b) could be expanded or a new 2(c) could be added to say something like:

      Use of personal data by organizations can also produce adverse outcomes for individuals including discrimination and loss of liberty and can produce societal harms including avoidance of social and commercial systems and weakening of democratic engagement.

    • Peter Swire
      Danny, I may disagree with you here somewhat. Guidance is all well enough, and the FTC gives guidance now that only sometimes gets followed. Without actual rule making power to er to clarify things, guidance alone will lead to weak protection of privacy rights over time.

      Assuming that the FTC would get rule making power, as the draft bill provides, then legislative findings may actually be useful, as they are in Europe.

      • Danny Weitzner
        I see your concern, Peter. But’s distinguish two choices: 1) findings vs. rule making, and 2) findings vs. rules-developed-by-enforcement. I did not mean to comment directly on (1), though I gh I have strong feelings about it. I was really just speaking against the assumption that Congress can guide either rule making or enforcement activity through findings. I consider these to be half-measures that are as likely to confuse as to guide. If the issue matters, then it should be written as an enforceable provision or included in the scope of rule making (even though I’m not always a fan of that).