5 Highlights from FPF’s “AI Out Loud” Expert Panel

On Wed., April 14th, FPF hosted an expert panel discussion on “AI Out Loud: Representation in Data for Voice-Activated Devices, Assistants.” FPF’s Senior Counsel and Director of AI and Ethics, Brenda Leong, moderated the panel featuring Anne Toth, the Director of Alexa Trust, Amazon; Irina Raicu, Internet Ethics Program Director, Markkula Center for Applied Ethics, Santa Clara University, and Susan Gonzales, CEO, AIandYou.

The panel discussed voice-activated systems, such as at home, on mobile devices, and in cars or other commercial applications, to consider how design choices, data collection, and ethics evaluations can affect bias, fairness, and accessibility concerns. This technology offers many benefits and opportunities for quality of life–accessibility for young/aging or disabled populations, convenience, and interactivity across devices and services. But it also carries specific risks including privacy concerns, responsible data management frameworks, legal compliance, and equity and fairness values.

Here are 5 key highlights from “AI Out Loud”: 

1. Irina Raicu pointed out the need for improvements to design and development processes to ensure inclusiveness, equity, accessibility, and safety for users of these systems. She recommended including all stakeholders to share how these technologies directly impact them. She also pointed out the need for caution on new applications of these systems, such as for emotion detection or medical diagnosis, until the supporting research is strong enough to justify such uses.

2. Susan Gonzales pointed out that the technology behind these systems still faces significant accuracy challenges. A Stanford study found some error rates almost twice as high for blacks as whites. In general, word error rates, the most common metric for evaluating these systems, show lower accuracy for those with strong accents, speaking a second language, with heavy dialects, and in many cases, across age and gender.

3. The potential harms caused by inaccuracies can vary with context and use case. While poor song recommendations or inaccurate recipe ingredients are relatively low impact, mistakes for those asking about medication, or relying on voice assistants for access to personal accounts and services might carry greater repercussions. Those most dependent on these systems may also be those most at risk for poor results. Ethical standards demand that reliability be sufficiently high for all users. 
   
4. Anne Toth pointed to the significant advances in accuracy and representation in recent years, as more people engage with these devices in a broader variety of contexts. She confirmed Amazon’s commitment to continuous improvement based on the increased, and more diverse, amounts of voice data available, while also prioritizing personal privacy, and personal access and control by users over their data.
   
5. To ensure fairness, inclusiveness, and accessibility in designing these technologies, designers and developers must address diversity at all stages from inception to launch. Companies should collaborate with advocacy groups, civil society, and academia to seek outcomes that provide equitable services to all potential users.

Watch the expert panel on FPF’s YouTube Channel and visit our events page for upcoming opportunities. 

U.S. Department of Education Opens an Investigation into Pasco County’s Predictive Policing Program

This post was originally released on studentprivacycompass.org, and can be found here.

On Friday, the U.S. Department of Education opened an investigation into the data-sharing practices between Florida’s Pasco County sheriff’s office and school district. First uncovered in November 2020 by reporting by the Tampa Bay Times, the Department will be investigating the school district’s partnership with the sheriff’s office, which allowed the sheriff to use student grades, attendance, disciplinary records, and aspects of their home life to identify and target students “at-risk” of criminal activity. FPF applauds the Department’s decision to investigate this concerning partnership. Any school data-sharing partnership must value student privacy and build in community trust and transparency—before the Tampa Bay Times story, parents and students in Pasco County were completely unaware of the sheriff’s practices. 

In December 2020, FPF analyzed the sheriff’s public documentation and contract with the school board, concluding that the sheriff’s office unlawfully accessed and used student records for their database in violation of the Family Educational Rights and Privacy Act, FERPA, as well as their contract with the school board. Amelia Vance, FPF’s Director of Youth and Education Privacy, was quoted in the original Tampa Bay Times article revealing the program, noting that

“The law does say school resource officers can access education records because they can be considered ‘school officials.’ But under most circumstances, they can’t share the records with the rest of the department. And they can’t use them in a law enforcement investigation without permission from a parent, unless there is a court order or a health and safety emergency.”

The Department’s announcement follows significant public outcry. Unfortunately, the Department has refused to share the letter during the early stages of its investigation. In January, Representative Bobby Scott (D-VA), Chair of the House Education and Labor Committee, called on the Department to investigate the program for FERPA violations. In his letter Rep. Scott decried the program, noting “this use of student records goes against the letter and spirit of FERPA and risks subjecting students, especially Black and Latino students, to excessive law enforcement interactions and stigmatization.”

FPF Report Outlines Opportunities to Mitigate the Privacy Risks of AR & VR Technologies

A new report from the Future of Privacy Forum (FPF), Augmented Reality + Virtual Reality: Privacy & Autonomy Considerations in Emerging, Immersive Digital Worlds, provides recommendations to address the privacy risks of augmented reality (AR) and virtual reality (VR) technologies. The vast amount of sensitive personal information collected by AR and VR technologies creates serious risks to consumers that could undermine the adoption of these platforms and limit their utility.

“XR technologies are rapidly being adopted by consumers and increasingly being used for work and for education. It’s essential that guidelines are set to ensure privacy and safety while business models are being established,” said FPF CEO Jules Polonetsky. 

The report considers current and future use cases for XR technology, and provides recommendations for how platforms, manufacturers, developers, experience providers, researchers, and policymakers should implement XR responsibly, including: 

• Policymakers should carefully consider how existing or proposed data protection laws can provide consumers with meaningful rights and companies with clear obligations regarding XR data;
• Hardware makers should consider how XR data collection, use, and sharing can be performed in ways that are transparent to users, bystanders, and other stakeholders;
• XR developers should consider the extent to which sensitive personal data can be processed locally and kept on-device;
• XR developers should ensure that sensitive personal data is encrypted in transit and at rest;
• Platforms and XR experience providers should implement rules about virtual identity and property that mitigate, rather than increase, online harassment, digital vandalism, and fraud;
• Platforms and XR experience providers should establish clear guidelines that mitigate physical risks to XR users and bystanders; 
• Researchers should obtain informed consent prior to conducting research via XR technologies and consider seeking review by an Institutional Review Board (IRB) or Ethical Review Board (ERB) if consent is impractical;
• Platforms and XR experience providers should provide a wide-range of customizable avatar features that reflect the broader community, encouraging representation and inclusion; and
• Platforms and XR experience providers should consult with the larger community of stakeholders including, industry experts, advocates, policymakers, XR users, and non-XR users, and integrate community feedback into decisions about software and hardware design and data collection, use, and sharing.

“XR technologies provide substantial benefits to individuals and society, with existing and potential future applications across education, gaming, architectural design, healthcare, gaming, and much more,” said FPF Policy Counsel and paper author Jeremy Greenberg. “XR technology systems often rely on biometric identifiers and measurements, real-time location tracking, and precise maps of the physical world. The collection of such sensitive personal information creates privacy risks that must be considered by stakeholders across the XR landscape in order to ensure this immersive technology is implemented responsibly.” 

The release of the report kicks off the start of FPF’s XR Week of activities, happening from April 19^thto 23^rd. XR Week will explore key elements of the report in greater detail, including the differences between various immersive technologies, their use cases, important privacy and ethical questions surrounding XR technologies, compliance challenges associated with XR technologies, and how XR technology will continue to evolve. 

