Search Results
197 results found with an empty search
- Chris Foreman
Chief Privacy Officer, Merck & Co., Inc. (USA)
Chris is the Chief Privacy Officer at Merck. Heading the Global Privacy Office, an integral part of the Ethics & Compliance Organization, he leads a global team of privacy professionals that oversees the governance and functioning of the Global Privacy Program. Through its standards, specifications, external certifications and guidance, the Global Privacy Office supports a network of 250+ Privacy Stewards embedded within the various operating divisions and global support functions of the Company, and ensures accountability by the business for its activities. Chris spent his first 20 years with the Company in the Office of the General Counsel, thereafter joining the Global Privacy Office in September 2018. He has been Chief Privacy Officer since August 2023. He advocates the Company’s interests externally in several fora, including EFPIA’s Data Governance Working Group, IAF and dplegal. Chris has spoken widely at privacy and legal conferences, webinars and roundtables on topics including the complexities of international data transfers between Europe and the United States and the European Health Data Space. Before joining the Company, Chris worked as a corporate attorney at two private law firms. He earned his B.A. (Government), J.D. and LL.M. from the University of Texas, University of Georgia, and Vrije Universiteit Brussel, respectively.
- Assessments to an AI World: Legitimate Interest Assessment
November 2024
- Stephanie Higgins
Vice President, Chief Privacy & Data Ethics Officer at Cognizant
Stephanie is a seasoned global privacy professional with over twenty years of experience managing complex privacy laws and regulations for multinational businesses. Her focus is on privacy strategy including developing programs, policies, and processes necessary to ensure compliance and responsible use of data. She joined Cognizant in January 2019 as Chief Privacy and Data Ethics Officer and leads a global team focused on devising and implementing a global approach to personal information handling. Prior to her current role, she spent 18 years with Deloitte, most recently leading their Global Privacy Office and advising on data protection requirements impacting their global organization. Previously as a regulatory consultant, she specialized in data protection and technology assurance and advisory services supporting multinationals in a range of sectors.
- IAF Comments to UK ICO AI Consultation
February 2024
- Dun & Bradstreet
- CLEANUP IN AISLE ADPPA
A comprehensive, preemptive, federal privacy law that creates a single set of rules for the United States is a once in a generation effort that will have a lasting impact for decades and is long overdue. The drafters of such a bill, the American Data Privacy and Protection Act (ADPPA), should not force companies and courts down the road to guess what the text means. Given the very limited and narrow rulemaking authority granted to the Federal Trade Commission in the draft ADPPA, it’s even more incumbent on Congress to get the text right so that, on a mechanical level at least, the draft ADPPA’s directives can be followed and enforced. A tremendous amount of work went into drafting the ADPPA. It’s an impressive bipartisan effort on an important and timely issue. The most recent version of the draft ADPPA, however, is difficult to interpret and if enacted into law would be challenging to implement and enforce. This comment is not a criticism of substantive decisions or policy compromises but rather an observation that in many places the text of the draft ADPPA deviates from basic standards for sound legislative drafting, producing an incoherent framework. The draft ADPPA is riddled with vague and ambiguous definitions, undefined terms, inconsistent and imprecise use of different words for the same or similar ideas, and overused, vague modifiers (reasonably, serious, significant, substantial, etc.). All this ambiguity and uncertainty will cause endless legal difficulties, make compliance a guessing game, add to the administrative burden on the Federal Trade Commission and state agencies, hinder enforcement, and undermine the important new rights granted to consumers. I do not want the landmark ADPPA to be bogged down in courts for years as judges attempt to divine the intent of Congress. My goal is not to slam the draft ADPPA, fuel opposition, or derail the legislative effort. 
