FPF Advisory Board member, Alisa Bergman, Vice President, Chief Privacy Officer at Adobe Systems, recently wrote an article in the IAPP Tech Privacy Advisor that we think is very useful. The article started from a presentation Bergman did for Adobe engineers (the key slide from the presentation is above).
For those participating in FPF’s Privacy War Games, the article is particularly useful as it provides a practical look at how to operationalize privacy. Bergman is a member of the Advisory Committee for the PWG. To learn more about the event and to register, please visit www.privacywargames.com.
Bergman writes:
Whether you’re a privacy professional or a software engineer, you likely have many stories about the opportunities, challenges and spirited debates within your organization, particularly in the recent run-up to EU General Data Protection Regulation. Privacy and engineering teams ultimately share a common goal: to create great customer and user experiences. Getting there, however, can feel like the other team comes from a different planet. To engineers, privacy principles advanced by privacy professionals may appear to come from Venus, while to privacy pros, engineering rules may appear to come from Mars.
September 24th in Detroit, MI: Data and Privacy for Autonomous Vehicles
Join the Future of Privacy Forum and PwC for a roundtable: “Data and Privacy for Autonomous Vehicles”
Autonomous vehicles are positioned to transform the future of mobility—a change enabled by new on-board sensors that collect and transmit growing types and quantities of data. While the existence of data in vehicles is not entirely new, autonomous vehicles promise an explosion in the variety, connectivity, volume of such data—raising new and unique considerations around what happens with it. As the automotive industry becomes more data-driven, getting consumer privacy right will become increasingly important.
Monday, September 24, 2018 from 1:30 PM to 4:30 PM in Detroit, Michigan
Industry leaders will discuss:
Mapping, Geolocation, and Video Data: What unique considerations may need to be applied to these compilations of high resolution and potentially sensitive data—of both the inside and outside of vehicles?
Monitoring of Vehicles, Drivers, and Passengers: What are best practices for fleet monitoring to ensure safety and cleanliness of vehicles while preserving passenger privacy?
Data Sharing: Given that many consider data sharing crucial to AV development, what considerations should be taken into account around how to do so while protecting privacy – both among industry, with municipalities, and with researchers?
Law Enforcement Access: How do we balance access during exigent circumstances and through legal process with enhanced sensitivities around mobility data?
Changing Expectations of Privacy: Do consumers’ expectations of privacy diminish in the post-ownership, shared vehicle model? How should we think about privacy considerations for members of the public whose movements may be tracked with the externally-facing videos or mapping that may be common with AVs?
These are all early-stage questions, so we are convening industry leaders for an off-the-record discussion on how to tackle these issues moving forward.
Please contact Lauren Smith at [email protected] to request an invitation.
FPF Launches AI and Machine Learning Working Group and Releases New AI Resource Guides
The opportunities created by machine learning range across every sector of the economy and will impact every area of daily life. Better health care, safer transportation, greater efficiencies in manufacturing, retail, and online services are all already on the horizon. But concerns about the privacy impact, ethical consequences and real world harms of the technology are real and may lead to dangers large and small if not countered.
FPF has convened a leading group of its members to consider priority areas for technologies and companies to address ML privacy and ethics concerns. Our AI and Machine Learning Working Group, composed of FPF member companies with an interest in AI and Machine Learning privacy and data management challenges, meets monthly to discuss various relevant issues regarding new updates, hear from experts regarding AI in the EU and under GDPR, the occurrence and defense against bias, and other timely topics. A subset of members is currently working on developing a set of Best Practices for internal governance procedures for companies implementing products or services which rely on machine learning technologies.
We recently released, in partnership with Immuta, a framework for practitioners to manage risk in artificial intelligence and machine learning (ML) models. The joint whitepaper, Beyond Explainability: A Practical Guide to Managing Risk in Machine Learning Models, provides business executives, data scientists, and compliance professionals with a strategic guide for governing the legal, privacy, and ethical risks associated with this technology.
Today we announce the launch of our Resource Guides which collect current and leading news, academic publications, and multi-media training, providing in-depth sources for the technical, educational, and policy-focused perspectives.
In October, we will be holding one of the official side events at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels, providing an introduction to how AI and ML work, targeted to privacy professionals and regulators, with an emphasis on the unique privacy questions or impacts raised by these technologies.
To learn more about FPF’s AI and ML Working Group, and membership opportunities, contact Brenda Leong, [email protected].
John Verdi Appears on Comcast Newsmakers
FPF’s Vice President of Policy, John Verdi, joined Sheila Hyland on Comcast Newsmakers to talk about the importance of data privacy laws, including new legislation in California, which aim to empower consumers. You can watch the full interview below.
