Connecticut Shows You Can Have It All

On June 3rd, Connecticut Senate Bill 3 (SB 3), an “Act Concerning Online Privacy, Data and Safety Protections,” cleared the state legislature following unanimous votes in the House and Senate. If enacted by Governor Lamont, SB 3 will amend the Connecticut Data Privacy Act (CTDPA) to create new rights and protections for consumer health data and minors under the age of 18, and also make small-but-impactful amendments to existing provisions of the CTDPA. The bill also contains some standalone sections, such as a section requiring the operators of online dating services within the state to implement new safety features, including a mechanism to report “harmful or unwanted” behavior.

The children’s and health provisions of SB 3 appear to be informed by the California Age-Appropriate Design Code (AADC) and the recently enacted Washington State My Health, My Data Act, respectively, but contain numerous important distinctions. FPF has prepared a comparison chart to help stakeholders assess how SB 3’s youth privacy provisions compare to the California AADC. The provisions related to consumer health data will take effect on October 1, 2023, while the new requirements governing minors’ data and accounts will take effect a year later, on October 1, 2024.

New protections for youth online (Sections 7-13)

Sections 8-13 of SB 3 create new protections for youth online by expanding youth-specific protections to include teens up to 18, placing limits on certain data processing activities, and requiring services to assess risk to minors through data protection assessments. SB 3 appears to draw inspiration from the California Age-Appropriate Design Code Act’s (AADC) obligations and prohibitions but includes many divergences, which are assessed in further detail in a comparison chart. If enacted, these provisions will go into effect on October 1, 2024, with a right to cure until December 31, 2025. Additionally, Section 7 of the bill specifically regulates social media platforms and is largely focused on facilitating requests from a minor or minor’s parent to “unpublish” a minor’s social media account within 15 business days.

1. Scope

The obligations in Sections 8-13 will apply to controllers offering any online service, product, or feature to consumers whom the controller has actual knowledge, or wilfully disregards, are minors. “Minors” is defined as any consumers under 18, in line with recently passed legislation in California and Florida. SB 3 borrows the California AADC’s “online service, product, or feature” scope but retains the CTDPA’s “actual knowledge, or wilfully disregards” knowledge standard rather than the California AADC’s “likely to be accessed” standard. As written, it appears that the data protection and design obligations under the proposal would apply on an individualized basis to the minors whom the bill aims to protect, rather than governing the entire service. Additionally, there are no affirmative age estimation requirements within the proposal, meaning that the scope of SB 3 is narrower than the California AADC because it only applies to controllers who have actual knowledge, or wilfully disregard, that minors are using their service. These divergences may be in response to First Amendment objections raised in the Netchoice v. Bonta litigation seeking to strike down the California AADC.

2. Key obligations

SB 3 requires controllers to use reasonable care to avoid “any heightened risk of harm to minors” caused by their service. “Heightened risk of harm to minors” is defined to mean “processing minors’ personal data in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on minors, (B) any financial, physical or reputational injury to minors, or (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person.” This requirement is reminiscent of the California AADC’s “material detriment” language, though “material detriment” and “harm” are undefined within the California AADC, and thus SB 3 may provide more clarity to controllers in scope.

Building off the data protection assessment requirements set forth in the CTDPA, SB 3 requires controllers to address (1) the purpose of the service, (2) the categories of minors’ personal data processed by the service, (3) the purpose of the data processing, and (4) any heightened risk of harm to minors that is a reasonably foreseeable result of offering the service. The bill specifically notes that a single data protection assessment may address a comparable set of processing operations that include similar activities. If controllers comply with the data protection assessment requirements of the bill, there is a rebuttable presumption in any enforcement action brought by the State AG that a controller used the reasonable care required to avoid heightened risk of harm to minors.

SB 3 includes several data processing limits that are subject to the consent of a minor or minor’s parent. While 2023 has seen the passage of legislation in other states requiring teens to receive parent consent, and thus treating all minors the same for purposes of exercising rights online, SB 3 allows for minors 13 and older to consent for themselves. Absent consent, controllers are prohibited from processing data not reasonably necessary to provide a service, retaining data for longer than necessary, and using any system design feature to “significantly increase, sustain or extend” a minor’s use of the service. Although data minimization is a key privacy principle found in most privacy proposals, it is atypical for this to be subject to consent. Targeted advertising and sale of a minor’s personal data are also subject to the consent of a minor or minor’s parent, expanding the CTDPA’s existing protections for teens that create opt-in requirements for the sale or processing for targeted advertising of data from teens 13-15. 

In addition to the above limits subject to the consent of a minor, SB 3 creates new prohibitions for controllers offering services to minors. Like the California AADC, there are also limits on collecting precise geolocation information, with a requirement to provide a signal when that information is being collected. While neither SB 3 nor the California AADC gives guidance or further definition on “signal,” the California AADC specifies an “obvious signal.” The bill also includes two design-related prohibitions: controllers are prohibited from providing any consent mechanisms designed to impact user autonomy or choice, and are also prohibited from offering direct messaging without providing “readily accessible and easy-to-use safeguards” to limit the ability to receive messages from adults with whom the minor is not connected.

New protections for consumer health data (Sections 1-6)

The CTDPA designates data revealing “health condition and diagnosis” information as a sensitive category of personal data subject to heightened protections, including an affirmative consent requirement for processing. SB 3 aims to expand the CTDPA’s protections for consumer health information by (1) creating a new sensitive data category under the CTDPA of “consumer health data,” (2) creating protections governing the collection and processing of “consumer health data,” applicable to a broad range of entities, and (3) establishing restrictions on the geofencing of healthcare facilities.

1. Definitions

If enacted, SB 3 will add eleven new health-related definitions to the CTDPA, including the terms “abortion,” “consumer health data,” “geofence,” “gender-affirming health data,” and “reproductive or sexual health data.” SB 3 is focused on establishing protections for “consumer health data,” defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data” (emphasis added). This is a narrower definition of “consumer health data” than established under the Washington ‘My Health, My Data’ Act (MHMD), which applies to personal information that “identifies” a consumer’s health status, even if not used for a health-related purpose. 

SB 3’s focus on “data used to identify physical or mental health condition or diagnosis” differs slightly from the CTDPA’s original protections for “data revealing mental or health condition or diagnosis” in that it centers on the regulated entity’s use of data, rather than the nature of a data point. Data is subject to these new health data protections when an entity uses it to identify something about a consumer’s health, seemingly including through inference, whether or not that data “reveals” something about a consumer’s health on its face. In addition, SB 3’s definition of “consumer health data” explicitly includes “gender-affirming” and “reproductive and sexual” health information. It remains to be seen what the impact of this distinction will be when the CTDPA takes effect.

2. Expanded Protections for the Collection and Processing of “Consumer Health Data”

SB 3 would create several protections exclusive to consumer health data that apply to “persons,” a category that includes non-profits and small businesses, which are otherwise excluded from coverage under the CTDPA. First, SB 3 requires that any employee or contractor with access to consumer health data shall be subject to either a contractual or statutory duty of confidentiality. In addition, the Act will forbid entities that collect and process consumer health data from selling that health data without prior consumer consent.

3. Restrictions on Geofencing

SB 3 follows MHMD in responding to concerns about the geofencing-facilitated digital harassment of individuals visiting abortion and gender-affirming care facilities post-Dobbs v. Jackson Women’s Health Organization by forbidding “persons” from geofencing mental, reproductive, or sexual health facilities for certain purposes. These purposes include the geofencing of health facilities conducted in order to (1) identify, (2) track, (3) collect data from, or (4) send health-related notifications to consumers. The act defines “geofence” broadly, as “any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary.”

Other modifications to CTDPA

In addition to the substantive changes creating new consumer rights for consumer health data and youth data, SB 3 makes minor but meaningful changes to the CTDPA. FPF observes four notable changes:

(1) “Data concerning an individual’s status as a victim of crime” is added to the “sensitive personal data” definition, perhaps inspired by pending legislation in Oregon.

(2) Consistent with other state privacy laws, Tribal nation government organizations and air carriers are carved out of scope of the CTDPA.

(3) The knowledge standard for processing youth data was modified from actual knowledge and wilfully disregards to actual knowledge or wilfully disregards. This amendment fixes a likely drafting error and aligns the CTDPA’s knowledge standard with the CCPA and Montana, strengthening privacy protections for children. 

(4) Finally, SB 3 clarifies the Connecticut Attorney General may consider the “sensitivity of the data” involved in a violation of the CTDPA, along with other factors, when determining whether to grant a controller or consumer health data controller a right to cure.

Conclusion

Connecticut’s unanimous passage of SB 3 reflects the urgency of the new priorities around health and kids’ privacy that have permeated the 2023 legislative session. When these provisions take effect in October, the modified CTDPA will provide a template for other states that may wish to integrate protections for consumer health data within their comprehensive privacy laws, rather than passing standalone laws like MHMD. Similarly, Connecticut provides a template for states seeking to increase protections for youth online by first setting baseline standards for all consumers and then building off of that framework to create heightened protections for those under 18.

FPF Submits Comments in Response to the Consumer Financial Protection Bureau’s Request for Information on Data Brokers

On June 5, the Future of Privacy Forum filed comments with the Consumer Financial Protection Bureau (CFPB) in response to their Request for Information (RFI) Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information.

In 2021, FPF explored the landscape of the current data broker industry in testimony presented to the Senate Finance Subcommittee on Fiscal Responsibility and Economic Growth. Since then, emerging data practices have continued to create potential risks for individuals and to raise novel questions about the scope of the Fair Credit Reporting Act (FCRA). Meanwhile, the exclusion of FCRA-covered activities from the state-level comprehensive privacy laws passed in recent years reinforces the critical need for federal leadership to establish jurisdictional clarity and to address privacy risks. 

FPF’s comments encourage the CFPB to analyze the broad range of business activities that can be considered “data brokerage,” and use the Bureau’s regulatory instruments to address specific risks posed by emerging technologies and business practices, including:

FPF’s full comments to the CFPB are available here.

AI Verify: Singapore’s AI Governance Testing Initiative Explained

In recent months, global interest in AI governance and regulation has expanded dramatically. Many identify a need for new governance and regulatory structures in response to the impressive capabilities of generative AI systems, such as OpenAI’s ChatGPT and DALL-E, Google’s Bard, Stable Diffusion, and more. While much of this attention focuses on the upcoming EU AI Act, there are other significant initiatives around the world proposing different AI governance models or frameworks.

This blog post covers “AI Verify,” Singapore’s AI governance testing framework and toolkit, announced in May 2022. Our analysis has three key parts. First, we summarize Singapore’s overall approach to AI governance and the key initiatives that the Singapore Government released regarding AI governance prior to the launch of AI Verify. Second, we explain the key components of AI Verify. Finally, as we approach the anniversary of AI Verify’s roll-out, we explore what the future may hold for AI Verify and Singapore’s approach to AI governance and regulation. Briefly, the key takeaways are:

1. Singapore’s overall approach to AI governance

In Singapore’s high-level strategy for AI, the National AI Strategy (NAIS), the country announced it aims to be “at the forefront of development and deployment of scalable, impactful AI solutions,” hoping to cement itself as “a global hub for developing, test-bedding, deploying, and scaling AI solutions.” Among the five “ecosystem enablers” identified in the strategy to increase AI adoption is the development of a “progressive and trusted environment” for AI, one that strikes a balance between innovation and minimization of societal risks.

To create this “progressive and trusted environment,” Singapore has adopted so far a light-touch and voluntary approach to AI regulation. This approach recognizes two practical realities about Singapore’s AI ambitions. First, the Singapore Government sees AI as a key strategic enabler in developing its economy and improving the quality of life of its citizens. This explains why Singapore is not taking a heavy-handed approach in regulating AI lest it stifles innovation and investment. Second, given its size, Singapore is aware it is also likely to be a price-taker rather than a price-setter as AI governance discourse, frameworks and regulations develop globally. Thus, rather than introducing new AI principles afresh, the current approach is to “take the world where it is, rather than where it hopes the world to be.”

Before the release of AI Verify in 2022, Singapore’s approach to AI regulation – as overseen by the Personal Data Protection Commission of Singapore (PDPC) – had three pillars: 

  1. The Model AI Governance Framework (Model Framework). 
  2. The Advisory Council on the Ethical Use of AI and Data (Advisory Council).
  3. The Research Programme on the Governance of AI and Data Use (Research Program). 

As we aim to highlight the substantive aspects of Singapore’s AI regulatory approach, the following paragraphs will focus on the Model Framework. 

The Model Framework

The Model Framework, first launched at the World Economic Forum Annual Meeting (WEF) in 2019, is a voluntary and non-binding framework that guides organizations in the responsible deployment of AI solutions at scale, noting that this framework does not concern the development phase of these technologies. As a guide, the Model Framework sets out practical recommendations for AI deployments for private sector entities, as the public sector’s use of AI is governed by internal guidelines and AI and data governance toolkits. The Model Framework is billed as a “living document,” as it is meant to evolve through future editions alongside technological and societal developments. The Model Framework is also technology-, industry-, scale- and business-model agnostic. 

Substantively, the Model Framework is guided by two fundamental principles to promote trust and understanding in AI. First, organizations using AI in decision-making should ensure that the decision-making process is explainable, transparent and fair. Second, AI systems should be human-centric: the protection of human well-being and safety should be primary considerations in designing, developing and using AI.

The Framework translates these guiding principles to implementable practices in four key areas of an organization’s decision-making and technology-development processes:

(a) Internal governance structures and measures;

(b) Determining the level of human involvement in AI-augmented decision-making;

(c) Operations management; and

(d) Stakeholder interaction and communication.

The summary below lists some of the suggested considerations, practices, and measures falling under each of these key areas.

Internal governance structures and measures
  - Clear roles and responsibilities: use existing or set up new corporate governance and oversight processes; ensure staff are appropriately trained and equipped.
  - Internal controls: a monitoring and reporting system to ensure awareness at the appropriate level of management; manage personnel risk; periodic reviews.

Human involvement in AI-augmented decision-making
  - Appropriate level of human intervention: use a probability-severity of harm matrix to determine the level of human involvement; incorporate corporate and societal values in decision-making.

Operations management
  - Good data accountability: data lineage, quality, accuracy, completeness, veracity, relevance, integrity, etc.
  - Minimizing bias in data / model: heterogeneous datasets; separate training, testing and validation datasets; repeatability assessments, counterfactual testing, etc.; regular review and tuning.

Stakeholder interaction and communication
  - General disclosure: being transparent when AI is used in products and services; use simple language, with communication appropriate to the audience, purpose and context.
  - Increased transparency: information on how AI decisions may affect individuals.
  - Feedback channels: avenues for feedback and review of decisions.

Other initiatives accompanying the Model Framework

When Singapore released the second edition of the Model Framework at the WEF in 2020, it was released alongside two other documents: the Implementation and Self-Assessment Guide for Organisations (ISAGO) and the Compendium of Use Cases (Compendium – Volume 1 and Volume 2). The ISAGO is a checklist helping organizations assess the alignment of their AI governance processes with the Model Framework. The Compendium provides real-life examples of the adoption of the Model Framework’s recommendations across various sectors, use cases, and jurisdictions. 

Collectively, the Model Framework and its suite of accompanying documents anchored and outlined substantive thinking on AI regulation in Singapore. These initiatives led to Singapore winning a United Nations World Summit on the Information Society Prize in 2019, recognizing its efforts as a frontrunner in AI governance. 

2. AI Verify in a Nutshell

January 2020 marked a turning point for global discourse on AI regulation. On January 17, 2020, a leaked white paper from the European Commission brought international attention to the increasing possibility of government regulation of AI technology. In February 2020, the European Commission formally issued a White Paper on Artificial Intelligence, which, among other things, set out plans to create a regulatory framework for AI. In the following months, the European Commission began to make available drafts of a forthcoming AI Act. For the first time, a major government was making a serious attempt to introduce substantive rules to horizontally regulate the development and use of AI systems. Due to the expected extraterritorial nature of the AI Act, companies developing AI systems outside of Europe could potentially be covered by the new law. 

These developments influenced thinking about the future of Singapore’s AI regulatory and governance landscape. While the PDPC maintained its voluntary and light-touch approach to AI regulation, it acknowledged a future in which AI faces heightened oversight. The PDPC seemed to also be mindful of growing consumer awareness and demand for trustworthiness from AI systems and developers, a need for international standards on AI to benchmark and assess AI systems against regulatory requirements, and an increasing need for interoperability of AI regulatory frameworks. With these in mind, Singapore began developing the framework that eventually coalesced into AI Verify.


What is AI Verify?

Launched by the Infocomm Media Development Authority (IMDA), a statutory board under the Singapore Ministry of Communications and Information, together with the PDPC, AI Verify is an AI governance testing framework and toolkit. Using AI Verify, organizations can combine technical tests and process-based checks to conduct a voluntary self-assessment of their AI systems. The system, in turn, helps companies attempt to objectively and verifiably demonstrate to stakeholders that their AI systems have been implemented in a responsible and trustworthy manner.

Given that AI testing methodologies, standards, metrics and tools continue to develop, AI Verify is also currently at a “Minimum Viable Product” (MVP) stage. This has two implications. First, there are several technical limitations to the MVP version, and limitations to the types and size of AI models or datasets that it can test or analyze. Second, it is expected that AI Verify will evolve as AI testing capabilities mature. 

The four aims for developing an MVP version of AI Verify are:

(a) First, IMDA hopes that organizations are able to use AI Verify to determine performance benchmarks for their AI systems, and demonstrate these claimed benchmarks to stakeholders such as consumers and employees, thereby helping organizations enhance trust.

(b) Second, given that it was developed with various AI regulatory and governance frameworks, as well as common trustworthy AI principles in mind, AI Verify seeks to help organizations find commonalities across various global AI governance frameworks and regulations. IMDA is also continuing to engage regulators and standards organizations to map AI Verify’s testing framework onto established frameworks. These efforts are aimed at allowing businesses to operate and offer AI-enabled products and services in multiple markets, while allowing Singapore to act as a hub in AI governance and regulatory testing.

(c) Third, as organizations trial AI Verify and use its testing framework, IMDA will be able to collate industry practices, benchmarks and metrics. These can facilitate input into the development of international standards on AI governance, considering Singapore is participating in global AI governance platforms such as the Global Partnership on AI and ISO/IEC JTC1/SC 42, to contribute valuable perspectives towards the development of international standards on AI governance.

(d) Fourth, IMDA hopes AI Verify will allow Singapore to create a local AI testing community, consisting of AI developers and system owners (who are seeking to test AI systems), technology providers (who are developing AI governance implementation and testing solutions), advisory service providers (specializing in testing and certification support), and researchers (who are developing testing technologies, benchmarks and practices). 

It is also important to clarify several potential misconceptions about AI Verify. First, AI Verify is not an attempt to define ethical standards. It also does not attempt to classify AI systems with a clear bright line. Instead, AI Verify provides verifiability, as it allows AI system developers and owners to demonstrate their claims about the performance of their AI systems. Second, an organization’s use of AI Verify does not guarantee that tested AI systems are free from risks or biases, nor that they are completely “safe” or “ethical.” Third, AI Verify is intended to preclude organizations from unintentionally divulging sensitive information about their AI systems (such as their underlying code or training data). One key safeguard is that AI Verify is used by AI system developers and owners themselves to conduct self-testing, which allows the organization’s data and models to remain within the organization’s operating environment.

How does AI Verify work?

AI Verify consists of two parts. The first is a Testing Framework, which references eleven internationally accepted AI ethics and governance principles, grouped into five pillars. The second is a Toolkit that organizations use to execute technical tests and to record process checks from the Testing Framework.

AI Verify’s Testing Framework

The five pillars and eleven principles in AI Verify’s Testing Framework, as well as their expected assessment, are:

PillarPrinciplesAssessment method(s)
Transparency on Use of AI and AI systems:
This pillar is about disclosing to individuals about AI use in a technological system, so that they can be aware and make informed choices on whether to use the AI-enabled system.
Transparency:
Providing appropriate information to individuals impacted by AI systems.
Assessed through process checks of documentary evidence (e.g., company policy and communication collaterals) providing appropriate information to individuals who may be impacted by the AI system.

The information includes (subject to the need to avoid compromising IP, safety, and system integrity): the use of AI in the system, its intended use, limitations, and risk assessments.
Understanding how an AI model reaches a decision:
This pillar is about allowing individuals to understand the factors contributing to an AI model’s output, while also ensuring output consistency and accuracy in similar conditions. 
Explainability:
Understanding and interpreting the decisions and output of an AI system.
Assessed through a combination of technical tests and process checks.

Technical tests are conducted to identify factors contributing to an AI model’s output.

Process checks include verifying documentary evidence of considerations given to the choice of models, such as rationale, risk assessments, and trade-offs of the AI model.
Repeatability / reproducibility: Ensuring consistency in AI output by being able to replicate an AI system, either internally or through a third party.Assessed through process checks of documentary evidence, including evidence of AI model provenance, data provenance, and use of versioning tools.
Ensuring safety and resilience of the AI system:
This pillar is aimed at helping individuals understand that the AI system will not cause harm, is reliable, and will perform according to its intended purpose even despite encountering unexpected input.
Safety:
Ensuring safety by conducting impact / risk assessments, and ensuring that known risks have been identified / mitigated.
Assessed through process checks of documentary evidence of materiality assessment and risk assessment, including how known risks of the AI system have been identified and mitigated.
Security:
Ensuring the cyber-security of AI systems.
Presently NA
Robustness:
Ensuring that the AI system can still function despite unexpected input.
Assessed through a combination of technical tests and process checks.

Technical tests attempt to assess if a model performs as expected even when provided with unexpected inputs.

Process checks include verifying documentary evidence, review of factors that may affect the performance of AI model, including adversarial attacks.
Ensuring fairness:
This pillar is about evaluating whether the data used to train the AI model is sufficiently representative, and testing to ensure that the AI system will not unintentionally discriminate. 
Fairness:
  What it means: Avoiding unintended bias, ensuring that the AI system makes the same decision even if a certain attribute is changed, and ensuring that the data used to train the model is representative.
  How it is assessed: Mitigation of unintended discrimination is assessed through a combination of technical tests and process checks.
    Technical tests check that an AI model does not produce biased results based on protected or sensitive attributes specified by the system owner, by checking the model output against the ground truth.
    Process checks include verifying documentary evidence that there is a strategy for the selection of fairness metrics aligned with the desired outcomes of the AI system’s intended application, and that the definition of sensitive attributes is consistent with legislation and corporate values.
Data governance:
  What it means: Ensuring the source and quality of data by adopting good data governance practices when training AI models.
  How it is assessed: Presently NA
Ensuring proper (human) management and oversight of the AI system:
This pillar is about assessing human accountability and control in the development and/or deployment of AI systems, and whether the AI system is aimed at beneficial purposes for general society.
Accountability:
  What it means: Ensuring proper management oversight during AI system development.
  How it is assessed: Through process checks of documentary evidence, including evidence of clear internal governance mechanisms for proper management and oversight of the AI system’s development and deployment.
Human agency and oversight:
  What it means: Ensuring that the AI system is designed in a way that will not diminish the ability of humans to make decisions.
  How it is assessed: Through process checks of documentary evidence that the AI system is designed in a way that will not reduce humans’ ability to make decisions or to take control of the system. This includes defining the role of humans in the oversight and control of the AI system, such as human-in-the-loop, human-over-the-loop, or human-out-of-the-loop.
Inclusive growth, societal and environmental well-being:
  What it means: Ensuring beneficial outcomes for people and the planet.
  How it is assessed: Presently NA
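The fairness technical test described above (model output checked against ground truth, split by a sensitive attribute chosen by the system owner), as an added example that is not AI Verify’s own code. The loan-application rows, the group labels and the 0.2 gap threshold are constructed assumptions; the MVP framework does not prescribe a threshold.

```python
"""Group-fairness technical test in the style of AI Verify's fairness check.

Added example, not AI Verify's own code. Given a model's binary predictions,
the ground truth, and one sensitive attribute per row (chosen by the system
owner), it reports per-group rates and the largest gap between groups. The
pass/fail threshold is a caller-supplied assumption: the MVP framework does
not prescribe one.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupStats:
    n: int                  # rows in this group
    selection_rate: float   # share predicted positive (demographic parity input)
    tpr: float              # true positive rate (equal opportunity input)
    fpr: float              # false positive rate (equalised odds input)


def _rate(num, den):
    return num / den if den else 0.0


def group_stats(y_true, y_pred, sensitive):
    """Confusion counts per sensitive-attribute value, converted to rates."""
    if not (len(y_true) == len(y_pred) == len(sensitive)):
        raise ValueError("inputs must be parallel sequences of equal length")
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for t, p, g in zip(y_true, y_pred, sensitive):
        if t not in (0, 1) or p not in (0, 1):
            raise ValueError("labels and predictions must be 0/1")
        cell = {(1, 1): "tp", (0, 1): "fp", (1, 0): "fn", (0, 0): "tn"}[(t, p)]
        counts[g][cell] += 1
    stats = {}
    for g, c in counts.items():
        n = sum(c.values())
        stats[g] = GroupStats(
            n=n,
            selection_rate=_rate(c["tp"] + c["fp"], n),
            tpr=_rate(c["tp"], c["tp"] + c["fn"]),
            fpr=_rate(c["fp"], c["fp"] + c["tn"]),
        )
    return stats


def disparities(stats):
    """Max-minus-min gap across groups for each rate."""
    return {
        m: max(getattr(s, m) for s in stats.values())
        - min(getattr(s, m) for s in stats.values())
        for m in ("selection_rate", "tpr", "fpr")
    }


def fairness_test(y_true, y_pred, sensitive, max_gap, min_group_size=1):
    """Run the check. Groups smaller than min_group_size are reported but
    excluded from the gap computation, since their rates are unreliable."""
    stats = group_stats(y_true, y_pred, sensitive)
    usable = {g: s for g, s in stats.items() if s.n >= min_group_size}
    if len(usable) < 2:
        raise ValueError("need at least two groups of sufficient size")
    gaps = disparities(usable)
    failed = {m: gap for m, gap in gaps.items() if gap > max_gap}
    return {"stats": stats, "gaps": gaps, "failed_metrics": failed,
            "passed": not failed}


# Constructed sample: 16 loan applications, sensitive attribute "A"/"B".
# Group B has the same ground-truth mix as A but the model approves far fewer.
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0]
Y_PRED = [1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]
SENSITIVE = ["A"] * 8 + ["B"] * 8

if __name__ == "__main__":
    result = fairness_test(Y_TRUE, Y_PRED, SENSITIVE, max_gap=0.2)
    for g, s in sorted(result["stats"].items()):
        print(f"group {g}: n={s.n} selection={s.selection_rate:.3f} "
              f"tpr={s.tpr:.3f} fpr={s.fpr:.3f}")
    print("gaps:", result["gaps"])
    print("PASS" if result["passed"]
          else f"FAIL on {sorted(result['failed_metrics'])}")
```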

The actual Testing Framework has several key components:

(a) Definitions: The Testing Framework provides easy-to-understand definitions for each of the AI principles. For example, explainability is defined as the “ability to assess the factors that led to (an) AI system’s decision, its overall behavior, outcomes and implications.”

(b) Testable criteria: For each principle, a set of testable criteria is provided. These criteria are a mix of technical and/or non-technical (e.g. processes, procedures, or organizational structures) factors that contribute to the achievement of the desired outcomes of that governance principle.

Using the example of explainability, two testable criteria are provided. A developer can run explainability methods to help users understand the drivers of the AI model. A developer can also demonstrate a development preference for AI models that can explain their decisions or that are interpretable by default.  

(c) Testing process: For each testable criterion, AI Verify provides the processes or actionable steps to be carried out. The steps could be quantitative (such as statistical or technical tests) or qualitative (such as producing documented evidence during process checks).

For explainability, a technical test could involve empirically analyzing and determining feature contributions to a model’s output. A process-based test would be to document the rationale, risk assessments, and trade-offs of an AI model. 

(d) Metrics: These are quantitative or qualitative parameters used to measure, or provide evidence for, each testable criterion.

Using the explainability example above, the metric for determining feature contributions could examine the contributing features of a model output as obtained from a technical tool (such as SHAP or LIME). The process-based metric could be documented evidence of the evaluations made when choosing the final model, such as risk assessments and trade-off weighing exercises.

(e) Thresholds (where applicable): Where available, the Testing Framework will provide recognized values or benchmarks for selected metrics. Such values or benchmarks could be defined by regulators, industry associations, or other recognized standard-setting organizations. For the MVP model of AI Verify, thresholds are not provided given the rapid evolution of AI technologies, their use cases, as well as methods to test AI systems. Nevertheless, as the space of AI governance matures and the use of AI Verify increases, IMDA intends to collate and develop context-specific metrics and thresholds to be added to the Testing Framework.
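The explainability technical test described under (c) and (d), determining feature contributions to a model’s output, as an added example that is neither AI Verify’s nor the SHAP library’s code: an exact, brute-force Shapley decomposition (the quantity SHAP approximates) on a constructed credit-scoring function. The scoring rule, the background rows, the instance, and the mean-replacement baseline for absent features are all assumptions.

```python
"""Exact Shapley feature contributions for a single prediction.

Added example, not AI Verify's or the SHAP library's code: a brute-force
Shapley decomposition (the quantity SHAP approximates) on a constructed
credit-scoring function. Features left out of a coalition are replaced by
their mean over a constructed background set; that mean-replacement baseline
is a simplifying assumption, not the behaviour of any particular tool.
"""
from itertools import combinations
from math import factorial

FEATURES = ("income", "debt_ratio", "age")


def model(x):
    """Constructed scoring rule with an income/debt interaction term, so the
    contributions are not simply the linear coefficients."""
    return (0.5 * x["income"] - 2.0 * x["debt_ratio"]
            + 0.3 * x["income"] * x["debt_ratio"] + 0.01 * x["age"])


# Constructed background data set used to define the "feature absent" baseline.
BACKGROUND = [
    {"income": 40.0, "debt_ratio": 0.5, "age": 30.0},
    {"income": 60.0, "debt_ratio": 0.3, "age": 40.0},
    {"income": 80.0, "debt_ratio": 0.1, "age": 50.0},
]
# Constructed instance whose score we want to explain.
INSTANCE = {"income": 100.0, "debt_ratio": 0.2, "age": 25.0}


def background_means(background):
    return {f: sum(r[f] for r in background) / len(background) for f in FEATURES}


def coalition_value(predict, instance, means, coalition):
    """Model output when only the features in `coalition` take the instance's
    values and the rest are set to their background mean."""
    x = {f: (instance[f] if f in coalition else means[f]) for f in FEATURES}
    return predict(x)


def shapley_values(predict, instance, background):
    """Exact Shapley values phi[f] and the base value (all features absent).
    Enumerates every subset of the other features, so it is only practical
    for a handful of features; SHAP-style tools sample or exploit structure."""
    means = background_means(background)
    n = len(FEATURES)
    phi = {}
    for f in FEATURES:
        others = [g for g in FEATURES if g != f]
        total = 0.0
        for k in range(n):
            # Shapley kernel weight for a coalition of size k among n features.
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                with_f = coalition_value(predict, instance, means, set(subset) | {f})
                without_f = coalition_value(predict, instance, means, set(subset))
                total += weight * (with_f - without_f)
        phi[f] = total
    base = coalition_value(predict, instance, means, set())
    return phi, base


def ranked_contributions(phi):
    """Features ordered by absolute contribution, largest first."""
    return sorted(phi.items(), key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    phi, base = shapley_values(model, INSTANCE, BACKGROUND)
    # Efficiency property: base + sum(phi) equals the actual prediction.
    print(f"base value: {base:.3f}  prediction: {model(INSTANCE):.3f}")
    for f, v in ranked_contributions(phi):
        print(f"{f:>10}: {v:+.3f}")
```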

AI Verify’s Toolkit

While AI Verify’s Toolkit is currently only available to organizations that have successfully registered for AI Verify’s MVP program, IMDA describes the Toolkit as a “one-stop” tool for organizations to conduct technical tests. Specifically, the Toolkit packages widely-used open-source testing libraries. Such tools include SHAP (Shapley Additive ExPlanations) for explainability, the Adversarial Robustness Toolkit for robustness, and AIF360 and Fairlearn for fairness.

Users of AI Verify can deploy the Toolkit within their internal environment. Users will be guided by a user interface to navigate the testing process. For example, the Toolkit contains a “guided fairness tree” for users to identify fairness metrics relevant for their use case. At the end, AI Verify produces a summary report that helps system developers and owners interpret test results. For process checks, the report provides a checklist stating the presence or otherwise of document evidence specified in the Testing Framework. The test results are then packaged into a Docker® container for easy deployment. 

3. Conclusion

When IMDA released AI Verify, the wave of interest in generative AI seen today had yet to materialize. With the wave currently upon us, interest in demonstrating governance, testability and trustworthiness of AI systems has grown significantly. Initiatives like AI Verify appear poised to respond to this interest.

Singapore has previously demonstrated its ability to contribute to global discourse and thought leadership on AI governance and regulation, namely through the Model Framework. The stakes for AI Verify are high, but so is the global need for such an initiative. To succeed, AI Verify will likely require greater recognition and adoption. This depends on several factors. First, the tool’s accessibility is critical: AI-driven organizations hoping to use AI Verify will need to be able to access it at little or no cost. Second, convincing organizations of its value is key. This will require IMDA to demonstrate that AI Verify is technically and procedurally sound, that it can be effectively used on more (and newer) kinds and sizes of AI models and data sets, and that it does not impinge on commercial sensitivities around proprietary AI models and datasets. Third, and perhaps most importantly, it must remain relevant to international regulatory frameworks. IMDA will need to ensure that AI Verify can continue to help organizations address and interoperate within key emerging global AI regulatory frameworks, such as the EU AI Act, Canada’s AI and Data Act, the NIST AI Risk Management Framework in the US, and even Singapore’s own Model Framework.

Optum & The Mayo Clinic Win the 2022 Award for Research Data Stewardship

Author: Randy Cantz, U.S. Policy Intern, Ethics and Data in Research and former Communications Intern at FPF

On Wednesday, May 10, 2023, the Future of Privacy Forum (FPF) honored representatives from Optum and the Mayo Clinic for their outstanding corporate-academic research data-sharing partnership at the 3rd annual Awards for Research Data Stewardship. The awards honor companies and researchers that prioritize privacy-oriented and ethical data sharing for research.

In a keynote address, United States Congresswoman Lori Trahan applauded the winning partnerships for their ongoing commitment to responsible data sharing. “Ensuring that independent researchers can take a look under the hood of companies is essential to holding big tech executives accountable to the promises they make to their users,” Trahan said. “That’s why the work that you all do is so important, proving that this can be done in a responsible way on both the researcher and company sides.”


SHARING HEALTH DATA WHILE PROTECTING PRIVACY

Dr. Mehwish Qasim provided an overview of the award-winning research partnership. She emphasized that any collaboration that utilizes data from Optum must follow strict guidelines, and there are careful protections to ensure the appropriate use of data.

“This collaboration enabled important research that led to a broader public benefit and impact on diabetes management,” said Dr. Qasim, emphasizing the importance of accessible private data.  She added this was possible because of the variety of data and rigorous and standardized data cleaning, validation, and comprehensive safeguards.

LEVERAGING HEALTH DATA FOR RESEARCH

Dr. Rozalina McCoy introduced her research team’s study, explaining that their research was helping to understand how different communities receive different advice for diabetes-related incidents and how best to improve patient care at all stages of a person’s life.

“One out of every seven adults has been touched by diabetes in some way, and one out of every four healthcare dollars in the US is spent caring for people with diabetes,” said Dr. McCoy, describing the importance of diabetes research. In response to an audience question, Dr. McCoy recommended that researchers understand the benefits and risks of research data from the beginning and establish a clear data-sharing policy that has safeguards in place.

KEY QUESTIONS & ANSWERS

Audience members posed their most pressing questions to the winning team about the inherent challenges in data sharing for research. Below are some of the main takeaways.

What are some of the tensions between access to data and the limitations that may have been part of the research considerations?

Dr. McCoy: Optum has very strict privacy controls; they have the data, but they can’t give it to researchers all at once. We have to be strategic about what our specific questions are and what combination of variables we can look at to still answer our questions, but maintain patient privacy. We’re able to do a lot for privacy, for example, making sure that all the data linkages are done by someone besides the researcher to ensure that privacy is protected. This way, we can maintain privacy, objectivity, and rigor.

What are your thoughts on how we encourage more organizations to do this type of data sharing?

Dr. Qasim: From a corporate perspective, there are a couple of things that I would advise or look for in terms of best practices. The first is to understand the benefits and risks. Have a clear data-sharing policy that outlines what can be shared and what safeguards are in place to establish those data-sharing agreements. Of paramount importance are the data security requirements and privacy protections.

Do you see trade-offs that have to be made, given some of the challenges of ensuring that datasets are de-identified?

Dr. Qasim: There are legal requirements and ethical considerations that are critical, including controls that balance encryption and secure data storage. These comprehensive safeguards are the kinds of factors that would help me evaluate the utility of the research while maintaining the protection and privacy of the individuals.

FINAL THOUGHTS

Jules Polonetsky, CEO at FPF, communicated FPF’s appreciation for the research of the award runners-up, Gravy Analytics and the University of Florida, which is a public land-grant institution and an emerging Hispanic-Serving Institution. Polonetsky emphasized that FPF is eager to promote responsible data-sharing practices.

“This is hard, grinding work. Kudos to the team,” Jules said. “It’s not something that a broad range of companies are able to do without real and significant expert partnership and collaboration. The end goal is to advance science and the broader social good.”

For more information on privacy-oriented and ethical data sharing for research, see The Playbook: Data Sharing for Research or join the Ethics and Data in Research Working Group.

The Right to be Let a Lone Star State: Texas Passes Comprehensive Privacy Bill

Over Memorial Day weekend Texas lawmakers passed the Texas Data Privacy and Security Act (TDPSA) with unanimous votes in both the State House and Senate. If enacted by Governor Abbott, Texas will become the tenth U.S. state (and fifth in 2023) to enact broad-based data privacy legislation governing the collection, use, and transfer of consumer data. TDPSA contains several drafting innovations that drove backers of the bill to call it the “strongest data privacy law in the country.” While this is likely to be a controversial statement (especially to regulators in states such as California, Colorado, and Connecticut), TDPSA’s novel provisions deserve close attention by stakeholders:

  1. Coverage thresholds are tied to the U.S. Small Business Administration’s standards;
  2. Small businesses must obtain consent to sell sensitive personal data;
  3. ‘Opt-Out Preference Signals’ are included (with caveats);
  4. Standalone disclosures are required for certain data sales;
  5. Pseudonymous data is explicitly treated as personal data under certain circumstances.

Despite these unique attributes, TDPSA shares a common underlying framework with every non-California state to enact comprehensive privacy legislation and contains many rights, obligations, and exceptions that will be familiar to stakeholders. For example, the bill includes consumer rights to access, correct, and delete personal information, opt-in requirements for the processing of sensitive data, and opt-out requirements for data sales (defined broadly), targeted advertising, and significant profiling decisions. TDPSA also contains routine business obligations including transparency, security, data protection assessments, non-retaliation, and contractual terms for service providers. Finally, TDPSA would be exclusively enforced by the Attorney General with a right-to-cure that does not expire.   

Below we examine the unique provisions of TDPSA in greater depth.

1. Coverage thresholds are tied to the U.S. Small Business Administration’s standards

To date, both state and federal data privacy framework laws and pending proposals have carved out certain small businesses from coverage. Typically, a business falls within the scope of a state privacy law based upon the number of in-state residents about whom it processes data, with thresholds ranging from 50,000 individuals (Montana) to 175,000 (Tennessee). TDPSA breaks from this trend by exempting companies that meet the United States Small Business Administration’s (SBA) definition of “small business.”

The SBA designates organizations as “small businesses” using an industry-specific model that incorporates both revenue and employee thresholds. While the typical small business carve-outs in state privacy laws have long been recognized as inherently arbitrary and inconsistent between states of different populations, it is not clear whether TDPSA’s approach is inherently superior. For example, a company in a non-data-intensive line of business may have a large number of employees, whereas a startup or other organization with very few employees could still process massive amounts of sensitive consumer data for privacy-diminishing purposes.

According to the SBA, only just over 20,000 U.S. firms do not meet its definition of “small business.” Given that the large population of Texas (nearly 30 million in 2021) would make it relatively easy for organizations to meet the typical consumer-data threshold if TDPSA used standard coverage provisions, incorporating the SBA definition means that TDPSA will likely apply to a far narrower range of organizations than it otherwise would.

2. Small businesses must obtain consent to sell sensitive personal data

Perhaps the most significant impact of TDPSA (which has already influenced Florida’s Digital Bill of Rights, passed on May 4) is a novel requirement that small businesses operating within the state obtain prior consent of an individual before selling their sensitive personal data. TDPSA defines “sale of personal data” broadly to include transfers for both monetary “or other valuable consideration” by a controller to a third party, likely implicating data transfers as part of the online advertising ecosystem. For ‘large businesses’ in scope of the full bill, TDPSA broadly requires consent for ‘processing’ sensitive personal data, consistent with several other state privacy laws.

3. ‘Opt-Out Preference Signals’ are included (with caveats)

TDPSA will be the fifth U.S. state privacy law that explicitly permits individuals to exercise certain rights on a default basis through technological signals, such as those sent by an Internet browser setting or extension. While these provisions should significantly ease the burdens of privacy self-management for individuals, TDPSA will also give businesses greater leeway to ignore these signals than other states if certain conditions are met. For example, TDPSA will not require a covered entity to respond to an otherwise valid signal if it “does not possess the ability to process the request” or “does not process similar or identical requests” for the purpose of complying with other state privacy laws.

4. Standalone disclosures are required for certain data sales

Like all other state privacy laws, TDPSA will require controllers to post a privacy notice that includes descriptions of the data that it collects, their processing purposes, and under what circumstances data may be transferred to third parties. However, TDPSA is unique in requiring that businesses, where applicable, post the following disclaimers, verbatim, in the same location and in the same manner as their privacy notices: “NOTICE: we may sell your [sensitive personal data / biometric personal data.]”

5. Pseudonymous data is explicitly treated as personal data under certain circumstances

The treatment of personal data that has been pseudonymized is a significant, but commonly overlooked aspect of state privacy laws. Like Virginia, Connecticut, and some other states, TDPSA’s individual rights of access, correction, and deletion do not extend to data that is demonstrably pseudonymized (though consumer opt-out rights are not included in this carveout). However, Texas is unique in explicitly including pseudonymous data in the definition of “personal data” in circumstances where such data is used “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” In practice, whether this addition proves to be a meaningless tautology or expands consumer protections is likely to depend on evolving interpretations, business practices, and enforcement priorities both in Texas and other states.

During Asian Pacific American Heritage Month, a look at how better data can benefit AANHPI individuals and communities

May is Asian Pacific American Heritage Month (APAHM), a celebration of Asian Americans, Native Hawaiians, and Pacific Islanders (AANHPIs) in the United States. However, there are challenges that this rapidly growing racial group experiences, specifically regarding the collection and use of AANHPI data. In honor of APAHM, we are highlighting the gaps in research and data collection around AANHPI populations that have led to, among other things, a loss of political representation and valuable resources, as well as concrete steps that can be taken today and into the future to ensure more equitable outcomes. 

Individuals from AANHPI communities hail from more than 40 countries and include even more ethnic identities. This term captures a collection of people with diverse languages, histories, ethnicities, idiosyncrasies, and cultures. It also represents the fastest-growing racial and ethnic group within the U.S. However, errors in data collection and management mean that individuals from these communities are politically under-represented and economically and socially under-resourced. An analysis of data from the 2020 U.S. Census revealed that 68% of U.S. counties undercounted their Asian populations, and 55% undercounted the number of Native Hawaiian and Pacific Islander (NHPI) individuals.

Data plays a critical role in policymaking by providing empirical evidence and offering insights that inform decision-making processes, helping to ensure that policymakers’ choices are grounded in facts. The U.S. decennial census provides a wellspring of data from across the country every ten years. This data determines the number of seats each state receives in the U.S. House of Representatives and is used for redistricting at various levels of government, including state legislatures, county commissions, and city councils. Census data is also instrumental in allocating federal funding to communities for community and social services. More generally, census data provides valuable insight into the characteristics and needs of a community and can reveal disparities across different communities. Policymakers and government leaders can tailor policies and programs to their communities by using census data like race, income levels, education levels, and housing conditions; researchers and analysts may use that same data to recommend interventions to address economic, healthcare, housing, and educational needs.

In addition to contributing to a lack of resource and political allocation, data quality issues related to AANHPI individuals may also perpetuate common themes of racism and stereotyping. For example, aggregated data for AANHPIs hides the health and economic struggles of some Asian subgroups, subjecting them to false beliefs that all AANHPIs are successful and well-adapted, when in reality, their struggles are rendered invisible.

When it comes to ensuring proper representation, recognizing the problem is only the first step. The following recommendations are necessary to start the process of better accounting for and serving the diverse needs of all individuals in the U.S., including individuals from AANHPI communities:

1. Create pathways for privacy-protective data disaggregation: It is crucial to recognize the heterogeneity within the AANHPI population and avoid treating it as a monolithic group in data analysis and policy formulation. Disaggregated data breaks down population-level information by detailed sub-categories and can reveal details about sub-groups that are experiencing deprivations and inequalities that are not fully reflected in aggregated data. Civil rights groups have consistently advocated for disaggregated data to better understand the needs of the AANHPI community. While there are privacy risks with disaggregation that need to be recognized and accounted for, disaggregated data for the AANHPI population can also provide detailed information on specific ethnic subgroups within the population allowing for an understanding of disparities and tailoring of policies to address unique needs. For example, disaggregated data for AANHPI populations reveals that while Indian Americans have an average poverty rate of 6%, Mongolian Americans and Burmese Americans have a poverty rate of 25%. Disaggregated data also reveals that while 75% of Taiwanese Americans hold a bachelor’s degree, only 14% of Laotian Americans do.

2. Avoid stereotyping and generalization: Stereotypes and generalizations about AANHPIs can influence how data is collected, analyzed, and interpreted. Researchers conducting studies on certain populations may overlook conducting the same studies on AANHPI populations due to harmful assumptions, including the model minority myth. For instance, a 2017 report on perinatal morbidity and mortality of AANHPI women found that despite a higher socioeconomic status, AANHPI women “experience higher rates of maternal morbidity and mortality.” Additional studies on perinatal experiences of women during COVID-19 pointed out that AANHPI women had been “largely underrepresented in study samples” and emphasized a need for targeted research for culturally responsive care for perinatal women. Another similar report stated that data on AANHPI women was “limited due to scarcity of existing studies.”

3. Knock down language barriers: AANHPIs, particularly those with limited English proficiency or who are recent immigrants, may face barriers to accessing and participating in data collection processes. Language barriers and cultural differences can hinder accurate data collection and representation in datasets, leading to underreporting of important data. The methods used to collect data, such as surveys, should be available in multiple languages, especially in the languages spoken by the communities they target. In 2020, the U.S. Census made strides in this area by ensuring respondents could respond to questions directly in 12 different languages, up from six in 2010. In addition, surveys should also be developed and reviewed by trusted community members to ensure translations are accurate and understandable.

4. Ensure accurate reporting: The COVID-19 pandemic and the rise in anti-Asian hate created a climate of fear and distrust towards the AANHPI community that resulted in horrific violence and discrimination. Each year the FBI releases its report on hate crimes statistics, mandated under the Hate Crimes Statistics Act of 1990. However, reporting by law enforcement to the FBI on this information is voluntary, meaning it is likely very under-representative of what is happening. Civil rights organizations have argued against the “voluntary” nature of reporting and argue that the resulting data is likely unreliable and incomplete. FBI Director Christopher Wray stated to Congress that, “Some jurisdictions fail to report hate crime statistics, while others claim there are no hate crimes in their community.” In contrast, AAPI Data released a report that found that 10% of AANHPI adults experienced “hate crimes and hate incidents in 2021,” significantly higher than the national average. Only about 30% of AANHPI individuals report feeling comfortable reporting a hate crime to law enforcement and have cited fear of retaliation, lack of confidence that justice will be served, and concerns about undue attention to their families as their reasoning.

5. Where possible, adjust for bias and underrepresentation in data sets: If the aforementioned barriers to participation in data collection are not addressed, the result will be continued underrepresentation in datasets. As companies, organizations, and government agencies further deploy algorithmic tools for a wider variety of tasks and programs, this under-representation in the data those tools are trained on may lead to even more significant impacts on individuals from impacted communities. Organizations developing tools need to be aware of potential data quality issues and appropriately and ethically adjust for bias and underrepresentation when possible to ensure that decisions made by these tools do not exacerbate the existing challenges for individuals and communities.

Addressing underrepresentation in data requires improved data collection methodologies that acknowledge the diversity within the AANHPI population, allocate resources to support comprehensive data collection efforts, and promote disaggregated reporting. Policymakers and researchers should work collaboratively with AANHPI communities to ensure accurate and representative data collection, analysis, and interpretation to inform policies that address the unique needs and challenges faced by different AANHPI groups.

What to Expect from the Review of Australia’s Privacy Act

The author thanks Anna Johnston and Alex Kotova (Salinger Privacy) for their review and comments and Gabriela Zanfir-Fortuna, Josh Lee Kok Thong, Lee Matheson, and Isabella Perera (FPF) for their support with editing this post. 

On February 16, 2023, Australia’s Attorney-General’s Department (AGD) released a final report (Review Report) on its multi-year review of Australia’s main privacy law, the Privacy Act 1988 (Privacy Act). The Review Report presents over a hundred concrete proposals to reform the Privacy Act. 

A common trend across many of these proposals is the AGD’s desire to bring the protections in the Privacy Act, which was first enacted over 30 years ago, closer to those provided by other major data protection laws internationally, in particular, the GDPR. Notably, the Review Report proposes: 

Other notable proposals in the Review Report include heightened transparency requirements for automated decision-making (ADM), and the introduction of a direct right of action for breaches of the APPs and separate statutory tort for serious invasions of privacy.

The Australian Government will likely translate at least some of the Review Report’s proposals into a Bill to amend the Privacy Act, which may be introduced in Parliament later in 2023.

Background

Australia’s Privacy Act, which was passed by the Australian Parliament in 1988 and took effect in 1989, was one of the world’s first data protection laws.

In the three decades since the Act was passed, it has been regularly updated through legislative amendments. While the Act originally only extended to federal government agencies, major reforms in 2000 expanded the scope of the Act to the private sector for the first time. Further amendments in 2014 introduced a unified set of 13 “Australian Privacy Principles” (APPs) applying to all “APP entities” – a broad term which comprises a wide range of public- and private-sector entities other than small businesses and registered political parties. 

The APPs establish rights and obligations regarding:

The latest round of amendments to the Privacy Act, which were passed in December 2022 in response to several high-profile data breaches, increased penalties under the Act and expanded the enforcement powers of the privacy authority, the Office of the Australian Information Commissioner (OAIC).

In 2019, the Australian Competition and Consumer Commission (ACCC) published a final report on its three-year “Digital Platforms Inquiry” (DPI Report), which focused on the impact of online search engines, social media platforms, and other digital aggregation platforms on competition in the advertising and media markets. Broadly, the DPI Report recommended amending the Privacy Act to increase protection of personal information, including strengthening notice and consent requirements, enabling individuals to request erasure of their personal information, and providing individuals with a right of action against entities that interfere with their privacy.   

In 2020, the AGD initiated a comprehensive review of the Privacy Act in response to the ACCC’s recommendations in the DPI Report. To that end, the AGD held two rounds of public consultation before releasing its final Review Report.

Overview of the Review Report’s Proposals

The Report makes 116 proposals to reform the Privacy Act in 28 key areas. Broadly, these proposals aim to strengthen the protection of personal information and individuals’ control over how their personal information is collected, used, and disclosed.

Several of the most notable proposals from the Review Report include:

  1. Amending the definition of “personal information” to broaden it and bring it in line with other modern data protection laws, like the EU’s General Data Protection Regulation (GDPR);
  2. New requirements around de-identified information;
  3. Removing the “small business exemption” for private-sector entities with an annual turnover below AU$3 million;
  4. Amending the Privacy Act’s notice, consent, and transparency requirements;
  5. A new “fair and reasonable” test for all forms of processing of personal information;
  6. A new requirement to conduct a PIA for high-risk activities;
  7. New requirements concerning children’s privacy;
  8. New rights for individuals, such as the right to erasure of one’s personal information, to be delisted from online search engines, and to opt out of certain forms of processing, including ADM;
  9. New transparency requirements for ADM;
  10. New protections against direct marketing, targeting, and trading in personal information;
  11. A new controller-processor distinction;
  12. Refining the Privacy Act’s cross-border data transfer mechanisms;
  13. Introducing a tiered penalty framework;
  14. Introducing a direct right of action for breaches of the APPs and separate statutory tort for serious invasions of privacy; and
  15. Amending the Privacy Act’s data breach notification requirements.

1. The definition of “personal information” would be broadened (Proposals 4.1-4.4)

The Review Report proposes amending the definition of “personal information” in the Privacy Act so that the term would no longer refer to information “about” an individual but, rather, information that “relates to” an individual. This proposed change would bring the Privacy Act’s definition of “personal information” closer to the definitions of similar terms in other leading data protection laws, such as the EU’s General Data Protection Regulation (GDPR).

The Report also makes several other proposals to clarify the scope of the term “personal information,” including suggesting examples of personal information to be included in the Act and encouraging the OAIC to issue guidance on the relevant factors for determining whether information relates to an individual and how entities should assess whether an individual is “reasonably identifiable.”

2. De-identified information would be defined and included under some of the provisions of the Privacy Act (Proposals 4.5-4.8)

The Review Report proposes:

In particular, APP entities would be required to take reasonable steps to protect de-identified information from:

The Report proposes that, when disclosing de-identified information overseas, an APP entity would be required to take reasonable steps to ensure that the overseas recipient does not breach the APPs, including ensuring that the recipient does not re-identify the information or further disclose the information in a way that would undermine the effectiveness of de-identification.

The Report also proposes prohibiting re-identification of de-identified information, subject to exceptions, and holding further consultations on creating a criminal offense for malicious re-identification.

3. The small business exemption would be removed (Proposals 6.1-6.2)

The Privacy Act currently applies to private sector entities only if they either have an annual turnover of AU$3 million or above or if they undertake certain activities, such as providing a health service. The Review Report proposes removing the exception for small businesses whose annual turnover is below AU$3 million, based on community expectations that entities should protect personal information regardless of their annual turnover and the risk posed by serious data breaches.

However, the Review Report also proposes that before the exception is removed, an impact assessment should be conducted, and other measures should be undertaken, to ensure that small businesses are in a position to comply with the Privacy Act’s requirements.

4. The requirements for notice, consent, and transparency would be toughened (Proposals 11-12)

The current version of the Privacy Act generally requires an entity to provide individuals with a collection notice containing certain prescribed information when the entity collects personal information directly from those individuals (see APP 5). 

However, the Act generally only requires the entity to obtain the individuals’ consent in a limited set of circumstances, such as collection of sensitive information, and use or disclosure of personal information for a secondary purpose (see APP 6) or for direct marketing (see APP 7). 

The Review Report does not alter these fundamental requirements but instead, proposes clarifying these requirements by:

The Report also encourages the OAIC to develop guidance on how online services should design consent requests, and on standardized templates and layouts for privacy policies and collection notices, using standardized terminology and icons.

5. A requirement that collection, use, and disclosure of personal information must be “fair and reasonable in the circumstances” would be introduced (Proposal 12)

The Privacy Act currently requires that the collection of personal information must be done by lawful and fair means (APP 3.5). The Review Report proposes replacing this with a much broader requirement that any collection, use, or disclosure of personal information by an APP entity must be “fair and reasonable in the circumstances.” This requirement would apply regardless of whether the entity had obtained consent for collecting, using, or disclosing the personal information in question.

The Report proposes that the reasonableness of any given processing activity be assessed objectively based on some or all of the following factors:

6. A PIA would be required for high-risk activities (Proposal 13.1)

The Review Report proposes introducing a new requirement that entities conduct a PIA prior to commencing any activities that are “likely to have a significant impact on the privacy of individuals,” and provide the PIA to the OAIC on request.

The Report also recommends that the OAIC should issue guidance on the relevant factors for determining whether an activity is likely to have a significant impact on individuals’ privacy and provide examples of such activities, which may include:

7. The Review Report seeks to enhance children’s privacy (Proposals 16 and 20)

Proposal 16 of the Review Report proposes introducing several new provisions on children’s privacy in the Privacy Act, including a statutory definition of a “child” as an individual who has not reached 18 years of age.

On children’s capacity to consent to processing of their personal information, the Review Report proposes introducing an express provision in the Privacy Act stating consent is only valid if:

This provision would also cover circumstances in which it would be appropriate or inappropriate for an entity to obtain consent from a child’s parent or guardian.

In line with the Review Report’s proposal to grant the OAIC the power to determine codes of practice, the Report proposes that the OAIC should issue a “Children’s Online Privacy Code” for online services that are likely to be accessed by children. The Code would align with the UK’s Age Appropriate Design Code, and would provide guidance on how collection notices and privacy policies should be designed with children in mind.

Proposal 20 of the Report also proposes prohibiting:

8. A right to erasure and a right to be delisted would be introduced (Proposals 18, 19, and 20)

The Privacy Act currently provides individuals with the right to access personal information about them that is held by an APP entity (see APP 12) and, if the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the right to require the APP entity to correct the information (see APP 13).

The Review Report proposes establishing several new rights for individuals over their personal information in addition to those under APPs 12 and 13. The proposed new rights would include the rights to:

These rights would be subject to exceptions for countervailing public interest or legal interests, or where compliance would be impossible, unreasonable, frivolous, or vexatious.

The Review Report also proposes introducing new obligations for entities to help individuals to exercise their rights under the Privacy Act, including obligations to:

9. A right to explanation of substantially automated decision-making is proposed (Proposal 19)

The Review Report proposes introducing several new transparency requirements concerning the use of ADM in processing of personal information. In particular:

10. Absolute opt-out from direct marketing and targeting is included in the reform (Proposal 20)

The Review Report proposes expanding the Privacy Act’s provision on direct marketing to:

The Report proposes that the Privacy Act should grant individuals an unqualified right to opt-out of the use and disclosure of their personal information for direct marketing purposes and to receiving targeted advertising. Entities would also be required to obtain individuals’ consent before trading in individuals’ personal information and, more broadly, provide information about targeting, including their use of algorithms and profiling to recommend content.

11. A controller-processor distinction would be made (Proposal 22)

Currently, the APPs apply to entities that “hold” personal information. This includes both entities that control such information and those that simply possess a record of it. During the review of the Privacy Act, the AGD received feedback that this scope of application presents compliance challenges for APP entities that hold an individual’s personal information but do not have a direct relationship with the individual (e.g., outsourced service providers).

The Review Report, therefore, proposes introducing the concepts of “controllers” and “processors” into the Privacy Act. This would expand the scope of the Privacy Act to non-APP entities that process personal information on behalf of APP entity controllers and would bring the Act closer to other data protection laws that recognize a controller-processor distinction, such as the GDPR and the data protection laws of Brazil, Hong Kong, Japan, New Zealand, Singapore, and South Korea.

If the AGD’s proposal is adopted in its current form, the Privacy Act would be amended to include the new concepts of:

12. New requirements around cross-border data transfers would be added (Proposal 23)

The Review Report recommends retaining the Privacy Act’s existing framework for cross-border data transfers (see APP 8) but proposes several additions to this framework, including:

Notably, in its 2021 discussion paper, the AGD proposed removing consent as a basis for transferring personal information out of Australia in situations where the entity has not taken reasonable steps to ensure the overseas recipient does not breach the APPs.

However, as this proposal met resistance from numerous stakeholders, the Review Report proposed retaining consent as one of several options to transfer personal information out of Australia. At the same time, the AGD also proposed adding a requirement for entities that seek to rely on consent for this purpose to consider, and specifically inform individuals of, any privacy risks that may result from cross-border transfers of their personal information.

13. Penalties would be restructured (Proposal 25)

The Review Report proposes replacing the Privacy Act’s existing penalty framework with a three-tiered framework on a scale of severity spanning:

As an alternative to issuing low-tier penalties, the Review Report proposes empowering the OAIC to issue infringement notices. The amount payable under an infringement notice is typically 20% or less of the maximum amount of the related civil penalty provision.

14. Direct right of action and statutory tort for invasion of privacy would be introduced (Proposals 26 and 27)

The Review Report proposes introducing:

The proposed direct right of action would be available to any individual or group of individuals (i.e., in a class action) who have suffered loss or damage due to a privacy interference by an APP entity. Loss or damage would need to be established within the existing meaning of the Act, including injury to the person’s feelings or humiliation.

To exercise the direct right of action, a claimant would first need to make a complaint to the OAIC and have their complaint assessed for conciliation by the OAIC or a recognized External Dispute Resolution scheme. If the complaint is deemed unsuitable for conciliation, or if conciliation is unlikely to resolve the dispute, the complainant would have the option to pursue the matter further in the Federal Court or the Federal Circuit and Family Court of Australia. Available remedies would be any order that the Court sees fit, including any amount of damages.

The proposed statutory tort for serious invasions of privacy would require a claimant to prove that there had been an intrusion into seclusion or misuse of the claimant’s private information that was committed intentionally or recklessly, in circumstances where the claimant otherwise had a reasonable expectation of privacy. The claimant would not need to prove that the invasion caused actual damage, as damages could be awarded for emotional distress. However, the claim would be subject to a “balancing exercise” in which the Court would need to be satisfied that the public interest in privacy outweighs any countervailing public interests.

Proposed defenses to the statutory tort would include:

15. Data breach notification requirements would be clarified (Proposal 28)

The Review Report also proposes amending Section 26WK(2)(b) of the Privacy Act to require an entity to prepare a statement regarding a suspected data breach and give a copy of the statement to the Information Commissioner within 72 hours.

The Report also proposes introducing new requirements that the statement must set out the steps that the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates. This requirement would be subject to exceptions for any disclosure that would require the entity to reveal personal information or where the harm from disclosure would outweigh any benefit. 

Concluding Notes

While there is still some way to go before these proposals are reflected in actual legislation, several observations can be made. First, the proposed changes in the Review Report represent some of the most extensive proposed reforms to the Privacy Act since its enactment. Second, while several of these reforms bring some parts of Australia’s privacy regime closer in line with other global equivalents like the GDPR (such as in the case of the definition of “personal information” and the controller-processor distinction), they also continue to ensure that Australia’s privacy regime remains uniquely Australian (such as the “fair and reasonable” requirement for the processing of personal data). Third, these proposals come at a time when Australia has been rocked by major data breaches, such as the Optus and Medibank data breaches, and more recently, the Latitude Financial data breach in March 2023. These data breaches may supply additional political will to implement these changes to Australia’s privacy regime. With the government’s response to these proposals expected sometime in 2023 or 2024, the FPF APAC office will continue to track these developments closely.

Shining a Light on the Florida Digital Bill of Rights

On May 4, 2023, the Florida ‘Digital Bill of Rights’ (SB 262) cleared the state legislature and now heads to the desk of the Governor for signature. SB 262 bears many similarities to the Washington Privacy Act and its progeny (specifically the Texas Data Privacy and Security Act). However, SB 262 is unique given its narrow scope of businesses regulated and other significant deviations from current trends in U.S. state privacy legislation, as well as its inclusion of a section in the style of Age-Appropriate Design Code (AADC) regulations but with broader application than the “comprehensive” parts of the bill. This blog highlights five unique and key features of the Florida Digital Bill of Rights: 

1) SB 262 includes a section on “Protection of Children in Online Spaces”, which draws inspiration from the California AADC but diverges in many key aspects.

2) The scope of the comprehensive privacy provisions of SB 262 covers only businesses making $1 billion in revenue and meeting other threshold requirements. 

3) SB 262 creates both familiar and novel consumer rights surrounding sensitive data and targeted advertising, raising compliance questions. 

4) Under SB 262, controllers and processors will have new responsibilities including creating retention schedules and disclosure obligations for the sale of sensitive or biometric data. 

5) Businesses regulated under SB 262 that utilize voice or face recognition, or have video or audio features in devices, will be subject to heightened restrictions for data collected through these services, regardless of whether the device can identify an individual.

Additionally, FPF is releasing a chart to help stakeholders assess how SB 262’s “Protections for Children in Online Spaces” compares to the California Age-Appropriate Design Code Act (California AADC).

1. The “Protection of Children in Online Spaces” Section Draws Inspiration from the California AADC but Diverges in Many Key Aspects

Many amendments were added to SB 262 at the eleventh hour, including several provisions on the ‘Protection of Children in Online Spaces’ (“Section 2”). FPF’s comparison chart assesses each requirement of Section 2 against the California AADC. Section 2 will govern a far broader set of covered entities than the bulk of SB 262’s provisions on privacy, and while it clearly incorporates language and concepts from the California AADC, it contains significant deviations in both scope and substance.

Scope of covered entities

The scope of entities subject to Section 2 is both broader and narrower than the California AADC. While the California AADC broadly applies to all online products, services, and features that are “likely to be accessed by children” under age 18, Section 2 only applies to “online platforms,” covering social media and online gaming platforms. The definition of “social media platform” includes “a form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content” and does not list any exemptions. “Online gaming platforms” is undefined. While seemingly narrower in scope than the California AADC, Section 2 contains no minimum revenue or user applicability thresholds, meaning that smaller businesses not subject to California’s law may be within scope. Additionally, it is possible that the scope of “social media platform” could encompass a number of non-obvious organizations, depending on how broadly the definition is construed.

No explicit DPIA or age estimation requirements

While Section 2 does not require a data protection impact assessment (DPIA) as required by the California AADC, it instead places a burden of proof on online platforms to demonstrate that processing personal information does not violate any of the law’s prohibitions. Covered platforms may therefore ultimately need to conduct a DPIA or similar assessment to meet this burden of proof.

Like the California AADC, Section 2 defines a child as an individual under 18, though, unlike the AADC, Section 2 does not affirmatively require age estimation. Section 2 also modifies the California AADC’s “likely to be accessed by children” standard to include predominantly likely to be accessed by children, but does not lay out any factors for assessing whether a service is likely to be accessed by children.

Prohibitions

Two key points on which Section 2 of SB 262 diverges from the California AADC are in the restrictions on processing and profiling.

Under Section 2, covered services may not process the personal information of a person under 18 if they have actual knowledge or willfully disregard that processing may result in “substantial harm or privacy risk to children.” The absence of affirmative age estimation requirements and the inclusion of an “actual knowledge or willfully disregard” knowledge standard could be a response to First Amendment objections raised in the NetChoice v. Bonta litigation seeking to strike down the California AADC. The “substantial harm or privacy risk” language is reminiscent of the California AADC’s prohibition on processing children’s data in a materially detrimental manner. However, while “material detriment” is undefined in the California AADC, Section 2 defines “substantial harm or privacy risk” to include: mental health disorders; addictive behaviors; physical violence, online bullying and harassment; sexual exploitation; the promotion and marketing of tobacco, gambling, alcohol, or narcotic drugs; and predatory, unfair, or deceptive marketing practices or other financial harms.

Both the California AADC and Section 2 contain limits on profiling of people under 18 except in certain circumstances. While both contain an exception for when necessary to provide an online service, product, or feature, the California AADC contains an exemption if the business can demonstrate a “compelling reason that profiling is in the best interests of children.” In contrast, Section 2 contains an exemption if an online platform can demonstrate a compelling reason that profiling does not “pose a substantial harm or privacy risk to children.” It is possible that the affirmative showing required by the California AADC may be a higher threshold to meet than that of Section 2, especially given that the “best interests of children” standard is undefined and is not an established U.S. legal standard outside of the family law context. Furthermore, profiling is defined more broadly in Section 2 to include “any form of automated processing performed on personal information to evaluate, analyze, or predict personal aspects relating to the economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of a child,” rather than “any form of automated processing of personal information to evaluate aspects relating to a person.”

2. The Digital Bill of Rights’ ‘Comprehensive’ Privacy Provisions Will Cover Very Few Businesses.

The types of entities subject to the remaining bulk of SB 262’s ‘comprehensive’ privacy provisions outside of Section 2 are much narrower than comparable U.S. state privacy laws, even the more limited ones. Florida SB 262 will only apply to a handful of companies that meet a threshold annual gross revenue requirement of $1 billion and either (1) make over 50% of revenue from targeted advertising, (2) operate a “consumer smart speaker and voice command component,” or (3) operate an app store with at least 250,000 software applications. This can be compared to recently enacted privacy laws in Iowa and Indiana, which will apply to businesses that either process personal data of at least 100,000 state residents or derive 50% of gross revenue from the sale of personal data of at least 25,000 consumers. Though the terms “targeted advertising” and “consumer smart speaker” in SB 262 could be construed liberally, the revenue requirement means that Floridians will not receive new rights or protections with respect to the vast majority of businesses that collect their personal data in the Sunshine State.

3. The Bill Creates A Complex Stack of both Familiar and Novel Consumer Rights 

SB 262 will establish many rights that are now familiar from U.S. state privacy laws, including confirmation of processing, correction of inaccuracies, deletion, obtaining a copy of a person’s personal data in a portable format, and the ability to opt out of “solely” automated profiling in furtherance of decisions that produce legal or similarly significant effects. However, there are a number of new and unique provisions in the consumer rights sections: 

4. Controllers and Processors Will Have New Responsibilities for Purging Data and Disclosing Certain Practices

Unlike existing comprehensive state privacy laws, SB 262 would require that covered businesses and their processors implement a retention schedule for the deletion of personal data. The text of this provision appears influenced by the Illinois Biometric Information Privacy Act (BIPA). Under SB 262, controllers or processors may only retain personal data until (1) the initial purpose for the collection was satisfied; (2) the contract for which the data was collected or obtained is expired or terminated; or (3) two years after the consumer’s last interaction with the regulated business (subject to exceptions). However, unlike BIPA, SB 262 would not require that the retention schedule be made publicly available and would permit retention necessary to prevent or detect security incidents.

Further, in addition to the typical privacy notices required by state comprehensive laws, SB 262 creates two distinct disclosure requirements. First, again similar to Texas HB 4, if a controller sells sensitive or biometric data, they must provide the following notice: “NOTICE: This website may sell your [sensitive and/or biometric] personal data and/or biometric personal data.” Second, a controller that operates a search engine is required to disclose the main parameters in ranking results, “including the prioritization or deprioritization of political partisan or political ideology” in search results.

5. Businesses that Utilize Voice or Face Recognition, or Have Video or Audio Features in Devices, Have Particular but Perplexing Obligations

Finally, one of SB 262’s most unique provisions is a requirement that covered businesses may not provide consumer devices that engage in “surveillance” when not in active use unless “expressly authorized” by the consumer. Though “surveillance” and “active use” are not defined, the prohibition applies to devices that have any of the following features: voice recognition, facial recognition, video recording, audio recording, “or other electronic, visual, thermal, or olfactory feature” that collects data. SB 262 further fails to define “express authorization,” raising questions as to whether express authorization is analogous to “consent” under the bill, or if a higher standard will be required for express authorization, such as that required in the recently enacted Washington State “My Health, My Data” Act.

SB 262 further provides consumers with the right to opt out of personal data collected by voice or face recognition systems. Voice recognition is broadly defined as collecting, storing, analyzing, transmitting, and interpreting spoken words or other sounds, seemingly encompassing almost all audio-based consumer-facing systems. Facial recognition and the other features are not defined, though one can infer they would have a similarly broad definition to voice recognition. As a result, despite SB 262’s requirement that “biometric data” be used for unique identification of an individual in order to be subject to the legislation’s requirements for sensitive data, most general voice and face systems unrelated to identification will still need to provide consumers the ability to opt out under these provisions. These restrictions and requirements may prove difficult for the functionality of some products that rely on these features, such as accessibility features that use natural language processing to transcribe spoken words. Moreover, despite SB 262’s revenue threshold, these prohibitions and restrictions will likely flow down, through contractual agreements and requirements, to any other entity utilizing (or having a software plug-in to) voice assistant devices like Amazon Echo or Apple Siri for customer service, customer ordering, or other forms of user engagement.

Conclusion

Given that many of the consumer rights and business obligations of SB 262 will directly apply to very few businesses, it is understandable why the Florida Digital Bill of Rights may have flown under the radar thus far. However, SB 262 is worth a close read, particularly the short-but-impactful section on “Protection of Children in Online Spaces” and the provisions creating novel consumer rights. Given Governor DeSantis’ public support for the legislation, we can anticipate the Digital Bill of Rights will be enacted shortly and will go into effect on July 1, 2024, giving stakeholders just over a year to understand compliance obligations. We note, however, that the specific consumer rights and business obligations under SB 262 may evolve, as the State Attorney General’s office is granted both mandatory and permissive rulemaking authority.

New FPF Report: Unlocking Data Protection by Design and by Default: Lessons from the Enforcement of Article 25 GDPR

On May 17, the Future of Privacy Forum launched a new report on enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report draws from more than 92 data protection authority (DPA) cases, court rulings, and guidelines from 16 EEA member states, the UK, and the EDPB to provide an analysis of enforcement trends regarding Article 25. The identified cases cover a spectrum of personal data processing activities, from accessing online services and platforms, to tools for educational and employment contexts, to “emotion recognition” AI systems for customer support, and many more.

The Report aims to explore the effectiveness of the DPbD&bD obligations in practice, informed by how DPAs and courts enforced Article 25. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the regulation and what provisions enforcers tend to apply together with Article 25 the most, including the general data protection principles and requirements related to data security under Article 32. We also look at what controls and controller behavior are and are not deemed sufficient to comply with Article 25.

The GDPR’s DPbD&bD provisions in Article 25 oblige controllers to: 1) adopt technical and organizational measures (TOMs) that, by design, implement data protection principles into data processing and protect the rights of individuals whose personal data is processed; and 2) ensure that only personal data necessary for each specific purpose is processed. Given the breadth of these obligations, it has been argued that Article 25 makes the GDPR “stick” by bridging the gap between its legal text and practical implementation. GDPR’s DPbD&bD obligations are seen as a tool to enhance accountability for data controllers, implement data protection effectively, and add emphasis to the proactive implementation of data protection safeguards.

Our analysis on the enforcement, and ultimately the effectiveness, of Article 25 is all the more important, given the increasing development and deployment of novel technologies involving very complex personal data processing, like Generative AI, and rising data protection concerns. Understanding how Article 25 obligations manifest in practice and the requirements of DPbD&bD may prove essential for the next technological age.

This Report outlines and explores the key elements of GDPR Article 25, including the:

Additionally, we analyze the individual concepts of “by Design” and “by Default,” identify divergent enforcement trends, and explore three common applications of Article 25 (direct marketing, privacy preservation and Privacy Enhancing Technologies (PETs), and EdTech). This Report also includes a number of Annexes that seek to provide more information on the specific cases analyzed and a comparative overview of DPA enforcement actions. 

Our analysis determines that European DPAs diverge in how they interpret the preventive nature of Article 25 GDPR. Some are reluctant to find violations in cases of isolated incidents or where Article 5 GDPR principles are not violated, while others apply Article 25 preventively before further GDPR breaches or even planned data processing. Our research also finds that most DPAs are reluctant to specify appropriate protective measures and to explicitly outline the role of PETs. Ultimately, the Report shows that despite the novelty of Article 25, and the criticism surrounding its vague and abstract wording, it is a frequent source of some of the highest GDPR fines, highlighting the need for organizations to maintain a firm grasp over the concepts of DPbD&bD.

Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context

Author: Kat MH Hille

The following is a guest post to the FPF blog from Kat MH Hille, an attorney with expertise in corporate, aviation, and data protection law. She graduated with a J.D. from the University of Iowa, School of Law, and has extensive experience practicing law in both the United States and Vietnam (contact: https://www.linkedin.com/in/katmhh/). The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.

On April 17, 2023, the Vietnamese Government promulgated the Decree on Personal Data Protection (Decree), which was initially published as a draft on February 9, 2021 and went through several revisions. Before the Decree’s issuance, personal data protection in Vietnam was governed by 19 different laws and regulations, resulting in a fragmented legal framework. The Decree aims to fill these gaps and provide a comprehensive and uniform approach to personal data protection in Vietnam, extending safeguards for personal data to over 97 million people.

This post provides an overview of the Decree, including key dates, context, legal effects, and requirements, and how they compare with other comprehensive data protection regimes around the world. Building on this foundation, the post then turns to certain key provisions and notable features of the Decree that warrant attention, including:

These provisions will be discussed in detail below.

1. Overview

The Decree is significant despite its lower status in Vietnam’s hierarchy of laws

As personal data protection is a new and developing area of law in Vietnam, Vietnam’s first legislative instrument on personal data protection takes the form of a “decree,” which ranks lower in Vietnam’s statutory hierarchy than a code or law and is the result of executive action. A benefit of enacting a decree is that it can be adopted more easily, without the need for approval from the National Assembly. Nevertheless, the Vietnamese Government’s goal is to ultimately enact a comprehensive and robust law for effective and enforceable personal data protection in 2024, according to a Decision issued by the Prime Minister in January 2022.

However, the Decree’s status means that in the event of conflicting regulations on the same issue, codes and laws would take precedence over the Decree. That said, the Decree remains the first comprehensive personal data protection regulation in Vietnam. Despite its lower legal status, the Decree still carries significant weight and impact in regulating personal data protection in Vietnam, and those who fail to comply with its provisions will still face legal consequences.

The Decree incorporates a unique blend of global standards and Vietnamese characteristics

Like other data protection laws inspired by the European Union (EU)’s General Data Protection Regulation (GDPR), the Decree sets out the responsibilities of organizations and individuals that process personal data, as well as the rights of  individuals over their personal data. 

However, the Decree also includes unique provisions that are specific to Vietnam’s context, such as a prohibition on the sale and purchase of personal data through any means, unless otherwise provided by law (Article 3.4), which may have significant consequences for data brokers and other businesses engaged in the commodification of personal data. Additionally, organizing the collection, transfer, purchase, or sale of personal data without the consent of the data subject, as well as setting up software systems or implementing technical measures for these purposes, constitutes a violation of the Decree.

The Decree introduces the concept of “Personal Data Controllers and Processors,” which are entities or individuals that function both as Personal Data Controllers and Personal Data Processors. This definition is unique to the Decree and distinguishes it from other data protection laws around the world that typically only recognize the separate categories of Personal Data Controllers and Personal Data Processors. While the inclusion of Personal Data Controllers and Processors is meant to provide greater clarity and precision in defining the roles and responsibilities of different actors involved in personal data processing, it may actually add unnecessary complexity to the already complex landscape of privacy laws. This is because a single entity could be classified as both a Personal Data Controller and a Personal Data Processor depending on the specific definition being used, making it difficult to navigate and comply with the requirements of different privacy laws across different jurisdictions.

Further, the enacted Decree does not include a specific fine structure for violation of the Decree (the 2021 draft of the Decree proposed specific fines for single violations of the Decree, including fines of up to 5% of a personal data processor’s revenue for the most serious violations). Rather, the enacted Decree outlines a general provision that violators may be subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the seriousness of the offense. 

Furthermore, compared with the 2021 draft of the Decree, the final Decree does not provide for the establishment of a personal data protection commission to enforce the regulation. Rather, the Decree assigns responsibility for enforcing its requirements to an existing agency within the Ministry of Public Security (MPS), the Cybersecurity and High-Tech Crime Prevention Department (A05).

While MPS will need to clarify key provisions in subsequent regulations, the Decree creates the first comprehensive foundation to govern data processing activities in Vietnam. The Decree will take effect on July 1, 2023, giving organizations only two months to make the necessary adjustments to their business and operations in order to comply with the new regulations. Significant aspects of the Decree are explored below in greater detail.

2. The (extra)territorial scope introduces a nationality criterion for covered entities

The Decree applies to Vietnamese agencies, organizations, and individuals (whether based within or outside of Vietnam), and to foreign agencies, organizations, and individuals that are either based in Vietnam or that are based overseas and directly participate in or are otherwise involved in personal data processing activities in Vietnam. 

Note that “personal data processing” covers a wide range of activities in relation to personal data, including collection, recording, analysis, verification, storage, alteration, disclosure, combination, access, retrieval, erasure, encryption, decryption, copying, sharing, transmission, provision, transfer, and deletion, as well as other related actions (Article 2.7).

There is still ambiguity as to the distinction between being “involved in” and “directly participating in” personal data processing activities, as well as the level of involvement with such activities that would bring a party within the scope of the Decree. Clarity on these issues through further regulations or guidance would be useful, especially considering that many third-party service providers or software vendors may arguably have some involvement in processing personal data.

3. The Decree recognizes a slightly different set of covered actors than other data protection laws

The Decree covers four categories of parties who process personal data: personal data controllers (PDCs), personal data processors (PDPs), personal data controllers and processors (PDCPs), and third parties (TPs):

In recognizing a distinction between controllers and processors, the final Decree removes ambiguity that was present in the 2021 draft of the Decree, which only provided for two categories of actors: personal data processors and third parties.

4. New processing principles, such as “no sale and purchase of personal data by any means”

The Decree outlines eight principles that govern data processing activities, which are similar to those recognized by the GDPR, including lawfulness, transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, and appropriate measures to ensure the security of personal data. However, there are some notable differences.

Sale or Purchase of Personal Data: The Decree takes a more stringent stance than the GDPR by explicitly prohibiting the sale and purchase of personal data in any form, unless otherwise permitted by law. However, another provision in the Decree states that the act of “setting up software systems, technical measures or organization of the … purchase and sale of personal data without the consent of the data subject” is a violation (Article 22). Read together, the two provisions appear to imply that the purchase or sale with consent from the data subject could be permissible. Due to its ambiguity, further clarification is needed.

This stringent prohibition is a direct response to the numerous cases of personal data misuse that have occurred in Vietnam in recent years, including identity theft, financial fraud, intrusive advertising, and the exploitation of vulnerable individuals. A report showed that in 2022 alone, more than 17 million pieces of personal data were illegally harvested and sold for fraud, and that each personal data entry was traded 987 times per day. However, the inclusion of a strict prohibition may also have a significant impact on industries that rely heavily on the use of personal data to drive innovation and business growth. It is possible that future circulars or guidelines may provide more clarity on this issue, including potential exceptions or allowances for certain use cases.

Notwithstanding this broad prohibition, PDCs and PDCPs may still share personal data with others if they obtain the data subject’s consent to do so, except when such sharing could harm national defense, national security, or public order and safety or could affect the safety or physical or mental health of others (Article 14). However, business entities and individuals providing marketing, product launching, and advertising services may only utilize personal data of their customers collected through their own business activities for conducting such services, if they obtain the data subject’s consent (Article 21).

Purpose Limitation: The Decree imposes a stricter purpose limitation compared to the GDPR, which allows for additional processing if it is compatible with the original purpose. Under the Decree, personal data can only be processed for the specific purposes that have been “registered” or “declared” by the PDC, PDP, PDCP, or TP. This requires these entities to ensure that their data processing activities do not deviate from or expand upon the registered and declared purposes. However, it is important to note that the Decree does not provide any guidance on how processing purposes are to be registered.

5. Covered data: broad definition of sensitive personal data, and stricter accountability rules for its processing

The Decree provides a broad definition of personal data, aligned with other comprehensive data protection laws. It defines personal data as any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in an electronic environment that is associated with a particular natural person or helps identify a particular natural person. Personally identifiable information means any information that is formed from the activities of an individual and, when used with other maintained data and information, can identify such particular natural person.

The Decree categorizes personal data into two groups: basic personal data and sensitive personal data, and includes an additional set of rules for the latter. 

Basic personal data includes the following forms of personal data:

Sensitive personal data is defined as personal data related to an individual’s privacy, a breach of which would directly affect the individual’s legitimate rights and interests. 

The Decree provides a non-exhaustive list of types of personal data that would be considered sensitive, including:

The list of sensitive personal data provided is more extensive than the GDPR’s definition of sensitive personal data. It includes types of data such as customer information from financial institutions and location data obtained through location services. As non-cash transactions and targeted advertising become increasingly prevalent in Vietnam, these types of data are frequently collected by most businesses. As a result, a wider range of entities, including small and medium businesses, may be subject to sensitive personal data protection requirements due to the broad scope of the list.

The Decree imposes more stringent protection measures for sensitive personal data than for basic personal data. For instance, regulated entities that process sensitive personal data must specifically notify data subjects of any processing of their sensitive personal data. Organizations that are covered by the Decree also must designate a department within their organization and appoint an officer which will be responsible for overseeing the protection of sensitive personal data and communicating with the A05.

Nevertheless, it is important to note that small, medium, and start-up enterprises are given a grace period of 2 years from their establishment to comply with these sensitive data requirements, unless such enterprises are directly engaged in processing personal data (Article 43). To qualify for the exemption, companies in agriculture, forestry, aquaculture, industrial, and construction sectors must have fewer than 200 employees and annual revenue below 200 billion Vietnamese dong (equivalent to approximately 8.7 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD), while commercial and service sector companies must have fewer than 100 employees and annual revenue below 300 billion Vietnamese dong (approximately 13 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD) in accordance with Decree No. 80/2021/ND-CP (2021) on Elaboration of Articles of the Law on Provision of Assistance for Small and Medium Enterprises.

6. Legal bases for processing personal data: no “legitimate interests,” but introducing “publicly disclosed” personal data

The Decree recognizes six legal bases for processing personal data, namely:

Additionally, under Article 18 of the Decree, competent governmental agencies may obtain personal data from audio and video recording activities in public places without the consent of data subjects. However, when conducting recording activities, the authorized agencies and organizations are responsible for informing data subjects that they are being recorded.

Notably, the Decree does not provide a “legitimate interests” lawful ground like the GDPR. Nevertheless, legitimate interests are recognized in other provisions of the Decree. In particular, Article 8 stipulates “Prohibited Acts,” including processing personal data to create information that affects the “legitimate rights and interests of other organizations and individuals”.

As for “valid consent”, there are several conditions that must be met when obtaining it, pursuant to Article 11 of the Decree:

The given consent remains valid until it is withdrawn by the data subject or until a competent state agency requests otherwise in writing. PDCs and PDCPs bear the burden of proof in case of a dispute regarding the lack of consent from a data subject. 

Data subjects may request to withdraw their consent to processing of their personal data (Article 12). When a data subject does so, the PDC or PDCP must inform the data subject of any potential negative consequences or harms from the withdrawal of consent.

If the data subject still wishes to proceed, all parties involved in processing the personal data, including the PDC or PDCP and any PDPs or TPs, must cease processing the personal data. There is no set time frame for fulfilling this obligation, but it should be done within a reasonable period of time. 

The withdrawal of consent must be in a format that can be printed, copied in written form, or verified electronically. The withdrawal of consent shall not render unlawful any data processing activities that were lawfully performed based on the consent given prior to the withdrawal.

7. The rights of the data subject include transparency and control rights, but also rights to legal remedies

Article 9 of the Decree provides data subjects with 11 rights over their personal data, which are linked to corresponding obligations on entities that process personal data:

Note that all of these rights are subject to exceptions provided by the Decree or other relevant laws.

7.1. Transparency requirements include detailed notices and access rights on a tight deadline

According to Article 11 and 13, before processing a data subject’s personal data, a PDC or PDCP must provide a notification to the data subject containing the following information:

However, such notification is not required when personal data is being processed by a competent state authority or if the data subjects have been fully informed of, and have given valid consent to, the processing of their personal data.

Data subjects have the right to request that PDCs and PDCPs provide them with a copy of their personal data or share a copy of their personal data to a third party acting on their behalf (Article 14). The PDC or PDCP must fulfill such a request within 72 hours of receiving it. 

The request must be submitted in the Vietnamese language and made in a standardized format as set out in the Appendix to the Decree. The request must include the requester’s full name; residential address; national identification number, citizen identification card number, or passport number; fax number, telephone number, and email address (if any); and the form of access and the reason and purpose for requesting the personal data. The data subject must also specify the name of the document, file, or record to which their request pertains (Article 14.6). This requirement can impose a significant burden on data subjects, as they may not always be fully aware of which documents or records contain their personal data. Additionally, the complexity of data processing can further complicate matters and make it difficult for the data subject to identify the relevant documents.

It is important to note that, unlike the GDPR, the Decree does not require a PDC or PDCP to provide data subjects with comprehensive information about the processing of their personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. 

Moreover, there are certain circumstances in which a PDC or PDCP are not required to provide the data subject with a copy of their personal data. These include where:

7.2. The Decree provides for an absolute right to object to processing, as well as correction and deletion rights

A PDC or PDCP must promptly fulfill a data subject’s request to access their personal data, correct their personal data, or have their personal data corrected, according to Article 15.

The PDP and any third party are authorized to edit the personal data of the data subject only after obtaining written consent from the PDC or PDCP and ensuring that the data subject has given their consent.

If the PDC or PDCP is unable to fulfill the request due to technical or other reasons, the PDC or PDCP must notify the data subject within 72 hours. 

If a data subject requests that the processing of their personal data be restricted or otherwise objects to the processing of their personal data, the PDC or PDCP must respond to the request within 72 hours of receiving it (Article 9). 

One important difference between this requirement and the one in the GDPR is that the Decree does not provide any exceptions to this requirement. Under the GDPR, a controller may be able to demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or may be able to claim that they need the data for the establishment, exercise, or defense of legal claims.

According to Article 16, the PDC or PDCP must delete personal data about a data subject within 72 hours of a request by the data subject, if:

Personal data shall be deleted irretrievably by the PDC, PDCP, PDP, and/or TP if it was processed for improper purposes or the consented purpose(s) has been fulfilled, if storage is no longer necessary, or if the entity responsible for the data has dissolved or terminated business operations due to legal reasons.

Like the GDPR, the Decree recognizes certain exceptions to the right to delete personal data, such as where:

However, unlike the GDPR, personal data that has been lawfully made available to the public is also exempt from the right to deletion (Article 18). As a result, the PDC or PDCP may reject a data subject’s request to delete personal data that has become public, regardless of whether there are any other lawful grounds for retaining such data. This differs from the GDPR, which does not provide exceptions based solely on the public availability of data.

8. Obligations of Controllers and Processors, from written processing agreements to data security and accountability obligations

PDPs are under an obligation to only receive personal data from a PDC after signing an agreement on data processing with the PDC and only process the data within the scope of that agreement (Article 39). The Decree also provides that personal data must be deleted or returned to the PDC upon completion of the data processing.

8.1. Data security and data breach notification requirements

The Decree has dedicated data security requirements for PDCs. For instance, Article 38 asks them to implement organizational and technical measures, as well as appropriate security and confidentiality measures to ensure that personal data processing activities are conducted lawfully. They also need to review and update these measures as necessary, and record and store a log of the system’s personal data processing activities.

Appropriate security measures are also relevant in the PDC – PDP relationship, as PDCs must select a suitable PDP for specific tasks and only work with a PDP that has appropriate protection measures in place. Interestingly, both PDCs and PDPs have a distinct obligation to cooperate with the MPS and competent state agencies by providing information for the investigation and handling of any violations of the laws and regulations on personal data protection.

Organizations and individuals involved in personal data processing must implement measures to protect personal data and prevent unauthorized collection of personal data from their systems and service devices. Article 22 of the Decree also prohibits the use of software systems, technical measures, or the organization of activities for the collection, transfer, purchase, or sale of personal data without the consent of the data subject.

Under Article 23 of the Decree, in the event of a violation of personal data protection regulations, both the PDC and the PDP, or PDCP, are required to promptly inform the A05. The notification must be made no later than 72 hours after the violation occurred. If the notification is delayed, the reason for the delay must be provided. The current wording in the Decree is broad and without further clarifications and guidance it could be interpreted as meaning a notification is required for any violation of the Decree, not just for data breaches. 

The notification must include a detailed description of the violation, such as the time, location, act, organization or individual involved, types and amount of personal data affected, contact details of those responsible for protecting personal data, potential consequences and damages of the violation, and measures taken to resolve or minimize harm. If it is not feasible to provide a complete notification at once, it can be done incrementally or progressively.

However, Decree 13 does not provide a specific procedure for A05 to handle complaints related to personal data protection violations. Further guidance or clarifications may be issued in the future.

8.2. “Impact Assessment Reports” that have to be made available for inspection

Article 24 of the Decree requires PDCs and PDCPs to compile an impact assessment report (IAR) from the commencement of personal data processing and make the report available for inspection by the A05 within 60 days thereafter.

The IAR must contain:

PDPs are also required to compile an IAR. However, the required content is slightly different, reflecting the difference in roles between PDCs/PDCPs and PDPs. For instance, the Decree requires a PDP to provide a description of the processing activities and types of personal data processed, rather than stating the purpose(s) for processing the data.

9. Cross-Border Data Transfers have a legal definition and a registration requirement

Article 25 of the Decree defines a cross-border transfer of personal data as:

This definition includes the:

In the absence of further specification and relying on a literal reading of the wording in Article 25, a possible interpretation of this definition is that processing outside of Vietnam the personal data of Vietnamese citizens who live outside Vietnam would also qualify as a cross-border data transfer under the Decree. If this interpretation is correct, it would mean that all foreign organizations or individuals processing personal data outside of Vietnam would be subject to the Decree’s “cross-border data transfer” requirements even if there is no actual border of Vietnam involved, insofar as they process the personal data of Vietnamese citizens. It should be noted that the scope of the Decree, as stipulated in Article 1.2, only applies to foreign agencies, organizations, and individuals that are in Vietnam or that directly participate or are involved in the personal data processing activities in Vietnam. This ambiguity may be clarified in a guidance document in the future.

Before a covered entity may transfer personal data out of Vietnam, the Decree requires that the entity must:

The DTA must contain the following information:

In light of the consent disclosure required as part of the DTA and in the absence of further regulatory guidance, it seems that consent is the only basis for cross-border transfers. In addition to all requirements for a valid consent, in the context of cross-border transfers, the consent shall include a clear explanation of the feedback mechanism and the available procedures for lodging complaints in the event of incidents or requests, ensuring a comprehensive understanding for the individuals involved.

The MPS will conduct inspection of the DTA annually unless a violation, data incident, or leakage occurs. The MPS may cease transfers in cases where:

It should be noted that data localization is separately governed under Decree No. 53/2022/ND-CP, which implements the Law on Cybersecurity. The decree applies to both domestic and foreign companies operating in Vietnam’s cyberspace, specifically those providing telecom, internet, and value-added services that collect, analyze, or process private information or data related to their service users. According to the decree, these companies must store the data locally and have a physical presence in Vietnam. They are also required to retain the data for a minimum of 24 months. The types of personal data subject to localization include “(i) personal information of cyberspace service users in Vietnam in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual; (ii) data generated by cyberspace service users in Vietnam, including account names, service usage timestamps, credit card information, email addresses, IP addresses from the last login or logout session, and registered phone numbers linked to accounts or data; (iii) data concerning the relationships of cyberspace service users in Vietnam, such as friends and groups with whom these users have connected or interacted.” (Article 26, Decree 53). The governing authority responsible for these regulations is A05 as well.

However, it remains unclear from the provided information whether personal data falling within the scope of Decree 53 can be transferred cross-border after fulfilling all requirements, including obtaining valid consents from data subjects. It is possible that the regulations are strictly interpreted to prohibit cross-border transfers for such types of data.

10. Specific Requirements for Children Personal Data

Like the GDPR, Article 20 of the Decree provides special protection for children’s personal data, with a focus on safeguarding their rights and best interests. However, the age threshold for obtaining valid consent differs between the two laws. In Vietnam, the Decree requires the consent of a parent or legal guardian and, for children aged seven or older, the consent of the child as well, while under the GDPR only individuals aged 16 or older (a threshold Member States may lower to 13) can give consent independently for the processing of their personal data.

It is important to note that in Vietnam, children under the age of 16 are not considered to have legal capacity, meaning that they cannot legally enter into contracts on their own behalf except in exceptional cases. As such, the effect of the child’s consent absent that of a parent or legal guardian is not entirely clear, although the requirement to obtain consent from the child was likely included in the Decree to reflect the child’s opinion on the processing of their personal data.

PDCs, PDPs, PDCPs, and TPs must verify the age of children before processing their personal data. However, the Decree does not explicitly provide an age verification process. Processing of children’s personal data must cease, and the personal data must be deleted irretrievably, where:

The Decree states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data, leaving it unclear whether the child can revoke their consent and have their data deleted if they wish to do so.

Conclusion

Vietnam’s new Decree on Personal Data Protection marks a significant milestone in protecting personal data in the country. The Decree introduces key concepts and principles of personal data protection, and sets out specific requirements for data processors and controllers. It also establishes a regulatory framework for obtaining consent for data processing activities, cross-border data transfers, and children data protection, which can contribute to safeguarding the privacy and security of individuals’ personal data.

While the Decree addresses many of the current challenges facing personal data protection in Vietnam, there are still gaps that need to be addressed in forthcoming guiding documents, including: the lack of a specific procedure for handling complaints related to personal data protection violations; the conflicting provisions on the sale of personal data, which need to be clarified; the impact of cross-border data transfers and the need for clear guidelines and requirements for such transfers; and a more defined fine structure. Forthcoming guidance should also address automated processing and establish rules for biometric data. As Vietnam continues to develop its data protection laws, it is important for the law to address key issues such as automated personal data processing, biometrics and facial recognition, global baseline standards for data transfers, and the need to balance business development with data protection.

In conclusion, the country’s commitment to personal data protection and privacy is a crucial step in the digital age. As Vietnam continues to strengthen its data protection framework, it will be interesting to see how it aligns with, and how it contributes to emerging frameworks in the region and around the world.

Editors: The success of this article would not have been possible without the dedicated efforts of Dominic Paulger, Josh Lee Kok Thong, and Isabella Perera, as well as the tremendous encouragement of Dr. Gabriela Zanfir-Fortuna from the Future of Privacy Forum.