To the contrary, I want Members of Congress and stakeholders to redouble their efforts to clarify the language. The good news is that there’s plenty of time if Members of Congress and stakeholders roll up their sleeves and take out their pens. Drafting federal legislation is an arduous task, more difficult than most people appreciate. Guidelines, standards, and conventions for legislative drafting help achieve consistency from statute to statute, making federal laws, at least in theory, easier to read, understand, and follow. These best practices start with the notion that federal laws be “written in plain English for real people.” Although the enacted ADPPA primarily will be read by lawyers and lobbyists, not real people, it still needs significant work if the framework is going to work. Now is the time to complete a line-by-line, word-by-word review of each provision so that the legislative language—the black and white text on the page—is as clear as possible and does what people believe it is intended to do. My article “Cleanup in Aisle ADPPA” has greater detail on making the draft ADPPA clearer.
March 19, 2023, Marc Groman
- The Origins and Taxonomy of Personal Data and its Implications for Governance
March 2014
- Home | IAF
The Information Accountability Foundation: Fearlessly Forward Thinking
Our Independence in Action: We embrace a project-driven approach to driving meaningful change. By collaborating, we can safeguard the freedom to innovate with data, ensuring it isn’t hindered by well-meaning but misguided policies or by industry missteps that erode public trust and confidence in businesses and technologies.
A Framework to Take Us Forward: To be trusted, organizations must be responsible, answerable, and prepared to demonstrate their accountability. It's critical that accountable organizations are able to think with data and pursue knowledge discovery and creation in order to engage in a trusted global digital ecosystem. Frameworks based on risk assessment and data governance enable beneficial, data-driven innovation while protecting individuals and society from the potential harms that may arise from data processing in the digital age.
The preeminent think tank enabling data to serve people and society: independent | innovative | non-profit | forward-looking | research and education | risk and governance frameworks
The Way We Think: As the new wave of AI integrates the digital, physical, and biological spheres together, we will see a tremendous impact in data-driven research. Public policy, proposed laws and regulatory approaches articulate more explicit and demonstrable accountability processes for artificial intelligence (AI). There is no common standard as to what these new processes should consist of. This void includes how DPAs and other assessment requirements should be structured. This lack of common expectations regarding standards of practice creates uncertainty for businesses wishing to grow their use of data. For research to benefit patient and societal interests, trust-enhancing frameworks should be developed for a purely digital research environment.
IAF News: October brought leadership and organizational changes to the IAF.
Fiercely Independent: We are an independent, non-profit think tank dedicated to promoting data accountability by design and advancing responsible AI governance.
Get Involved: We host and attend many events and workshops all throughout the year. View the IAF Event Calendar to see when you can get involved and RSVP.
The Power of Membership: At IAF you will find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.
- Yoga for Beginners
Introduction to basic yoga poses and breathing techniques
- There Is Privacy Law Innovation in the United States
U.S. states are leading innovation in data protection law and regulation. Four states (California, Colorado, Connecticut, and Virginia) have enacted laws that require data protection assessments (DPAs), and three states (Indiana, Tennessee, and Montana) have passed legislation requiring DPAs which are awaiting their governors’ signatures. These DPAs consider the benefits to a broad range of stakeholders, the full range of potential adverse processing impacts to consumers, and the mitigation necessary to offset those potential adverse impacts. This is where the innovation lies. Colorado, additionally, has gone a step further and adopted rules which specify the content of the DPAs. Colorado’s new privacy rules go into effect in July, and they are a game changer. Part 8 of the Colorado Rules is entitled “Data Protection Assessments.” Rule 8.02 is entitled Scope, and it states: A data protection assessment shall be a genuine, thoughtful analysis of each Personal Data Processing activity that presents a heightened risk of harm to a Consumer … that: 1) identifies and describes the risks to the rights of a consumers associated with the processing; 2) documents measures considered and taken to address and offset those risks, … 3) contemplates the benefits of the Processing; and 4) demonstrates that the benefits of the Processing outweigh the risks offset by safeguards in place. Notably, the assessment must reach beyond just the individual consumer. Section A.5. of Rule 8.04, which specifies the DPA content, states: The core purposes of the Processing activity, as well as other benefits of the Processing that may flow, directly and indirectly to the Controller, Consumer, other expected stakeholders, and the public. Section A.5 requires the DPA to look not only at the benefits associated with the processing to the controller and the consumer, but other stakeholders as well. To do that the DPA will have to actually catalog who those stakeholders might be.