Video
FPF Welcomes Inaugural Elise Berkower Memorial Fellow
The Fellowship
Earlier this year, FPF launched a new fellowship in memory of Elise Berkower. Elise was a senior privacy executive at global measurement and data analytics company Nielsen for nearly a decade and was a valued, longtime member of the FPF Advisory Board. FPF graciously acknowledges the Berkower Family, Nielsen Foundation, and IAPP as founding sponsors of the Elise Berkower Memorial Fellowship.
The Elise Berkower Memorial Fellowship is a one-year, public interest position for recent law school graduates committed to the advancement of responsible data practices. Candidates are selected based on both academic qualifications and a commitment to the personal qualities exemplified by Elise – collaboration with co-workers, peers and the broader privacy community and a commitment to ethical conduct.
Michelle Bae
We are delighted to welcome the inaugural Elise Berkower Memorial Fellow, Michelle Bae!
Michelle will work on consumer and commercial privacy issues, from technology-specific areas such as advertising practices, drones, wearables, connected cars, and student privacy, to general data management and privacy issues related to ethics, de-identification, algorithms, and the Internet of Things. Focusing on the advancement of responsible data practices, she will be developing industry best practices and standards and filing comments on proposed regulatory actions.
During law school, Michelle worked as a data protection and privacy law intern at Ladas & Parry LLP and a legal intern for the Honorable Judge Timothy S. Driscoll at the Nassau County Commercial Division and the New York State Attorney General’s Office. Prior to law school, Michelle worked in the corporate governance team at Citigroup where she managed board agenda materials with respect to internal data control and developed an online platform.
Michelle earned her J.D. from University of Illinois College of Law and her B.A. in Law from Yonsei University.
Please join us in welcoming Michelle to the team!
Donate
FPF is inviting supporters to help us fully fund the Elise Berkower Memorial Fellowship. Donations of all sizes are welcome. Thank you for your support!
Privacy Best Practices for Consumer Genetic Testing Services
The Future of Privacy Forum, along with leading consumer genetic and personal genomic testing companies 23andMe, Ancestry, Helix, MyHeritage, and Habit, released Privacy Best Practices for Consumer Genetic Testing Services. These companies have been joined by African Ancestry, FamilyTreeDNA,* and Living DNA in supporting the Best Practices as a clear articulation of how leading firms can build trust with consumers.
Consumer genetic tests, tests that are marketed to consumers by private companies, have empowered consumers to learn more about their biology and take a proactive role in their health, wellness, ancestry, and lifestyle. When consumers expressly grant permission and provide an informed consent, they can choose to share their genetic data with responsible researchers to help them discover important breakthroughs in biomedical research, healthcare, and personalized medicine.
The Best Practices establish standards for genetic data generated in the consumer context by making recommendations for companies’ privacy practices that require:
Detailed transparency about how Genetic Data is collected, used, shared, and retained including a high-level summary of key privacy protections posted publicly and made easily accessible to consumers;
Separate express consent for transfer of Genetic Data to third parties and for incompatible secondary uses;
Educational resources about the basics, risks, benefits, and limitations of genetic and personal genomic testing;
Access, correction, and deletion rights;
Valid legal process for the disclosure of Genetic Data to law enforcement and transparency reporting on at least an annual basis;
Ban on sharing Genetic Data with third parties (such as employers, insurance companies, educational institutions, and government agencies) without consent or as required by law;
Restrictions on marketing based on Genetic Data; and
Strong data security protections and privacy by design, among others.
Supporters of the Best Practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, FamilyTreeDNA,* and Living DNA.
The Association for Molecular Pathology (AMP), the premier global, molecular diagnostic professional society, recently revised its official position for all consumer genomic testing. Among other conditions, AMP will support consumer genetic testing if test providers adhere to FPF’s Best Practices (among other requirements): Announcement and Position Statement.
*In January 2019, Family Tree DNA revealed an agreement with the FBI that conflicts with FPF’s Best Practices. FPF immediately removed Family Tree DNA as a supporter.
Future of Privacy Forum and Leading Genetic Testing Companies Announce
Best Practices to Protect Privacy of Consumer Genetic Data
23andMe, Ancestry, Helix, and other leading consumer genetic and personal genomic testing companies back strong protections, including express consent, transparency reports, and strong security requirements
Washington, DC – Today, Future of Privacy Forum, along with leading consumer genetic and personal genomic testing companies 23andMe, Ancestry, Helix, MyHeritage, and Habit, released Privacy Best Practices for Consumer Genetic Testing Services. The Best Practices provide a policy framework for the collection, protection, sharing, and use of Genetic Data generated by consumer genetic testing services. These services are commonly offered to consumers for testing and interpretation related to ancestry, health, nutrition, wellness, genetic relatedness, lifestyle, and other purposes.