FPF’s featured XR Week event, AR + VR: Privacy & Autonomy Considerations for Immersive Digital Worlds will include a conversation between FPF Policy Counsel Jeremy Greenberg and Facebook Reality Labs Director of Policy James Hairston, followed by a panel discussion with Magic Leap Senior Vice President Ana Lang, Common Sense Media Director of Platform Accountability and State Advocacy Joe Jerome, and behavioral scientist Jessica Outlaw. 

To register and learn more about FPF’s other XR Week events, read this blog post.

FPF Testifies on Automated Decision System Legislation in California

Last week, on April 8, 2021, FPF’s Dr. Sara Jordan testified before the California House Committee on Privacy and Consumer Protection on AB-13 (Public contracts: automated decision systems). The legislation passed out of committee (9 Ayes, 0 Noes) and was re-referred to the Committee on Appropriations. The bill would regulate state procurement, use, and development of high-risk automated decision systems by requiring prospective contractors to conduct automated decision system impact assessments. 

At the hearing, Dr. Jordan commented as an expert witness alongside Vinhcent Le, who represented The Greenlining Institute. Dr. Jordan commended the sponsors for amending the definition of “automated decisionmaking” to account for the wide range of technical complexity in automated systems. In addition, Dr. Jordan testified that the government contract stage is an appropriate stage for the introduction of algorithmic impact assessments for high-risk applications of automated decisionmaking. This would allow authorities in California to evaluate technology before it is implemented using transparent and actionable assessment criteria.

• Read FPF’s comments on AB-13 here.
• Read AB-13 (Public contracts: automated decision systems) here. 
• Find FPF’s infographic “The Spectrum of Artificial Intelligence” (Jan. 2021) here. 
• Read FPF’s Paper “Unfairness by Algorithm: Distilling the Harms of Automated Decision-Making” (Dec. 2017) here.
• Read FPF’s “Ten Questions on AI Risk” (July, 2020) here. 
• For an international perspective, read the European Commission’s draft AI rules proposing to regulate certain uses of high-risk AI systems (leaked April 13, 2021) here. 

FPF partners with FCBA -The Tech Bar and LOEB & LOEB to Launch New Law Student Diversity Internship

FPF and The Tech Bar announced the FPF Loeb & Loeb Diversity Pipeline Internship, a first of its kind partnership among three organizations committed to diversity, equity, and inclusion in the legal and policy profession, especially in the technology, media, and telecom (TMT) sector. The inaugural FPF Loeb & Loeb Diversity Pipeline intern will join approximately 20 other law students interning this summer at leading TMT organizations through the FCBA Diversity Pipeline Program. 

Currently, in its first year of operation, the Diversity Pipeline Program is an employment program with a legal skills development component that connects first-year law students from historically underrepresented and disadvantaged groups with paid summer legal internship opportunities in the private sector and at non-governmental organizations (NGOs).

“FPF could not be more pleased to host the inaugural FPF Loeb & Loeb Diversity Pipeline Summer Internship,” said John Verdi, FPF’s VP of Policy.  “We are grateful for Loeb’s generous support and the FCBA’s partnership.  We all have a responsibility to create a more inclusive tech policy community; this internship promises to highlight and support the voices of early-career professionals with diverse backgrounds and experiences.” 

Building on the first phase of the Diversity Pipeline Program that focused on private sector internships, we are thrilled to enter this next phase: a groundbreaking partnership with FPF and Loeb & Loeb. “If we truly want to increase diversity in TMT law and policy work, we have to push beyond firms, companies, and associations to ensure that students from historically underrepresented and disadvantaged groups have access to paid internships in the non-profit sector as well. Working with firms that can help support such efforts is a critical step.  This creative partnership will serve as a model for ongoing FCBA initiatives to enable diverse law students to get valuable first-hand experience at researching, analyzing, and formulating policy proposals on the many exciting issues at the cross-section of technology, law, and policy,” said Natalie Roisman, FCBA President. “We are grateful to see the success of the Diversity Pipeline Program in supporting more diversity in the tech space and eager to learn from FPF, an organization with an established TMT law and policy internship program and related alumni network.”

Ken Florin, Chair, Loeb & Loeb, LLP, said, “Loeb is thrilled to be partnering with FCBA—The Tech Bar and FPF by participating in the FCBA Diversity Pipeline Program.  We look forward to the opportunity to work alongside FPF to mentor and support a diverse law student in a summer internship at FPF on legal and policy issues at the intersection of technology and privacy.  We recognize that building diversity into the legal talent pipeline is critical, and we hope this opportunity will support this year’s intern on their path toward a successful legal career.”

The FPF Loeb & Loeb Diversity Pipeline Summer Intern will work on cutting-edge TMT law and policy issues in areas such as consumer privacy, youth privacy, algorithms, and privacy-enhancing technologies.

 “We hope this non-profit/law firm partnership to advance diversity in the TMT is the first of many,” said Rudy Brioche, Diversity Pipeline Committee Co-Chair.  “We welcome the opportunity to work with other non-profits as we expand the program next Fall for the 2022 Summer Internship Program.” 

Join FPF For XR Week: April 19th-23rd, 2021

Adoption of augmented and virtual reality hardware and software technologies – collectively known as extended reality or “XR” – is taking hold among businesses and individuals. If you’d like to engage in the discussion about the ethical and privacy considerations of XR tech, join our XR Week activities April 19^th to 23^rd! 

After decades of development, demonstrations, and improvements to hardware and software, immersive technologies are increasingly being implemented in education and training, gaming, multimedia, navigation, and communication. Emerging use cases will let individuals explore complicated moral dilemmas or experience a shared digital overlay of the physical world in real time. But XR technologies typically cannot function without collecting sensitive personal information – data that can create privacy risks. 

FPF’s XR Week will explore key privacy and ethical questions surrounding augmented reality (AR), virtual reality (VR), and related immersive technologies. The week will feature several events, including a roundtable discussion with expert participants and several conversations hosted in virtual reality. 

April 19^th, 1:00 – 1:20PM EDT: Reel Virtuality

To kick off XR Week, FPF Policy Counsel and lead on XR technology Jeremy Greenberg and FPF Vice President of Policy John Verdi will discuss a report, Augmented Reality + Virtual Reality: Privacy & Autonomy Considerations in Emerging, Immersive Digital Worlds, to be released on the same day. Greenberg and Verdi will discuss the differences between various immersive technologies, primary use cases, and key privacy and ethical questions. The conversation, originally recorded in Real VR Fishing, can be viewed in 2-D on LinkedIn Live – register for the event on LinkedIn to receive a notification when it begins. 

April 21^st, 2:00 – 3:30PM EDT: AR + VR: Privacy & Autonomy Considerations for Immersive Digital Worlds

Our featured XR Week event, AR + VR: Privacy & Autonomy Considerations for Immersive Digital Worlds, will include a conversation between FPF Policy Counsel and lead on XR technology Jeremy Greenberg, and Facebook Reality Labs Director of Policy James Hairston. A panel, moderated by Greenberg, will discuss the recorded conversation. Panelists will include: 

• Ana Lang, Senior Vice President, General Counsel, Magic Leap.
• Joe Jerome, Director of Platform Accountability & State Advocacy, Common Sense Media.
• Jessica Outlaw, Behavioral Scientist, The Extended Mind. 