Section A.6 then lists the adverse consequences that the DPA needs to assess against (contained in the table below):
Colorado examples of risks to the rights of consumers that may be considered in a DPA
  - Constitutional harms, such as speech harms or associational harms
  - Intellectual privacy harms, such as creation of negative inferences about an individual based on what an individual reads, learns, or debates
  - Data security harms, such as unauthorized access or adversarial use
  - Discrimination harms, such as a violation of federal antidiscrimination laws or antidiscrimination laws of any state or political subdivision thereof, or unlawful disparate impact
  - Unfair, unconscionable, or deceptive treatment
  - A negative outcome or decision with respect to an individual’s eligibility for a right, privilege, or benefit related to financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services
  - Financial injury or economic harm
  - Physical injury, harassment, or threat to an individual or property
  - Privacy harms, such as physical or other intrusion upon solitude or seclusion or the private affairs or concerns of Consumers, stigmatization or reputational injury
  - Psychological harm, including anxiety, embarrassment, fear, and other mental trauma; or
  - Other detrimental or negative consequences that affect an individual’s private life, private affairs, private family matters or similar concerns, including actions and communications within an individual’s home or similar physical, online or digital location, where an individual has a reasonable expectation that Personal Data or other data will not be collected, observed, or used.
Section A.7 covers mitigation measures and Section A.8 requires a balancing of benefits against the risks described in Section A.6. and the measure used to reduce those risks.
The IAF team has looked at requirements in Europe and other jurisdictions, and none contain the breadth of parties to be considered and a description of what significant risk might entail. On the one hand, there are few companies that have the current capacity for these assessments. On the other hand, Part 8 of the Colorado Rules begins to recognize that processing is not just about the consumer, as a data subject, and the controller. It recognizes that complex processing requires an assessment that looks horizontally, both through the organization and externally, to find the appropriate multi-factor balancing. This type of balancing will be required to bridge the differences between legacy privacy governance systems, and fair advanced processing including machine learning and artificial intelligence (AI). As for innovation, the Colorado rules will be studied and considered by other jurisdictions. The IAF team believes that similar rules on assessments likely will be adopted in California and will cascade from there. The IAF has initiated a new project called the “Colorado Project” that will develop an assessment template based on Colorado Rule 8 and expected future regulations in California. The Colorado Project will include a multi-stakeholder dialog to be held most likely in Colorado. The IAF June retreat in San Francisco also will include a discussion on the impact of these DPAs on the way fair AI is balanced.
April 30, 2023, Lynn A. Goldstein
- Jeff Ratner
Director, Global Cybersecurity and Privacy Law at Apple
- Socially Beneficial Project for Canada Ministry of Innovation
January 2019
- CJEU Case in SCHUFA Has Implications Beyond Credit Scoring
The European Court of Justice opinion that credit scoring constitutes automated decision-making under GDPR Article 22(1) has broader implications beyond credit-scoring. The ruling by the court “to fill a legal gap” implies that the risk scores produced by businesses like fraud detection and identity verification are automated decisions. It suggests controllers will need to obtain consent before calculating creditworthiness or other types of algorithm-based scoring that are used in a wide variety of business processes. The court’s opinion is inconsistent with modern data analytics and well-established credit scoring practices and may be at odds with the evolving role analytic driven decision-making plays in many aspects of life. These analytic processes reflect the concepts “thinking and acting with data.” Thinking with data is the robust use of data to create new insights; use of those insights to affect individuals is acting with data. Although the score related to a particular individual, until that score was used by a lender – acting with data – that score itself had no impact on an individual. GDPR Article 22 only concerns acting with data. The CJEU overlooks the distinction between thinking and acting with data in order to reach a broad interpretation of the term “decision” in GDPR Article 22(1). Big data were barely understood, and complex analytics were in their infancy, when the GDPR was adopted in 2016. The GDPR is intended to be technology neutral in many respects, but it has some gaps when it comes to regulating advanced analytics. 