“Supporting strong and transparent industry-wide guidelines that provide people with confidence that companies in this growing field will protect their privacy is critical to the continued success of this nascent business sector,” said Jules Polonetsky, CEO, FPF. “That is why we have been working with the industry leaders for the past year to develop privacy and data principles that we and our peers in the personal genomics industry can embrace. We believe that these best practices are essential to engendering trust so that all people can safely access their genetic information.”
Consumer genetic tests, tests that are marketed to consumers by private companies, have empowered consumers to learn more about their biology and take a proactive role in their health, wellness, ancestry, and lifestyle. When consumers expressly grant permission and provide an informed consent, they can choose to share their genetic data with responsible researchers to help support a better understanding of the role of genetic variation in our ancestry, health, well-being, and much more.
“Protecting our customers’ privacy is Ancestry’s highest priority,” said Eric Heath, Chief Privacy Officer, Ancestry. “As a leader in the direct to consumer DNA testing market, Ancestry recognizes the important role that our industry can play in protecting the privacy and data of all customers. We understand the sensitive nature of the information our industry handles and our responsibility as stewards. We are grateful for the Future of Privacy Forum’s leadership in working to get these Best Practices drafted, vetted and aligned, and look forward to seeing these Best Practices broadly adopted across the industry.”
Today, more consumer genetic testing services are available than ever before, prices for testing are becoming increasingly affordable, and the speed at which testing is completed is accelerating. As the industry continues to expand and the technology becomes more accessible, it is vital that the industry acknowledge and address the risks posed to individual privacy when Genetic Data is generated in the consumer context.
“We’re seeing such a rapid progression of the industry, owing to both the advances in technology and the increasing accessibility of genomic information for personal and research use,” said Elissa Levin, Head of Policy and Clinical Affairs, Helix. “We think it’s essential to take a leadership position to continue to grow the industry responsibly, in ways that keep consumer safety at the forefront of action, and pave the way for better experiences and learnings that ultimately help people lead better lives.“
“Everyone who participates in a genetic testing service deserves to have their information protected, no matter which service or product they use. It’s imperative that all consumer genetic testing companies adhere to comprehensive privacy protections, and clearly communicate their policies to consumers in a transparent manner,” said Kate Black, Global Privacy Officer, 23andMe. “With over a decade of experience as a leader in consumer genetic testing, we’ve built incredibly strong privacy practices. We are happy to now work with the industry and an organization like the FPF to solidify best practices, and help ensure proper protection of consumers’ genetic information more broadly.”
The Best Practices are also supported by other consumer genetic testing companies including African Ancestry and FamilyTreeDNA.*
The Best Practices establish standards for genetic data generated in the consumer context by making recommendations for companies’ privacy practices that require:
Detailed transparency about how Genetic Data is collected, used, shared, and retained including a high-level summary of key privacy protections posted publicly and made easily accessible to consumers;
Separate express consent for transfer of Genetic Data to third parties and for incompatible secondary uses;
Educational resources about the basics, risks, benefits, and limitations of genetic and personal genomic testing;
Access, correction, and deletion rights;
Valid legal process for the disclosure of Genetic Data to law enforcement and transparency reporting on at least an annual basis;
Ban on sharing Genetic Data with third parties (such as employers, insurance companies, educational institutions, and government agencies) without consent or as required by law;
Restrictions on marketing based on Genetic Data; and
Strong data security protections and privacy by design, among others.
“The Best Practices recognize that Genetic Data is sensitive information that warrants a high standard of privacy protection,” said Carson Martinez, Policy Fellow, FPF. “Genetic Data may be used to identify predispositions and potential risk for future medical conditions; may reveal information about the individual’s family members, including future children; may contain unexpected information or information of which the full impact may not be understood at the time of collection; and may have cultural significance for groups or individuals. It is therefore critical that the appropriate level of privacy protections is implemented.”
In producing the Best Practices, FPF and privacy leaders at the companies incorporated input from the FTC, a wide variety of genetics experts, and privacy and consumer advocates.
To request comment from FPF or the leading consumer genetic testing companies that were involved with these Best Practices released today, please find contact information below:
The Future of Privacy Forum is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.
*In January 2019, Family Tree DNA revealed an agreement with the FBI that conflicts with FPF’s Best Practices. FPF immediately removed Family Tree DNA as a supporter.