Register here.

April 22^nd, 1:00 – 1:10PM EDT: Sculpting XR Compliance

On the Thursday of XR Week, Greenberg and BakerHostetler Data Protection Attorney Carolina Alonso will discuss the legal compliance challenges associated with XR technologies. The conversation, originally recorded in SculptrVR, can be viewed in 2-D on LinkedIn Live – register for the event on LinkedIn. 

We hope you’ll join us!

A New Era for Japanese Data Protection: 2020 Amendments to the APPI

Authors: Takeshige Sugimoto, Akihiro Kawashima, Tobyn Aaron from S&K Brussels LPC; Authors can be contacted at [email protected].

The recent amendments to Japan’s data protection law (the Act on the Protection of Personal Information, henceforth the ‘APPI‘) contain a number of new provisions certain to alter – and for many foreign businesses, transform – the ways in which companies conduct business in or with Japan. In addition to greatly expanding data subject rights, most notably, the amendments to the APPI (the ‘2020 Amendments‘): 

(i) eliminate all former restrictions on the APPI’s extraterritorial application; 

(ii) considerably heighten companies’ disclosure and due diligence obligations with respect to overseas data transfers; 

(iii) introduce previously unregulated categories of personal information (each with corresponding obligations for companies), including ‘pseudonymously processed information’ and ‘personally referable information’; and 

(iv) for the first time, mandate notifications for qualifying data breaches.

The 2020 Amendments will be enforced by the Personal Information Protection Commission of Japan (the “PPC”), pursuant to forthcoming PPC guidelines alongside the amended Enforcement Rules for the Act on the Protection of Personal Information (the ‘amended PPC Rules‘) and the amended Cabinet Order to Enforce the Act on the Protection of Personal Information (the ‘amended Cabinet Order‘) (both published on March 24, 2021).

As the 2020 Amendments are set to enter into force on April 1, 2022, Japanese and global companies that conduct business in or with Japan, have just less than one year to bring their operations into compliance. To facilitate such efforts, this blog post describes those provisions of the 2020 Amendments likely to have the greatest impact on businesses, as well as current events in Japan which will affect their implementation and should inform the manner by which companies address enforcement risks and compliance priorities.

1. LINE Data Transfers to China: A Wake-Up Call for Japan

To appreciate the effect that the 2020 Amendments will have on the Japanese data protection space, one must first consider the current political and societal contexts in Japan in which the 2020 Amendments will be introduced – and enforced – beginning with a recent incident of note involving LINE Corporation. 

In March 2021, headlines across Japan shocked locals: Japan-based messaging app LINE, actively used and trusted by approximately 86 million Japanese citizens, had been transferring users’ personal information, including names, IDs and phone numbers, to a Chinese affiliate. It is neither unusual nor unlawful for Japanese tech companies to outsource certain of their operations, including personal information processing, overseas. But for Japanese nationals, the LINE matter is different for a number of important reasons, not least of which is the Japanese population’s awareness of the Chinese Government’s broad access rights to personal data managed by private-sector companies in China, pursuant to China’s National Intelligence Law.

LINE is not only the most utilized messaging application in Japan; it also occupies a special place in the country’s historical and cultural consciousness. When Japan was hit by the 2011 earthquake, use of voice networks failed and email exchanges were delayed, as citizens struggled to communicate with, and confirm the safety of, their loved ones. And so, LINE was born – a simple messaging and online calling tool to serve as a communications hotline in case of emergency. A decade on, LINE has become the major – and for many the only – means of communication in Japan – particularly in today’s socially-distanced world.

For the Japanese Government too, LINE serves a crucial role: national – and municipality – level government bodies use LINE for official communications, including of sensitive personal information such as for COVID-19 health data surveying. News of LINE’s transfer of user data to China, including potential access by the Chinese Government, therefore horrified private citizens and public officials both.

On March 31, 2021, the PPC launched an official investigation into LINE and its parent company, Z Holdings, over their management of personal information. Until such investigation is concluded, whether and to what extent LINE violated the APPI (and in particular, its provisions governing third party access and international transfers) will remain uncertain. Regardless, the impact of this matter on the Japanese data privacy space is already unfolding. In late March, a number of high-ranking Japanese politicians (including Mr. Akira Amari, Chairperson of the Rule-Making Strategy Representative Coalition of the Liberal Democratic Party of Japan) sent the PPC and other relevant Government ministries strongly-worded messages urging immediate action with respect to LINE, and more broadly, calling for a risk assessment to be conducted vis-à-vis all personal information transfers to China by companies in Japan.

Several days later, Japanese media reported that the PPC had requested members of both the KEIDANREN (the Japan Business Federation, comprised of 1,444 representative companies in Japan) and the Japan Association of New Economy (comprised of 534 member companies in Japan), to report their personal information transfer practices involving China, and to detail the privacy protection measures in place with respect to such transfers. For any APPI violations revealed, the PPC will issue a recommendation potentially followed with an injunctive order, the latter of which carries a criminal penalty (including possible imprisonment) if not implemented.

Importantly, recent political support for stronger data protection measures extends beyond transfers to China. For instance, Mr. Amari has also reportedly called on the PPC to broadly limit permissible overseas transfers of personal information to those countries with data protection standards equivalent to the APPI (a limitation which, if implemented, would greatly surpass restrictions on transfer under both the current APPI and the 2020 Amendments).

Although the PPC has yet to respond, it is evident that both political and popular sentiment in Japan strongly favor enhanced protections for Japanese persons’ personal information. The inevitable outcome of such sentiment, which may be further amplified depending on the PPC’s forthcoming conclusions regarding the LINE matter, will be the increasingly stringent enforcement of the APPI and its 2020 Amendments, and potentially, further amendments thereto. As recent events in Japan demonstrate, this transformation has already begun to take effect. Companies conducting business in or with Japan, whether Japanese or foreign, should therefore pay close attention to the Japanese data privacy space over the course of this year.

2. Broadened Extraterritorial Reach and International Transfer Restrictions

For ‘Personal Information Handling Business Operators’ (henceforth ‘Operators‘, a term used in joint reference to controllers and processors, upon which the APPI imposes the same obligations) arguably the greatest impact of the 2020 Amendments will derive from their drastic revisions to Article 75 (extraterritoriality) and Article 24 (international transfer).

To date, the APPI’s extraterritorial reach has been limited to a handful of its articles, primarily those governing purpose limitation and lawful acquisition of personal information (‘PI‘) by overseas Operators. From April 2022, however, Article 75 of the amended APPI will, without exception, fully bind all private-sector overseas entities, regardless of their size, which process the PI, pseudonymously processed PI or anonymously processed PI of individuals who are in Japan, in connection with supplying goods or services thereto.

With respect to international transfers, Article 24 of the current legislation prohibits the transfer of PI to a ‘third party’ outside of Japan absent the data subject’s prior consent, unless (i) the recipient country has been white-listed by the PPC or (ii) the recipient third party upholds data protection standards equivalent to the APPI (in practice, these would generally be imposed contractually). Otherwise, international transfers may also be conducted pursuant to legal obligation or necessity (for the protection of human life, public interest or governmental cooperation, provided that for each, the data subject’s consent would be difficult to obtain). The APPI’s international transfer mechanisms generally conform to those prescribed by other global data protection regimes, loosely resembling the EU GDPR’s adequacy decisions (with respect to (i) above), and standard contractual clauses or binding corporate rules (with respect to (ii) above, although there are no PPC-provided contractual clauses, and non-binding arrangements such as the APEC CPBR System are PPC-approved).