Based on information contained in the order for reference, the court in SCHUFA determines that, in order to fill a legal gap – the data subject cannot obtain access to meaningful information about the logic involved in the score established by credit information agencies from the financial institution the data subject applied for a loan from and the credit information agency is not obliged to provide that information – that score is an automated decision for the purposes of GDPR Article 22(1). In our view, no such gap exists in the GDPR, but even if it did exist, the court should not have presumed what the relationship between the credit information agency and the financial institution is. In doing so, the CJEU reaches an incorrect decision. The GDPR does address how to obtain access to the information at issue here. Usually, controllers and processors enter into agreements which require the processor to assist the controller in responding to such access requests. So, data subjects can obtain access to meaningful information about the logic involved in automated decision-making from the controller, the bank. The issue in the case is what is the relevant decision? The act by which a bank agrees or refuses to grant credit to the applicant? The act by which SCHUFA derives the score from a profiling procedure? The court recognizes that the answer to this question depends on the facts in each case. The problem with the opinion is that the court goes on to make a series of incorrect presumptions about how credit scores are applied to conclude that the credit score is the decision. Ultimately, because of the fact driven nature of the inquiry, the court’s decision may not matter in the financial services industry. However, the broad holding that the court reasoned it should reach because of the absence of a legal definition of the term “decision” in the GDPR means that there are many broader implications for other industries and sectors.
For example, scoring is used in retail transactions to identify fraudulent transactions. Machine learning scores transactions in real time by analyzing factors such as device information, IP address, and location in order to identify potential fraud in ecommerce transactions. If a customer usually pays with a credit card but suddenly switches to a different payment method, it may indicate that their account has been compromised and a real-time notification is sent.
[Figure: Detecting Retail Fraud]
Another example is in healthcare. We all are familiar with the scores we receive when we get our blood test results. Are those decisions? The number determines whether a result is diabetes or not. If the doctor solely relies on the score, is the blood test result an automated decision? In the SCHUFA case, if the court’s determination that there is a gap in the GDPR because the data subject cannot obtain access to meaningful information about the logic involved in automated decision-making from the bank because the credit bureau, not the bank, has it, then the court just should have interpreted the law rather than made new law. This judicial activism is unwarranted particularly when the EU AI Act which governs credit scoring will be coming into effect soon. While banks and credit information agencies may be able to get around the holding in SCHUFA because the facts are different, the court’s ruling has implications for other businesses providing AI or other analytical scoring. The IAF policy analysis is here.
December 20, 2023, Lynn A. Goldstein
- Scott Taylor
Board Chair
Scott joined Johnson & Johnson in August 2023 and serves as the Chief Privacy Officer, where he is responsible for Privacy, including strategy, policy, governance, and operations as part of the Global Legal Organization. Scott and his team will work with J&J business groups, regions, and corporate functions to assure the implementation of the company’s Privacy policies and programs and to prioritize and integrate accountability and social responsibility into new, innovative approaches to product and services development and delivery across the company. In this role, he is a member of J&J’s Corporate Compliance Committee and will serve as the company’s global privacy representative with governments, external policymakers, NGOs, and customers. Scott is actively involved in global initiatives to advance responsible, innovative uses of data while ensuring protections for fundamental rights. He serves as ex-officio Chairman of the Board of the International Association of Privacy Professionals (IAPP), Chairman of the Board for The Information Accountability Foundation (IAF), a nonprofit policy think tank for Privacy, and as a private sector delegate in the current U.S. Administration’s efforts to globalize standards for cross-border data transfers. Over the past 20 years, prior to joining J&J, Scott served as the Chief Privacy Officer of Merck & Co., Inc., and as the Chief Privacy Officer of Hewlett-Packard Company. Scott is the Chairman of the Board at IAF.
- Cisco
- HP Inc.
- IAF Comments on Quebec Bill 64- IAF Public- French
September 2020
- IAF Comments to the EU Proposed AI Regulation
July 2021
- Origins of Accountability: Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance
February 2013
- Origins of Accountability: Accountability Phase III – Madrid Project
November 2011







