Centre for Information Policy Leadership

Lessons from COVID-19 for a New US Privacy Framework

8/25/2020


 
COVID-19 has forced an increased reliance on technology and data, both in our daily lives and in responding to the pandemic. The pandemic has also demonstrated, more than ever before, the need for a comprehensive US federal privacy framework. CIPL has published a new paper entitled “Data Protection in the New Decade: Lessons from COVID-19 for a US Privacy Framework.” It highlights seven key lessons from the health crisis to consider when developing a new privacy framework for the US:
 
1. Data and the technologies that facilitate its collection and use are an essential part of our lives.
 
Since the start of the pandemic, technology fueled by data has kept our economy and society operating as key aspects of our lives (e.g. work, shopping, education, entertainment, medical care, social life, etc.) have moved online. Data has also been essential for medical research and for developing tools to fight the pandemic, as well as for ensuring a safe re-opening of our businesses. This situation has also highlighted the need to share data both between organizations and between the public and private sectors, which, in turn, has put a spotlight on important data protection and privacy issues. We’ve learned that we must have a privacy framework that is flexible and nimble enough to effectively meet the increasing need to use and share data in new ways. Any US data privacy law, therefore, needs to be drafted in a way that both protects individual privacy and enables the effective use of data.
 
2. A privacy law must not impede the responsible use of artificial intelligence (AI).
 
AI has played a key role in developing technologies to combat the spread of COVID-19 as well as in developing a vaccine and other treatments for the virus. These are just the latest examples of how AI has been used to revolutionize business operations and generally transform core aspects of how we live. As such, any privacy rules we create should not seek to impede the development of AI technology, but must provide reasonable guardrails that enable its further development and responsible use.
 
3. The right to privacy must be balanced with other fundamental rights.
 
Times of crisis have demonstrated that the right to privacy cannot be absolute and must be balanced with other fundamental rights such as healthcare and the freedom of movement. A well-tailored privacy law can and must provide the flexibility to respond to crises such as the pandemic while also protecting individual privacy. As explained further below, a privacy law that is grounded in organizational accountability and rigorously enforced can deliver the appropriate balance and flexibility.
 
4. Traditional interpretations of data protection principles have proven insufficient to keep up with modern data uses.
 
Modern uses of data are challenging long-standing privacy principles. Consent has proven particularly inadequate to protect individuals given how data is used today and how it’s being used to respond to the pandemic. While consent remains relevant in some contexts, consent requests can improperly suggest to individuals that they are choosing between compromising their privacy (by giving their consent) and maintaining their privacy (by not consenting). But privacy protections should not and need not depend on whether one has consented to a particular data use. Moreover, consent can be burdensome to individuals in our increasingly complex, data-driven economy. Not even privacy experts could manage to invest the time and analysis it would take to make appropriate choices in the many contexts where consent is being requested. This overuse of consent has resulted in consent fatigue, which can render even legitimate and appropriate consent requests meaningless. There are also many uses of data for which consent is not possible or even desirable: for example, developing a vaccine, enforcing quarantine, or contact tracing for people who have been exposed to the coronavirus, in addition to protecting national security, enforcing criminal laws, and conducting life-saving research. Thus, while there is a role for consent in certain circumstances, it should not be the principal protection mechanism of a modern-day privacy law.
 
5. Privacy laws should focus less on the collection of data and more on the use of data after collection.
 
Many existing privacy laws and proposals focus on the collection of data. However, the COVID-19 pandemic has demonstrated that there are always compelling reasons for collecting data, such as preventing the spread of the virus and medical research. Thus, privacy laws should focus less on data collection and more on how collected data can be used. They should apply a risk- or harm-based approach to determine which uses should be prohibited or allowed based on the actual risk they pose to individuals, taking into account the available mitigations to reduce the risk.
 
6. Privacy laws should embrace an accountability-based model of data protection.
 
The accountability-based model of data protection is the most promising model for the digital economy and society. It incorporates privacy risk assessment as one of its most important core elements. Risk assessments enable organizations to devise targeted privacy protections that focus on risky and harmful data uses while enabling other data uses that are not risky or harmful. This approach is ideally suited to the privacy challenges posed by unforeseen events like a pandemic because it facilitates tailoring privacy protections on a case-by-case basis to the risks at hand rather than casting the protective net so widely that it impedes beneficial and harmless data uses. CIPL’s Accountability Framework provides organizations a comprehensive approach for building, implementing and demonstrating accountable and risk-based privacy management programs. While this approach can and should be used even in the absence of a privacy law, any new US privacy law should incorporate an accountability requirement that can be implemented through comprehensive privacy management programs or other measures that operationalize compliance. Other accountability measures include leadership and oversight, appointing a person responsible for data protection compliance, effective and actionable transparency, training of relevant employees, written policies and procedures including on data security, and implementing contractual measures to ensure accountability in the context of cross-border data transfers. Such accountability measures are the future of ensuring both responsible and innovative data uses and robust and enforceable protections for individual privacy.
 
7. Comprehensive federal privacy legislation is the best approach to ensuring privacy protections in the US.
 
COVID-19 does not abide by state borders, and large amounts of data need to be shared across the country to respond to the emergency. If it wasn’t already clear, this situation has illustrated the importance of a privacy law that provides uniform protections for this data throughout the US. Personal data should not be subjected to a patchwork of different privacy regimes. Consumers deserve consistent protections and businesses deserve consistent rules that can enable economic activity and innovation across the country. Given the importance of personal data in the modern economy (as brought into even sharper focus by the pandemic), a single comprehensive approach to US privacy law should be considered a top priority, not least to facilitate economic recovery. It would rationalize and streamline data privacy requirements for US businesses and provide the basis for consumers to gain trust in the digital economy, embrace new technologies, and welcome rather than fear broad uses of data for social good and other beneficial purposes.
 