The 2020 Amendments and amended PPC Rules do not modify the above transfer mechanisms, but they do narrow their scope in two key aspects. First, pursuant to Article 24(2) of the 2020 Amendments, transfers conducted on the basis of data subject consent will henceforth require the transferring Operator (on top of preexisting notification obligations) to inform the data subject in advance as to the name of the recipient country, and the levels of PI protection provided by both that country (assessed using an “appropriate and reasonable method”) and the recipient third party. Absent such information, data subject consent will be rendered uninformed and the transfer, invalid.

Of greater impact on the transferring Operator, however, will be the second modification (pursuant to Article 24(3) of the 2020 Amendments): in the event that an international transfer is conducted in reliance on contractually or otherwise imposed APPI data protection standards (the primary transfer mechanism on which Operators in Japan rely), such contractual safeguards alone are to be rendered insufficient. Going forward, the transferring Operator must, in addition to imposing APPI-equivalent obligations upon a recipient third party, (i) take “necessary action to ensure continuous implementation” of such obligations by the recipient; and (ii) inform the data subject, upon request, regarding the actions the Operator has taken.

With respect to (i) above, the amended PPC Rules interpret “necessary action to ensure continuous implementation” as requiring the transferring Operator to: (1) periodically check the implementation status and content of the APPI-equivalent measures by the recipient third party, and assess (by an “appropriate and reasonable method”) the existence of any foreign laws which might impact such implementation; (2) take necessary and appropriate actions to remedy any obstacles that are found; and (3) suspend all PI transfer to the third-party recipient, should its continuous implementation of the APPI-equivalent measures become difficult.

In addition, following receipt of a data subject’s request for information (pursuant to (ii) above), the amended PPC Rules specify that the transferring Operator must, without undue delay, inform the requesting data subject of each of the following:

(1)  the manner by which the APPI-equivalent measures were established by (or presumably with) the recipient third party (such as a data processing agreement or memorandum of understanding, or in the case of inter-group transfers, a privacy policy);

(2)  details of the APPI-equivalent measures implemented by the recipient third party;

(3)  the frequency and method by which the transferring Operator checked such implementation;

(4)  the name of the recipient country;

(5)  whether any foreign laws may affect the implementation of the APPI-equivalent measures, and a detailed overview of such laws;

(6)  whether any obstacles to implementation exist, and a detailed overview of such obstacles; and

(7)  the measures taken by the transferring Operator upon a finding of such obstacles.

Only if provision of the above items to the data subject is likely to ‘significantly hinder’ an Operator’s business operations, might that Operator refrain from such (complete or partial) disclosure.

In practice, Operators primarily rely upon contractual safeguards and consent (in that order) to transfer PI outside of Japan. Indeed, the PPC’s list of “adequacy decisions” on which transferring Operators may alternatively rely is significantly shorter than that of the European Commission: to date, only the UK and EEA members have been deemed adequate recipients of a PI transfer from Japan. Therefore, the onerous informational and due diligence obligations incumbent upon Operators from April 2022, which affect precisely these two transfer mechanisms, are certain to impact business operations in Japan. And, given the 2020 Amendments’ unbridled extraterritoriality, this burden will be equally felt overseas. Most importantly, in the wake of the March 2021 LINE matter, compliance with the current and amended APPI, and in particular its overseas transfers restrictions, will be at the top of the PPC’s enforcement priorities.

3. Mandatory Data Breach Notifications

In addition to expanding the types of security incidents subject to the amended APPI, more notably, data breach notifications will henceforth be mandatory (in contrast, data breach notifications are subject to ‘best efforts’ under current legislation). Going forward, Operators will be required – pursuant to Article 22-2 of the 2020 Amendments and the amended PPC Rules – to promptly notify both the PPC and data subjects of the occurrence and/or potential occurrence of any data leakage, loss, damage or other similar situation which poses a ‘high’ risk to the rights and interests of data subjects (henceforth, a ‘breach‘).

The types of breaches which meet this ‘high’ risk threshold, and thus trigger a notification obligation, are described by the amended PPC Rules as those which involve, or potentially involve, any of the following: (i) sensitive (‘special care-required’) PI; (ii) financial injury caused by unauthorized usage; (iii) a wrongful purpose(s) as the cause; or (iv) greater than 1,000 affected data subjects. However, a notification is not required in the event that the Operator implemented ‘necessary measures’ to safeguard the rights and interests of data subjects (such as sophisticated encryption).

The amended PPC Rules also stipulate the required content for such notifications, although Operators are granted thirty days to provide details unknown at the time of the initial notice:

(1) overview of the breach;

(2) the types of PI affected or possibly affected by the breach;

(3) the number of data subjects affected or possibly affected by the breach;

(4) causes of the breach;

(5) existence and nature of secondary damage or risks thereof;

(6) status and nature of communications to affected data subjects;

(7) whether and how the breach has been publicized;

(8) measures implemented to prevent a recurrence; and

(9) any additional matters which may serve as a useful reference.

For those Operators ‘entrusted‘ by another Operator with the processing of PI, the 2020 Amendments provide a second option: in lieu of notifying the PPC and data subjects, such “entrusted” Operators may instead alert the “entrusting” Operator as to the breach. In practice, this likely equates to the EU GDPR’s requirement for processors to notify controllers in the event of a breach (although under the 2020 Amendments, direct accountability to the PPC and data subjects is still the default, including for “entrusted” Operators).

In the event of a breach, amended Article 30(5) additionally confers upon data subjects the right to request deletion, suspension of use and suspension of transfer, of affected PI.

4. Expansion of ‘Personal Information’ Concepts and Categories

Another major modification to the APPI is the expanded scope of the types of PI covered. In addition to eliminating the APPI’s differential treatment of temporary PI (retained for up to six months), the 2020 Amendments introduce a new category of information, ‘pseudonymously processed information‘, thereby bringing the Japanese data protection regime one additional step closer to the EU GDPR framework.

As currently drafted, the APPI recognizes only two major types of information: PI and anonymously processed information. Notably, the method of rendering anonymously processed information under the APPI – in contrast to the EU GDPR– need not be technically irreversible (unless such data originates in the UK or EEA and the transfer is based on the European Commission’s adequacy decision on Japan, in which case special PPC-drafted Supplementary Rules do require irreversibility); instead, the APPI endeavors to preserve anonymity by requiring Operators to implement appropriate security measures to prevent reidentification.

Pseudonymously processed information is defined by the 2020 Amendments as information relating to an individual, which cannot identify such individual unless collated with additional information. The stated intention behind the drafters’ introduction of the pseudonymization process is to enable Operators to (i) utilize pseudonymously processed information for internal purposes including business analytics, the development of computational models, etc., and/or (ii) retain rather than delete, for potential future statistical analysis usage, pseudonymously processed information derived from PI which are no longer necessary for the original purpose(s) for which they were collected.