PrivacyNews.TV
PrivacyNewsTV videos can be viewed below. You can navigate here via privacynews.tv, can watch the videos on Facebook or on FPF’s YouTube channel.
Policy Brief: European Commission’s Strategy for AI, explained
The European Commission published a Communication on “Artificial Intelligence for Europe” on April 24th 2018. It highlights the transformative nature of AI technology for the world and it calls for the EU to lead the way in the approach of developing AI on a fundamental rights framework. AI for good and for allis the motto the Commission proposes. The Communication could be summed up as announcing concrete funding for research projects, clear social goals and more thinking about everything else.
The Communication lays out proposed actions for the following years, fully taking into account that cooperation with Member States and at EU level is crucial. There are already some Member States that developed AI strategies. France presented its national strategy for AI on March 29 – and president Emmanuel Macron has been quitevocal about it. Germany also set up aplatform on learning systems to enable a strategic dialogue between academia, industry and the government, and it has put forward a report on the ethics of automated and connected driving. Finland has put forward astrategy as well. The Commission doesn’t want to see a fragmented Single Market when it comes to AI and it transpires from the Communication that this was one of the main reasons to take action at this stage.
The Strategy proposed by the Commission contains several streams of action, of which the major ones are:
Concrete financial support for the development of AI applications;
Initiatives to make data available to researchers;
Analyzing the impact of AI on workforce and setting up a framework to support Member States to prepare workforce to cope with the age of AI;
Establishing an appropriate ethical and legal framework (even though no major initiatives were announced, besides adopting this year AI ethical guidelines);
Establishing an infrastructure for collaboration with Member States and research institutions.
Each of them will be briefly detailed below.
1) Financial support, including for the creation of an “AI Toolbox”
The Commission pledged 1.5 billion euros (1.75 billion dollars) in the next two years (2018-2020) for research and innovation in AI technologies under the Horizon 2020 program, primarily to support applications which address societal challenges in sectors such as health, transport and agrifood. Through public-private partnerships, this amount is estimated to increase with 2.5 billion euros over the same period of time. The Commission will also support the strengthening of AI research excellence centers. One ambitious target is to stimulate the uptake of AI across Europe through a toolbox for potential users, with a focus on small and medium-sized enterprises, non-tech companies and public administrations.
The toolbox will include:
an AI-on-demand platform giving support and easy access to the latest algorithms and expertise;
a network of AI-focused Digital Innovation Hubs facilitating testing and experimentation; and
the set-up of industrial data platforms offering high quality datasets.
In addition, the Commission aims to stimulate more private investments in AI under theEuropean Fund for Strategic Investments (at least 500 million euros in 2018-2020).
2) Initiatives to make data available for researchers: a new support centre for data sharing
Acknowledging that data is essential for the development of AI, the Commission wants to act towards growing the European data space. It is important however to mention that the focus of the data sharing initiatives is primarily on non-personal data and public sector information (traffic, meteorological, economic and financial data or business registers). As for personal data and privately-held data, the Commission emphasizes that any sharing initiative must ensure full respect for legislation on the protection of personal data.
To support making data available in a responsible way, the Commission published together with the Communication as series of new initiatives and guidance:
Guidance on sharing private sector data in the economy (including industrial data), which is designed for across all sectors of the economy. The Guidance contains a “How to” guide on legal, business and technical aspects of data sharing that can be used when considering and preparing data transfers between companies coming from the same or different sectors.
A Communication on the digital transformation of health and care, including sharing of genomic and other health data sets. This Communication announces several initiatives, including supporting the development of technical specifications for secure access and cross-border exchange of genomic and other health datasets within the internal market for research purposes, in order to facilitate interoperability of relevant registries and databases in support of personalized medicine research.
3) Dealing with the impact of AI on EU workforce
Preparing the society as a whole for the impact of AI is the first main challenge identified by the Communication in this area. The aim is to develop programs that will help all Europeans to develop basic digital skills, as well as skills which are complementary to and cannot be replaced by any machine, such as critical thinking, creativity or management.
The second challenge is the impact of AI on jobs and workers. The Commission announced that the EU will focus efforts to help workers in jobs which are likely to be the most transformed or disappear due to automation, robotics and AI. This means also ensuring access for all citizens, including workers, to social protection. The Commission intends to set-up dedicated re-training schemes in connection with the Blueprint on sectoral cooperation on skills for professional profiles which are at risk of being automated, with financial support from the European Social Fund.
The third challenge is training more specialists in AI, including attracting talent from abroad. The Commission estimates that there are about 350.000 vacancies for such professionals in Europe, pointing to significant skills gap. To this end, the European Institute of Innovation and Technology will integrate AI across curricula in the education courses it supports.
