I will be commenting in a number of brief posts. This is comment 1, relative to the Findings, which are important to set the context for the bill language.
In looking at developing a federal privacy framework, it is crucial to consider that we are in a transitional period, where we are moving through the fading end of the 25 or so years of the first Internet era, which was about the Internet as a General Purpose Technology. This period of time saw the US, and other jurisdictions, moving at various rates from an analog world to a digital world. The data laws enacted during this time reflect early growth pains; for example, some of the first identity theft regulations and data breach regulations at the state level were passed as all of us learned about some of the risks of digitized identity and other data. The laws addressed emerging risks in a fairly straightforward way.
Today, choosing the right framework means something different than it did 25 years ago. The right framework will enable the US to be competitive during the era that is arriving in a quick but uneven tide. This era is hallmarked by a rich, highly complex fusion of major trends such as AI and its subsets, including biometrics, large data sets and predictive analytics, Internet of Things, mobile, cloud, and fully digital identity ecosystems. The arriving era will be about deep digital transformation, which goes beyond mere digitization of data sets. We are standing at that junction right now.
This junction requires a different approach, because regulations need to address a nexus of transformational forces that are unruly and high-velocity. Legislative frameworks chosen today will determine outcomes of the next 25 years. To be effective, the right framework needs to do several things simultaneously.
- Knowledge Governance needs to be ongoing and iterative, and needs to identify and mitigate a complex and evolving array of risks. Risks should be assessed continually in a continual benchmarking of established rules against reality, and constant adjustment should be allowed based on actual feedback. This is modern knowledge governance.
- All stakeholders need to be involved in the conversation about shared resources, such as data and knowledge, and have appropriate power in the conversation.
- Governance, to be effective in a fusion environment, needs to be collaborative. The fusion of complex ecosystems creates pooled resources, including data and knowledge; knowledge governance frameworks are inclusive of data protection frameworks, but are several steps beyond them in complexity. This complexity requires collaboration, not command-and-control approaches. In a collaborative framework, the structure can be set to allow for all stakeholders to achieve a win. Knowledge governance does not need to make a corporation or a user “lose” in order for another stakeholder to achieve a fair result.
- To this end, corporations need to act responsibly as stewards of a shared data resource, in which end users often have a stake.
- Individual users need to have agency to empower them to participate in data decision making, where appropriate. There needs to be a give and take with common pool resources. This can happen where treatment is fair, and outcomes are unbiased and checked for risks.
- There is a role for government, particularly in enforcement. This should be spelled out and should have clear checks and balances.
Addressing Intel’s proposed federal framework Findings section, the contextualization of the legislation which outlines roles and duties for stakeholders is a positive contribution to the debate. The key is to involve all stakeholders, giving agency where possible and appropriate. Data control only works in a collaborative environment where all of the stakeholders are cooperating. All parties need to have a horse in the race to stay engaged.
Here, in Intel’s Findings, corporations are given explicit responsibilities and duties. Users are given agency. I would like to see language around corporate responsibility for knowledge governance explicitly, versus just data protection. I would increase the details about this idea in the draft legislation. But overall, it is a correct thing that corporations take responsibility for a shared resource and manage it with care. It is also a good direction that the draft sets out to facilitate individuals’ control over their personal data and enable them to participate in decision-making regarding the processing of their personal data.
A key recommendation for the Findings section is to include a graph about the role of government stakeholders. For example, a finding that government stakeholders play a role in enforcement.
A key aspect of the Findings that creates a framework that begins to take a step into the coming world is both the approach to empowering stakeholders, and also the architecture of identifying, assessing, and mitigating privacy risk on an ongoing basis. I would broaden this ongoing risk analysis to knowledge governance, which is inclusive of privacy and allows for a broadened approach to privacy.