The 2020 Amendments and amended PPC Rules model the pseudonymization process on anonymization, requiring the removal of any (i) description, (ii) unique ‘personal identification code’ (as defined in the APPI), and (iii) information relating to the processing method performed to enable the removal of (i) and (ii) above. The immediate result is the creation, by separation, of two types of information: pseudonymously processed information and ‘removed’ PI, where the latter is the ‘key’ enabling reidentification.

The removed PI are treated as PI under the 2020 Amendments, and as such are subject to all of the same requirements and restrictions, although Operators in possession of both removed PI and pseudonymously processed information are additionally obligated to provide enhanced security in order to safeguard the integrity of the pseudonymously processed information (pursuant to the amended PPC Rules and amended Article 35-2(2)).

Notably, and in divergence from the EU GDPR approach to pseudonymously processed information, the 2020 Amendments’ rules governing treatment of such information vary according to the Operator involved. With respect to pseudonymously processed information handled by an Operator in simultaneous possession of the removed (and separately handled) PI, amended Article 35-2 stipulates the following specific requirements:

(i)         a prohibition of the collation of such information with other data, such as the removed PI, in a manner which could identify data subjects;

(ii)       strict application of the principles of purpose limitation and necessity thereto;

(iii)     a prohibition on usage of any contact information contained therein to phone, mail, email or otherwise contact data subjects;

(iv)      a prohibition of any transfer thereof to third parties (excluding, amongst others, “entrusted” Operators pursuant to Article 23(5)), unless such transfer is permitted by law or regulation (alternatively, the transfer of pseudonymously processed information by data subject consent is permissible if such information are instead handled as PI);

(v)       in the event of their acquisition or the intended alteration of their processing purpose, limitation of the Operator’s disclosure obligation to that of notice by publication;

(vi)      non-applicability of breach notification obligations pursuant to amended Article 22-2, provided that the removed PI are not also subject to the breach; and

(vii)    the elimination of data subjects’ rights regarding their pseudonymously processed information, with the exception of their Article 35 right to receive a prompt and appropriate response to their complaints (subject to the Operator’s best efforts).

In addition to the above, the APPI’s ‘general’ requirements pursuant to Articles 19-22 will apply to pseudonymously processed information handled by an Operator which simultaneously (but separately) possesses the removed PI. Such Operator will be required to:

(i) maintain accuracy of the pseudonymously processed information (for the duration their utilization remains necessary, after which their immediate deletion – alongside the deletion of the removed PI – is required, subject to the Operator’s best efforts);

(ii) implement necessary and appropriate security measures to prevent leakage, loss or damage of the pseudonymously processed information; and

(iii) exercise necessary and appropriate supervision over employees and entrusted persons handling the pseudonymously processed information.  

In contrast, with respect to pseudonymously processed information handed by an Operator which does not simultaneously possess the removed PI, amended Article 35-3 prohibits such Operator from acquiring the removed PI and/or collating the pseudonymously processed information with other information in order to identify data subjects, and limits the applicable provisions of the 2020 Amendments to the following:

(i) the implementation of necessary and appropriate security measures to prevent leakage (a simplified version of Article 20);

(ii) the exercise of necessary and appropriate supervision over employees and entrusted persons handling such information (pursuant to Articles 21 and 22);

(iii) a prohibition on usage of any contact information contained in the pseudonymously processed information to phone, mail, email or otherwise contact data subjects;

(iv) a prohibition of any transfer of such information to third parties (excluding, amongst others, “entrusted” Operators pursuant to Article 23(5)), unless such transfer is permitted by law or regulation (alternatively, the transfer of pseudonymously processed information by data subject consent is permissible if such information are instead handled as PI); and

(v) the elimination of data subjects’ rights regarding their pseudonymously processed information, with the exception of their Article 35 right to receive a prompt and appropriate response to their complaints (subject to the Operator’s best efforts).

In addition to pseudonymously processed information, the 2020 Amendments, pursuant to Article 26-2, introduce an additional, fourth category of information – namely, ‘personally referable information’. This fourth category includes cookies and purchase history (for example), which items may not independently be linkable to a specific individual (and thus would not constitute PI) but which could, if transferred to an Operator in possession of additional, related data, become PI. To account for such qualifying transfers, the 2020 Amendments introduce a consent requirement (such as an opt-in cookie banner).

In the case of overseas transfers, the transferring Operator must additionally inform the data subject as to the data protection system and safeguards of the recipient country and third party, as well as take ‘necessary action to ensure continuous implementation’ of APPI-equivalent safeguards by such recipient third party. Unlike for PI, the data subject does not have a right to request additional details regarding the ‘necessary action’ taken by the Operator with respect to an overseas transfer of personally referable information.

5. Preparing for the 2020 Amendments: Next Steps for Japanese and Foreign Operators

Companies conducting business in or with Japan should be mindful of the demanding nature of the 2020 Amendments to the APPI, and the stringency with which the PPC will seek to enforce them – particularly in view of the dismay caused by the LINE matter and the likelihood of efforts by the PPC to avoid similar incidents in the future.

Moreover, as the European Commission finalizes its first review of its 2019 adequacy decision on Japan, the PPC’s interpretative rules and enforcement trends may further intensify, with the aim of bringing Japanese data protection legislation closer to global standards, including the EU GDPR framework. Bearing this in mind, companies – including those not currently subject to the APPI, but which provide goods and/or services to individuals in Japan – would be wise to proactively conduct necessary modifications to their internal data protection policies and mechanisms, in order to ensure operational compliance with the amended APPI by April 2022.

For those Operators involved in international transfers of PI from Japan, absence of a PPC-issued “standard contractual clauses” template renders difficult, and from a compliance standpoint uncertain, any reliance on contractually-imposed APPI-equivalent standards pursuant to amended Article 24(3). However, one potential solution for Operators preparing to rely on this transfer mechanism for overseas PI transfers (excluding to the EEA or UK) may be the European Commission’s revised Standard Contractual Clauses (‘New SCCs‘), which are due to be published in early 2021. Subject to certain necessary modifications (of jurisdictional clauses and so forth), Operators may consider utilizing the New SCCs as a starting point, to bind recipient third parties to the stringent data protection standards and obligations of the 2020 Amendments.

Operators engaged in transferring PI should also be mindful of the 2020 Amendments’ onerous due diligence obligations with respect to overseas third parties. Prior to and during any cross-border engagements involving Japan-origin PI, Operators must actively ensure that their third-party recipients of such PI (including partners, vendors and subcontractors, as well as each of their respective partner, vendor and subcontractor recipients, and so forth) successfully implement, and continuously maintain, APPI-equivalent measures.

The 2020 Amendments’ enhanced disclosure obligations invite data subjects to hold Operators accountable with respect to the preventative and/or reactive measures Operators take – or fail to take – to protect their PI. Operators engaging foreign third parties should therefore consider reviewing and amplifying their due diligence of such entities, in addition to assessing the laws in each recipient country, in order to proactively identify and devise solutions to address potential obstacles to APPI adherence overseas.

The 2020 Amendments’ broadened extraterritorial application will also require non-Japanese companies to modify their internal data breach assessment and notification systems, to ensure that the PPC and data subjects in Japan are appropriately notified in the event of a qualifying breach; and to implement any necessary changes to their data subject communications platforms or data subject rights request forms, to enable data subjects in Japan to successfully exercise their amended APPI rights from April 1, 2022.