4) Ensuring both legal and ethical frameworks for the development of AI
The Communication does not announce any new legislative proposal, but it emphasizes how the current proposals debated in Brussels are relevant for AI (the Regulation on the free flow of non-personal data, the ePrivacy Regulation and the Cybersecurity Act) and that they need to be adopted as soon as possible so that citizens and businesses alike will be able to trust the technology they interact with. The possibility that the Product Liability Directive will be revised is announced, but the only concrete step mentioned for the time being is an analysis of the current provisions and whether they are fit to deal with AI technology.
In addition, the Commission highlights the role the GDPR plays on regulating the use of personal data for AI related purposes, including with regard to the right of individuals to receive meaningful information about the logic involved in automated decision-making and their right not to be subject to solely automated decision-making except in limited circumstances. The Commission intends to support national and EU-level consumer organisations and data protection supervisory authorities in building an understanding of AI-powered applications with the input of the European Consumer Consultative Group and of the European Data Protection Board.
As for dealing with ethics, the Communication announces that “AI Ethics Guidelines” will be adopted by the end of the year, in collaboration with “all relevant stakeholders”. The Guidelines are expected to address issues such as the future of work, fairness, safety, security, social inclusion and algorithmic transparency. To this end, the Commission set up a High Level Working Group for AI and the European AI Alliance.
5) Establishing partnerships with Member States
Finally, the Commission focuses on establishing partnerships at EU level. By the end of the year the Commission will work on a coordinated plan with Member States to maximise the impact of investments at EU and national levels, exchange information on the best way for governments to prepare Europeans for the AI transformation and address legal and ethical considerations. At the same time, the Commission plans to systematically monitor AI-related developments at Member State level.
It is relevant to note here that a week before the Commission published its strategy on AI, 25 EU Member States signed a Declaration of Cooperation on Artificial Intelligence, and they were joined one month later by the rest of the Member States. Currently, all 29 EU Member States are signatories to the Declaration.
For more information on the Future of Privacy Forum’s work on AI, or if you have questions related to this Policy Brief, contact:
Brenda Leong, Senior Counsel and Director of Strategy at [email protected]
FPF Publishes Report Supporting Stakeholder Engagement and Communications for Researchers and Practitioners Working to Advance Administrative Data Research
The ADRF Network is an evolving grassroots effort among researchers and organizations who are seeking to collaborate around improving access to and promoting the ethical use of administrative data in social science research. As supporters of evidence-based policymaking and research, FPF has been an integral part of the Network since its launch and has chaired the network’s Data Privacy and Security Working Group since November 2017.
This summer, ADRF Network published its first set of working group reports in order to help advance standards and best practices for administrative data researchers and practitioners. The reports address priority issues in administrative data research, including: Data Quality and Standards; Data Sharing Governance and Management; and Communicating about Data Privacy and Security. The working groups engaged over 30 experts from academic universities, government agencies, and other institutions.
FPF CEO Jules Polonetsky and FPF Policy Counsel Kelsey Finch led the work on Communicating about Data Privacy and Security as part of its ongoing efforts to support proactive and privacy-focused stakeholder engagement and communications around administrative data research. While strong privacy safeguards are the foundation of any administrative data research, learning to effectively communicate about how and why administrative data are being used and protected and providing stakeholders with meaningfully input in the research process is essential to maintaining public trust.
In the report, we identify the “why, when, who, and how” of communicating about data privacy and security while doing administrative data research. The report highlights the importance of engaging a diversity of stakeholders at multiple stages in the research lifecycle, and includes an initial matrix model building on the GovLab’s People-Led Innovationframework to ensure active engagement. We also apply the model to a hypothetical research project to further inspire researchers and practitioners to think creatively about meaningful opportunities for stakeholder engagement.
Publication of these reports is a pivotal step toward developing industry-wide best practices for researchers and practitioners working to advance administrative data research. We believe that stakeholder engagement and communicating about data privacy and security are crucial to the future success of administrative data research.
FPF is thankful to the Alfred P. Sloan Foundation for making this work possible; to Monica King for her leadership of the ADRF Network; and our fellow Data Privacy & Security Working Group members for their thoughtful contributions. Working Group participants included: Elizabeth Dabney, Data Quality Campaign; Tanvi Desai, Data Strategy Consultant; Valerie Holt, ECDataWorks; Della Jenkins, Actionable Intelligence for Social Policy; Stefaan Verhulst, GovLab; and Evan White, California Policy Lab.
