This is a global issue, which requires global solutions. I hope our investigation provides a blueprint for other jurisdictions to take action and sets the standard for future investigations.
Democracy disrupted? Personal information and political influence 11 July 2018
Intel Corporation project to develop a U.S. privacy law
We have drafted a proposed privacy bill and have asked for both experts and the public to comment on it at http://usprivacybill.intel.com . This is an experiment in participatory democracy to use technology to bring out some of the discussion that normally happens behind closed doors and let everyone take part. I have included below some background on the project and an overview of the bill. I am interested to know what members of the list think of our proposal.
Why Pass a US Federal Privacy Law?
Effective privacy regulation is critical to allow technologies like artificial intelligence to help solve the world’s greatest challenges. The combination of advances in computing power, memory and analytics create the possibility that technology can make tremendous strides in precision medicine, disease detection, driving assistance, increased productivity, workplace safety, education and more. At Intel we are developing many of these technologies and are focused on integrating artificial intelligence capability across the global digital infrastructure. At the same time, we recognize the need for a legal structure to prevent harmful uses of the technology and to preserve personal privacy so that all individuals embrace new, data-driven technologies. At Intel we know that privacy is a fundamental human right and robust privacy protection is critical to allow individuals to trust technology and participate in society.
What the US needs is a privacy law that parallels the country’s ethos of freedom, innovation and entrepreneurship. That law needs to protect individuals and enable for the ethical use of data. As noted above, the use of data by new technologies such as artificial intelligence will help us solve some of the most vexing global problems while spurring economic growth. That ethical use of data will be critical as we use the data to train artificial intelligence algorithms to detect bias and enhance cyber security. In short, it takes data to protect data. The US needs a law that promotes ethical data stewardship, not one that just attempts to minimize harm. A non-harmonized patchwork of state legislation will cause companies to default to restrictive requirements and the result will decrease the likelihood of realizing technology’s great potential to improve lives.
How is the proposal structured?
The law uses the Fair Information Practice Principles (FIPPs) from the Organization for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The OECD FIPPs are “the Global Common Language of Privacy” and many of the privacy laws around the world are based on them. For the past few years, Intel has worked on a “Rethinking Privacy” initiative to take the OECD FIPPs and show how they can be implemented in law differently to promote the innovative and ethical use of data.
The law encourages organizations to create new mechanisms for individuals to provide meaningful consent for data use. Most uses of data will require a risk/benefit analysis that will restrict an organization from using data in a way that creates undue risk for individuals. However, in many situations, individuals may be ok with these risks, and will want to have the benefits of the use of the data. This bill encourages organizations to create mechanisms where those individuals can make informed choices.
As artificial intelligence tools are deployed across more industry sectors, it will be critical that the data used to train those algorithms has adequate diversity and volume. For example, for precision medicine, it is critical that the algorithms are trained with sufficient data from ethnic and racial minorities. This is one reason that international data flows are so important. This bill allows for the access to the data that creates better quality in the algorithms, while also requiring organizations to measure that data quality and adjust for any deficiencies.
It is critical that organizations state their purposes for collecting and processing data. The law makes clear those purposes must be described narrowly and specifically.
Our proposal requires organizations to analyze the risks and benefits from the use of data. It also requires organizations to control the uses of data from the entities to which it transfers data.
The bill requires organizations to adopt reasonable measures to protect personal data.
It is critical to understand when organizations have data, and for the individuals to whom that data relates to have an ability to object when that data is either incorrect or when its use will disproportionately cause harm.
The law encourages organizations to implement robust privacy programs that will decrease the risk of data misuse and security breaches.
How will the law be enforced?
Robust, harmonized and predictable enforcement is necessary. The US Federal Trade Commission (Commission) has decades of experience protecting privacy. What the Commission needs are: 1. More resources, 2. Authority to oversee all industry sectors, 3. A clear mandate to develop guidance and regulations to communicate to organizations how they should implement the FIPPs, and 4. The ability to enforce meaningful but fair sanctions. Our proposal provides all four of those elements, while also preserving a role for State Attorneys General to apply sanctions in situations where the Commission declines to start an enforcement action. The law uses those sanctions as a way to further encourage organizations to demonstrate their accountability, by allowing those entities that adopt robust privacy programs to have a safe harbor from civil penalties.
To view the complete text and participate in the discussion go to http://usprivacybill.intel.com
David A. Hoffman
Associate General Counsel and Global Privacy Officer
Intel Public Policy Blog: http://blogs.intel.com/policy