Once published, the PPC guidelines to the 2020 Amendments will further clarify (and potentially amplify) Operators’ compliance obligations with respect to each of the topics addressed in this blog post. The PPC’s findings in regard to LINE’s conduct may also have significant bearing on future APPI enforcement trends and risks. Therefore, in addition to implementing necessary measures to ensure operational compliance with the 2020 Amendments, companies processing covered PI and interested data privacy professionals should look out for these items over the next several months.   

Photo Credit: Ben Thai from Pixabay

For more Global Privacy thought leadership, see:

The right to be forgotten is not compatible with the Brazilian Constitution. Or is it?

India: Massive overhaul of digital regulation, with strict rules for take-down of illegal content and automated scanning of online content

Russia: New law requires express consent for making personal data available to the public and for any subsequent dissemination

Supporting Responsible Research and Data Protection

Scientific research is often dependent on access to personal information, whether collected directly from individuals or collected for a real-world use and then accessed for research. For research to be trusted, processing of personal information must be lawful, ethical and subject to privacy and security protections. Supporting responsible research is a priority for FPF:

• Data held by companies is often essential for research, so we develop best practices for access to corporate data and ethical review structures to provide oversight.
• Machine learning techniques can raise issues of research transparency and fairness and bias, so we work on methods to identify and counter bias. 
• De-identification can reduce the risks involved with research, so we work to advance de-identification that supports the utility of data. 
• We work with policymakers to develop legislative protections that support research with strong safeguards.
• We develop and support leadership networks to facilitate privacy-protective data sharing and working partnership opportunities between academic researchers and industry practitioners.
• We work to ensure access and protections for cross border data flows for research. 

Access to Corporate Data & Ethical Review

Data held by companies is useful for researchers striving to discover new scientific insights and expand human knowledge. When corporations open their data stores and responsibly share this data with university researchers, they can support progress in medicine, public health, education, social sciences, computer science, and many other fields.

But access to the data needed is often unavailable due to a range of barriers – including the need to connect with appropriate partners, protect privacy, address commercial concerns, maintain ethical standards, and comply with legal obligations.

Issuing best practices and contract guidelines for companies sharing data with researchers. The Best Practices for Sharing Data with Academic Researchers were developed by the FPF Corporate Academic Data Stewardship Research Alliance, a group of more than two dozen companies and organizations. The best practices favor academic independence and freedom over tightly controlled research, and encourage broad publication and dissemination of research results, while protecting the privacy of individual research subjects. Specific best practices include having a written data sharing agreement, practicing data minimization, and developing a common understanding of relevant de-identification techniques, among many others. In addition, FPF published Contract Guidelines for Data Sharing Agreements Between Companies and Academic Researchers. The guidelines cover best practices and sample language that can be used in contracts with companies that supply data to researchers for academic or scientific research purposes. FPF’s Corporate Academic Data Stewardship Research Alliance and these resources, including FPF’s report, Understanding Corporate Data Sharing Decisions, were supported by the Alfred P. Sloan Foundation.

Establishing the Ethical Data Use Committee (EDUC). Through the generous support of the Schmidt Futures Foundation, FPF is preparing to launch an independent ethical review panel to evaluate the risks and benefits of organizations’ data sharing projects with academic researchers. The Ethical Data Use Committee will conduct prospective reviews of research projects using data not explicitly gathered for research purposes, such as data shared by companies to academic researchers. The EDUC is designed to work in compliment with the remainder of the research review process. The purpose of the EDUC review is to offer organizations recommendations to improve the privacy, security, and ethical profile of the research data that is not subject to review by other components of the research review infrastructure such as Institutional Review Boards or Institutional Biosafety Committees. 

This work builds on FPF’s project, Beyond IRBs: Designing Ethical Review Processes for Big Data Research, supported by the Alfred P. Sloan Foundation and U.S. National Science Foundation, which brought together government, industry, civil society, and researchers in law, ethics, and computer science to consider ethical review mechanisms for data collected in corporate, non-profit, and other non-academic settings.

Building Communities of Practice

Honoring effective data-sharing partnerships for research and sharing best practices. The FPF Award for Research Data Stewardship is a first-of-its-kind award recognizing a research partnership between a company that has shared data with an academic institution in a responsible, privacy protective manner. The 2020 award-winning partnership was between University for California, Irvine, Professor of Cognitive Science Dr. Mark Steyvers and Lumos Labs. In an FPF virtual event on September 22, 2020, Professor Steyvers and Bob Schafer, General Manager at Lumosity, discussed their award-winning collaboration and lessons learned for future data sharing partnerships between companies and academic researchers. The annual FPF Award for Research Data Stewardship is supported by the Alfred P. Sloan Foundation.

FPF has continued this award and is currently working on reviewing submissions and looks forward to announcing a 2021 winner in the early summer months.

Bringing the best academic privacy research into practice. Through its Applied Privacy Research Coordination Network, a project supported by the U.S. National Science Foundation, FPF introduces academic researchers to industry practitioners to develop working partnership opportunities and share best practices. This project builds on FPF’s first NSF-supported Research Coordination Network established to foster industry-academic collaboration on priority research issues identified in the National Privacy Research Strategy (NPRS) and inform the public debate on privacy. These projects have provided ongoing support to FPF’s Privacy Papers for Policymakers program which brings academic expertise to members of Congress and leaders of executive agencies and their staffs to better inform policy approaches to data protection issues.

Providing governments and researchers tools and guidance for evidence-based policymaking. Integrated Data Systems (IDS) use data that government agencies routinely collect in the course of delivering public services to shape local policy and practice. FPF and Actionable Intelligence for Social Policy (AISP) created the Nothing to Hide: Tools for Talking (and Listening) About Data Privacy for Integrated Data Systems toolkit to provide stakeholders with tools to lead privacy-sensitive, inclusive government IDS efforts. In addition, FPF worked with the Administrative Data Research Facilities Network (ADRF) to develop a guide for researchers and practitioners who want to share administrative data for evidence-based policy and social science research. FPF’s paper Privacy Protective Research: Facilitating Ethically Responsible Access to Administrative Data published in The Annals of Political and Social Science, Vol 675 (2018) outlines the infrastructures that will need to be built to make sure data providers and empirical researchers can best serve national policy needs. FPF’s work on administrative data research was made possible by the support of the Alfred P. Sloan Foundation.

Exploring Legal Structures and Policies to Support Processing Personal Data for Research

Hosting expert discussions about processing personal data for research under the GDPR. The topic of the Brussels Privacy Symposium 2020, organized by FPF and the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB), was “Research and the Protection of Personal Data Under the GDPR.” The symposium, which brought together a mix of industry practitioners, academic researchers, policymakers, and international data protection regulators, focused on striking a balance during the Covid-19 pandemic between the utility of research, on one hand, and the rights to privacy and data protection on the other. Panelists discussed strategies to mitigate risks to data protection in scientific research, including vulnerabilities related to AI and machine learning systems; consent structures; and the role of international frameworks and cross-border data flows. In a closing keynote, European Data Protection Supervisor Wojciech Wiewiórowski discussed the need to intensify the dialogue between Data Protection Authorities and ethical review boards to develop a common understanding of what qualifies as scientific research, and on codes of conduct for it. 