For more information on any of these topics, please see CIPL’s new paper.

Getting Practical on Organizational Accountability

6/3/2020


 
Over the past decade, we have witnessed the gradual rise of “organizational accountability” in global privacy and data protection law and practice. Privacy regulators increasingly expect it from their regulated organizations, and it’s fair to say that many modern privacy laws now explicitly require it. CIPL has been engaged pretty much from the beginning both in helping to define what this concept actually means in practice and in socializing this important concept globally. We have urged regulators and law and policymakers to promote and incentivize the uptake of accountability, and we have pushed organizations around the world to implement and operationalize it. Why? Because accountability, and only accountability, properly understood, can deliver effective privacy protections for individuals and, at the same time, enable the wide range of beneficial data uses that are indispensable to an increasingly digital world. Accountability enables organizations to comply with privacy laws around the world, supports organizational data strategies, sustainable data uses and digital transformation, and is the foundation for public trust in the digital society.

In a nutshell, organizational accountability requires organizations to have measures and tools in place that operationalize applicable legal requirements and to be able to demonstrate them on request, say to a data protection authority, business partner or investor. An even shorter way of explaining it is that accountability requires organizations to have demonstrable comprehensive privacy management and compliance programs. But exactly what these programs should entail and look like has, so far, eluded not only global consensus amongst regulators, but also many organizations that are keen on implementing this core data protection requirement properly and effectively. 

To assist on both fronts, CIPL embarked on a data privacy accountability mapping project in the middle of last year. Over a period of several months we worked with 17 leading organisations with mature privacy programs in different sectors to explore and assess the ways in which they infuse accountability into their corporate DNA. The outcome of this exercise was our newly published report on “What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework”. The overarching objectives of the Report were to:
  • provide concrete evidence and success stories from organizations on how they implement, demonstrate and enforce accountability; 
  • promote accountability as a board-level and business strategy issue that includes but also goes beyond mere legal compliance; and 
  • build global consensus between industry and regulators on the elements of accountability.

We started this project by mapping the specific accountability measures and tools included in the participating organizations’ privacy management programs against the CIPL Accountability Framework (see image below), which sets forth seven core elements of accountability. We have long argued that to be comprehensive and effective, data privacy management programs must include demonstrable processes, measures and tools to address each of these core elements. We are not alone. Commissioner Wilson of the U.S. Federal Trade Commission recently endorsed the CIPL Accountability Framework in a keynote speech at the Privacy + Security Academy:
“One privacy best practice that is particularly relevant now is accountability. The Center for Information Policy Leadership (CIPL), which operates here and internationally, has produced several white papers detailing privacy best practices that focus on accountability. In particular, CIPL’s July 2018 discussion paper, The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society, includes an accountability wheel that provides an excellent visual framework for businesses to design privacy programs . . . .  I recommend that companies evaluate their privacy programs in light of these elements, considering carefully each of these areas.”
CIPL Accountability Framework – Universal Elements of Accountability
Our accountability mapping project did just that. It looked at leading organizations’ privacy programs in light of the seven elements of CIPL’s “accountability wheel.” In addition to collecting a plethora of concrete examples of how organizations effectively operationalize accountability through specific measures, the Report also identifies ten common trends within accountable organizations:

  1. Accountable organizations view accountability as a journey and internal change management process to embed data privacy in the company’s DNA, rather than a one-moment-in-time checkbox compliance exercise.
  2. Organizations consider the CIPL Accountability Framework as an ideal architecture to build, organize, measure and communicate an effective data privacy management program that translates legal requirements into actionable controls.
  3. Accountable organizations and their privacy officers and senior leaders recognize accountability as a business topic and driver, enabling responsible innovation and business sustainability.
  4. Organizations report that accountability results in business benefits and efficiencies by reducing delays in sales, reducing the number and cost of data breaches, scaling compliance activities and improving overall operational efficiencies.
  5. Data processors are also strongly embracing accountability, as it enables them to differentiate in the marketplace and build trust in the digital supply chain with clients who are looking for accountable business partners to fulfil their own obligations.
  6. Senior leaders recognize the importance of “tone from the top” and leading by example to drive internal cultural change towards accountability in data protection.
  7. Accountability is sector agnostic and scalable, as it can be implemented by organizations of all types, sizes, sectors (including the public sector), geographical footprints and varying corporate cultures.
  8. Accountable organizations proactively manage privacy risks to individuals and adopt a risk-based approach to their data privacy management programs.
  9. Senior management and boards are familiar with accountability frameworks, as they are also used in other compliance areas such as anticorruption, anti-money laundering, competition law, export controls and information security.
  10. Accountable organizations are driving global convergence in data privacy laws and best practices, which is also helpful for national regulators around the globe who are able to align their views and expectations of data privacy compliance activities.

We encourage all public and private sector organizations that may be asking themselves what a good privacy management and compliance program should look like to read our report. Our findings shed light on some important questions that many senior leaders and privacy officers are asking today. How do we build and implement accountability into our business and organizational culture? How do we operationalize legal norms into risk-based controls, policies and procedures? How do we demonstrate accountability to our boards, shareholders, regulators, business partners, oversight bodies and the public? What is the role of privacy officers in organizations and where should they be positioned? What are key transparency best practices? 

In the end, implementing organizational accountability requires two things: one, a comprehensive and holistic approach to address all organizational operations that touch personal data; and two, a lot of creativity and attention to practical details. We are sure that the Report will be able to inspire and guide many of you on both of these, regardless of how far along your organization is on its accountability journey.


Copyright © 2020 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.