Examining country-level legal frameworks for secondary uses of healthcare data. On January 19-20, 2021, the Israel Tech Policy Institute (ITPI), an FPF affiliate based in Israel, co-hosted a virtual workshop in collaboration with the Organization for Economic Cooperation and Development (OECD) and the Israel Ministry of Health (IMoH), titled “Supporting Health Innovation with Fair Information Practice Principles.” The workshop furthered international dialogue on issues critical for the successful use of health data for the benefit of the public, focusing on the implementation of privacy protection principles and the challenges that arise in the process. The discussion included lessons learned during Covid-19. It provided an opportunity for delegates of the OECD Health group (HCQO) and the OECD Data Governance and Privacy in the Digital Economy group (DGP), together with experts in these fields, to discuss progress made toward implementing the 2017 OECD Recommendation on Health Data Governance, and to contribute to the ongoing review of the 2013 OECD Privacy Guidelines. Specific topics discussed included: 

• Significant national health data governance reforms implemented recently by four countries, which lead legal and operational reforms to strengthen health data governance. These examples were viewed in the context of the WHO Global Strategy on Digital Health.
• Safeguards for health data sharing to promote innovation while protecting people’s privacy. These may include: 1) ethical review board oversight; 2) de-identification; 3) administrative, technical, and contractual safeguards; and 4) safeguards around cross border data flows. 
• Privacy by Design and state-of-the-art solutions for safeguarding digital health data against unauthorised access and use. The mechanisms available are context-dependent and present unique benefits and limitations.
• Individual & community perspectives on using health data for research. Some focus on alternative legal bases, other than consent, for the secondary use of patient data for research, and the imperative to respect the individual’s interest alongside that of the community and society. 

The workshop was attended by delegates from approximately 40 governments from all over the world, as well as industry and academia participants.  

In conjunction with the OECD event, FPF and the Israel Tech Policy Institute have conducted a study (to be published soon) on the laws underpinning secondary uses of healthcare data for research purposes in eight countries: Australia, England, Finland, France, India, Ireland, Israel, and the U.S. We found large commonalities across legal systems and regimes, permitting secondary use of healthcare data for research purposes under certain conditions, such as review by ethical boards, proper de-identification, and other administrative, technical, and contractual safeguards. Still, differences and ambiguities remain around specific situations such as the use of ‘Consent’ or other legal bases allowing data processing, the level of anonymization and de-identification employed and how it is regarded in different countries, and a variety of approaches to transborder data flows and data localization requirements.

Guidance to government, companies and civil society on responsible data sharing in a public health crisis. FPF launched its Privacy & Pandemics series immediately after the COVID-19 pandemic began to provide information and guidance to governments, companies, academics and civil society on responsible data sharing to support public health. As a featured part of the series, FPF’s Corporate Data Sharing Workshop on March 26, 2020 convened ethicists, academic researchers, government officials and corporate leaders to discuss best practices and policy recommendations for responsible data sharing. FPF’s international tech & data conference in October 2020, presented in collaboration with the US National Science Foundation, Duke Sanford School of Public Policy, SFI ADAPT Research Centre, Dublin City University, and Intel Corporation, produced a roadmap for research, practice improvements, and development of privacy-preserving products and services to further inform responses to COVID-19 and prepare for future pandemics and crises.

Summarizing U.S. federal and state laws that apply to health data research. As a resource for policymakers, researchers, and ethicists, FPF canvassed federal and state laws and regulations regarding health data research. Regulations like the Common Rule include a wide range of protections, but only apply to certain situations, while other safeguards are triggered by high-stakes research or particularly sensitive categories of data or vulnerable research subjects.

Educating policymakers on the value of data for research and strategies for oversight. FPF has shared model bill language with lawmakers developing comprehensive privacy laws in California, Washington, and Virginia to encourage them to both protect data-driven research and create oversight by requiring it to be approved, monitored, and governed by an independent oversight entity.

Exploring how the GDPR can work for health scientific research. On October 22, 2018, FPF, together with the European Federation of Pharmaceutical Industries and Associations (EFPIA), and the Centre for Information Policy Leadership (CIPL) hosted a workshop in Brussels, “Can GDPR Work for Health Scientific Research?,” to discuss the processing of personal data for health scientific research purposes under the European Union’s General Data Protection Regulation (GDPR). The workshop identified several challenges that researchers are facing when trying to comply with the GDPR, such as identifying the appropriate lawful ground for processing personal data for clinical trials and for secondary use of health data for health scientific research purposes, the relationship between the EU Clinical Trials Regulation and the GDPR, or the lack of clarity surrounding institutional responsibility and the role of ethical committees. 

Providing guidance to US based higher education institutions on how to align their research and educational activities to the GDPR. In May 2020, FPF released, “The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions.” The report includes a 10-step checklist with instructions for executing an effective GDPR compliance program. Many of the case-studies and examples used in the report focus on academic research. It is designed to assist both organizations with established compliance programs seeking to update or refresh their understanding of their obligations under GDPR, as well as those that are still in the process of creating or sustaining a compliance structure and seeking more in-depth guidance.

Advancing tools to support responsible research in artificial intelligence. Tofacilitate discussions around bias in artificial intelligence, FPF produced a framework to identify, articulate, and categorize the types of harm that may result from automated decision-making, see Unfairness by Algorithm: Distilling the Harms of Automated Decision-Making (December 2017). FPF has recently provided resources and guidance to state policymakers on this topic.

Sharing methods and techniques for de-identification. FPF is recognized for its signature expertise in de-identification, publishing A Visual Guide to De-Identification (April 2016), as well as law review articles like Shades of Gray: Seeing the Full Spectrum of Practical Data De-identification, 56 Santa Clara L. Rev.593 (2016).

Facilitating ethically responsible access to administrative data for privacy protective research. A paper titled Privacy Protective Research: Facilitating Ethically Responsible Access to Administrative Data was featured at a Bill and Melinda Gates Foundation funded workshop along with other white papers written by researchers and practitioners that help inform the development of a roadmap identifying what data infrastructures need to be built to ensure that data providers and empirical researchers can best serve national policy needs. The paper – by FPF CEO Jules Polonetsky, FPF Senior Fellow Omer Tene, and Alfred P. Sloan Foundation Vice President and Program Director Daniel Goroff – provides strategies for organizations to minimize risks of re-identification and privacy violations for individual data subjects.

Privacy Impact Assessment Policies Help Cities Use and Share Data Responsibly with their Communities

As the world urbanizes, local governments are turning to “Smart City” initiatives and the data they generate to more effectively manage transportation systems, support real-time infrastructure maintenance, automatically administer public services, enable transparent governance and open data, and support emergency services in public areas. Data held by public and private organizations have the potential to lead to urban planning insights that can benefit governments and communities worldwide – if it can be collected, stored, and accessed in a responsible manner that respects personal privacy. 

Click on image to watch on YouTube

As part of its work on smart communities in 2020 FPF co-led a task force of experts to develop a Model Privacy Impact Assessment (PIA) Policy for governments and communities that are considering sharing personal data collected from “smart city” solutions. This Model PIA Policy was developed as part of the G20 Global Smart Cities Alliance on Technology Governance, a partnership of leading international organizations and city networks working to source tried-and-tested policy approaches to govern the use of smart city technologies. Its institutional partners — including FPF — represent more than 200,000 cities and local governments, leading companies, startups, research institutions, and civil society communities.

Privacy Impact Assessments in “Smart Cities”

Cities that adopt a clear policy about how and when to conduct PIAs are taking an important first step in being able to consistently and confidently identify, evaluate, and mitigate privacy risks. PIAs (or similar privacy or data protection risk assessments) are already considered a best practice by public and private organizations around the world. In some places they are even required by law, such as cities covered by the EU’s General Data Protection Regulation. 

Although PIAs traditionally focus on identifying privacy risks, they can also be an important mechanism for organizations to articulate the specific value and benefits that they expect to achieve from new smart city data flows and technologies. While PIAs are only one part of a comprehensive privacy program and should sit alongside other safeguards (such training, data minimization, and regulation), cities acquiring or using smart city technologies will find PIAs to be valuable tools to: 

• increase transparency and accountability and earn public trust, 
• embed privacy by design throughout Smart City project and data lifecycles,
• mitigate potential privacy harms or disparate impacts before they occur, 
• improve compliance or reduce legal risk, 
• encourage innovation by supporting ethical decision-making, 
• facilitate internal and external communication and cooperation, and
• enable more confident and consistent decision-making about data and technology by city officials, their partners, and the public.

Cities must balance their own need to use and share data to conduct business with the broader public welfare and individual privacy interests in a way that builds and maintains public trust. Without public trust, the benefits of smart city technologies will be ultimately unsustainable. Cities must invest in policies and practices that will help individuals, local communities, and technology providers maximize the benefits of responsible data use while minimizing privacy risks to individuals and communities.

The Model Policy

This Model PIA Policy is a flexible, scalable policy framework based on proven best practices that cities around the world are already beginning to adopt. Every component of the policy reflects real-world practices and examples by leading cities and counties, including policies and templates from Seattle, Wellington, Helsinki, Santa Clara, Huron, and Toronto. The framework also builds on expert guidance from organizations like NIST, the Article 29 Working Party, and UN Global Pulse. 

The Model PIA Policy is divided into two parts: a “foundations” section that describes the process that cities should follow to conduct PIAs and a “fundamentals” section describes the issues that cities should consider in their PIAs. There are also optional guidance and examples throughout the policy framework for cities that have a greater privacy maturity level or that wish to conduct PIAs in more participatory ways. 

In the “Foundations” section, cities are provided with a recommended process for conducting PIAs, which includes:

• Identifying organizational values, legal requirements, and risk tolerance around data and privacy, 
• Defining what types of activities that should be evaluated through a PIA and when to conduct PIAs (such as before a smart city technology is acquired, or whenever there are material changes to existing data processes), 
• Incorporating threshold assessments and outside expertise to ensure higher risk activities are prioritized and to reduce the likelihood of bottlenecks,
• Recognizing the key roles and responsibilities needed to effectively carry out a PIA (including senior privacy officials, executive supporters, and program staff), 
• Ensuring that PIAs are regularly reviewed and integrated into monitoring and recordkeeping systems, and
• Providing options to encourage transparency and engagement around the results of PIAs. 

In the “Fundamentals” section, cities are provided with recommended issues for their PIAs to consider when evaluating a proposed smart city technology. These include: 

• Identifying who within the city will be using the proposed smart city technology, for what purposes and public benefit, and under what authority (as appropriate),
• Articulating the city’s public values and relevant principles, privacy commitments, legal standards, or organizational risk frameworks, 
• Describing the proposed smart city technology, including its technical capabilities and potential privacy impacts on individuals and communities, 
• Documenting how the city will respond to any anticipated privacy risks (including potential impacts on civil rights and disparate impacts on marginalized communities), including any safeguards or controls that may be used to mitigate those risks and any data use or management policies for the proposed smart city technology, 
• Discussing the availability of funding and resources to provide for ongoing privacy and data protection costs related to the smart city technology, and
• Articulating any additional factors or contextual considerations that may be relevant, such as any community engagement conducted or exigent circumstances that could impact the current privacy risks or safeguards.

Supporting ethical data collection and sharing to enable governments and municipalities to use data from their respective community members is a priority for FPF. Drafting a model PIA policy for a global audience is a complicated process, as wide variation exists in cultural and legal approaches to privacy and data protection around the world. Smart city initiatives also vary considerably in their size and complexity. Our hope is that by providing a model policy for local governments to follow, we can increase the likelihood that cities will consider and address privacy risks in a manner consistent with community expectations. 

Acknowledgements: This Model PIA Policy was a collaborative effort by members of the Privacy & Transparency Task Force and other G20 Smart Cities Alliance contributors and reviewers. Special thanks to Task Force Co-Chair Michael Mattmiller (Microsoft) and Task Force Members Pasquale Annicchino (Lex Digital), Sean Audain (Wellington City Council), Chandra Bhusan (Quantela), Dylan Gilbert (NIST), Eugene Kim (Sidewalk Labs), Naomi Lefkovitz (NIST), Jacqueline Lu (Helpful Places), and  Daniel Wu (Immuta). 

FPF’s participation was funded in part by the National Science Foundation (NSF SPOKES #1761795).

The Future of Privacy Forum works on privacy issues regarding smart communities. To learn more, please contact [email protected] and [email protected]. 

Future of Privacy Forum Releases New Youth Privacy and Data Protection Infographic

WASHINGTON, D.C. – The Future of Privacy Forum (FPF) today released a new infographic, Youth Privacy and Data Protection 101 which provides an overview of the opportunities and risks for kids online, along with potential protection strategies. It also features young people’s voices from around the world on their preferences and attitudes toward privacy.

“We all want to keep kids safe online, but the desire to shield them from risk can also limit their access to important opportunities,” said Amelia Vance, FPF’s Director of Youth and Education Privacy. “When considering any protection strategies, policymakers must carefully evaluate both opportunity and risk in order to foster the development of a robust, thriving online ecosystem that is also suitable for kids. We hope that this infographic effectively conveys that challenge, as well as the diversity of approaches to youth privacy protections being considered and implemented around the world.”

View the infographic and an accompanying blog post here. 

Risks for youth online include well-known concerns such as coming across age-inappropriate content, encountering predators, and being a victim of cyberbullying or cyber harassment. Other, less visible risks include commercial exploitation through profiling and targeted marketing as well as societal shifts such as surveillance normalization, as young people may become accustomed to constantly being watched and recorded.

Of course, there are also a wealth of opportunities for youth online. With school closures due to the pandemic, many students now access their education virtually. Unable to connect with their friends and communities in person, young people rely on social media and other online tools to play, build their communities, explore their identities, and participate in civic and political forums. Online spaces are also integral to fostering creative expression and providing resources related to health and well-being.

The Youth Privacy and Data Protection 101 infographic highlights the range of strategies that governments, online service providers, educators, parents, and others can use and encourage to find that appropriate balance between protecting kids online and not limiting their opportunities. These strategies include things like limiting access to age-inappropriate content, requiring age verification prior to accessing a service, and incorporating privacy into services by default. Those strategies and others that policymakers may wish to consider are discussed in detail in FPF’s latest blog post, available here.