Colorado Data Protection Assessments July 2023 Home / Publications / Download PDF

HP Inc. HP Inc.

IAF Comments on Quebec Bill 64- IAF Public- French September 2020 Home / Publications / Download PDF

IAF Comments to the EU Proposed AI Regulation July 2021 Home / Publications / Download PDF

Origins of Accountability: Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance February 2013 Home / Publications / Download PDF

Origins of Accountability: Accountability Phase III – Madrid Project November 2011 Home / Publications / Download PDF

Cognizant Cognizant

IAF Comments to Brazilian LGPD International Transfer Requirements November 2022 Home / Publications / Download PDF

Bermuda Privacy Commissioner Accountability Report March 2020 Home / Publications / Download PDF

IAF Comments to the California Privacy Protection Agency Stakeholder Sessions May 2022 Home / Publications / Download PDF

Vice President, Chief Privacy & Data Ethics Officer at Cognizant Stephanie Higgins Vice President, Chief Privacy & Data Ethics Officer at Cognizant Stephanie is a seasoned global privacy professional with over twenty years of experience managing complex privacy laws and regulations for multinational businesses. Her focus is on privacy strategy including developing programs, policies, and processes necessary to ensure compliance and responsible use of data. She joined Cognizant in January 2019 as Chief Privacy and Data Ethics Officer and leads a global team focused on devising and implementing a global approach to personal information handling. Prior to her current role, she spent 18 years with Deloitte, most recently leading their Global Privacy Office and advising on data protection requirements impacting their global organization. Previously as a regulatory consultant, she specialized in data protection and technology assurance and advisory services supporting multinationals in a range of sectors. Stephanie Higgins Vice President, Chief Privacy & Data Ethics Officer at Cognizant Stephanie is a seasoned global privacy professional with over twenty years of experience managing complex privacy laws and regulations for multinational businesses. Her focus is on privacy strategy including developing programs, policies, and processes necessary to ensure compliance and responsible use of data. She joined Cognizant in January 2019 as Chief Privacy and Data Ethics Officer and leads a global team focused on devising and implementing a global approach to personal information handling. Prior to her current role, she spent 18 years with Deloitte, most recently leading their Global Privacy Office and advising on data protection requirements impacting their global organization. Previously as a regulatory consultant, she specialized in data protection and technology assurance and advisory services supporting multinationals in a range of sectors.

Origins of Accountability: Advanced Data Analytic Processing- Update to 2013 Big Data Project November 2019 Home / Publications / Download PDF

Johnson & Johnson Johnson & Johnson

Sun Life Sun Life

Director, Global Cybersecurity and Privacy Law at Apple Jeff Ratner Director, Global Cybersecurity and Privacy Law at Apple Jeff Ratner Director, Global Cybersecurity and Privacy Law at Apple

Socially Beneficial Project for Canada Ministry of Innovation January 2019 Home / Publications / Download PDF

The European Court of Justice opinion that credit scoring constitutes automated decision-making under GDPR Article 22(1) has broader implications beyond credit-scoring. The ruling by the court “to fill a legal gap” implies that the risk scores produced by businesses like fraud detection and identity verification are automated decisions. It suggests controllers will need to obtain consent before calculating creditworthiness or other types of algorithm-based scoring that are used in a wide variety of business processes. The court’s opinion is inconsistent with modern data analytics and well-established credit scoring practices and may be at odds with the evolving role analytic driven decision-making plays in many aspects of life. These analytic processes reflect the concepts “thinking and acting with data.” Thinking with data is the robust use of data to create new insights; use of those insights to affect individuals is acting with data. Although the score related to a particular individual, until that score was used by a lender – acting with data – that score itself had no impact on an individual. GDPR Article 22 only concerns acting with data. The CJEU overlooks the distinction between thinking and acting with data in order to reach a broad interpretation of the term “decision” in GDPR Article 22(1). Big data were barely understood, and complex analytics were in their infancy, when the GDPR was adopted in 2016. The GDPR is intended to be technology neutral in many respects, but it has some gaps when it comes to regulating advanced analytics. Based on information contained in the order for reference, the court in SCHUFA determines that, in order to fill a legal gap – the data subject cannot obtain access to meaningful information about the logic involved in the score established by credit information agencies from the financial institution the data subject applied for a loan from and the credit information agency is not obliged to provide that information – that score is an automated decision for the purposes of GDPR Article 22(1). In our view, no such gap exists in the GDPR, but even if it did exist, the court should not have presumed what the relationship between the credit information agency and the financial institution is. In doing so, the CJEU reaches an incorrect decision. The GDPR does address how to obtain access to the information at issue here. Usually, controllers and processors enter into agreements which require the processor to assist the controller in responding to such access requests. So, data subjects can obtain access to meaningful information about the logic involved in automated decision-making from the controller, the bank. The issue in the case is what is the relevant decision? The act by which a bank agrees or refuses to grant credit to the applicant? The act by which SCHUFA derives the score from a profiling procedure? The court recognizes that the answer to this question depends on the facts in each case. The problem with the opinion is that the court goes on to make a series of incorrect presumptions about how credit scores are applied to conclude that the credit score is the decision. Ultimately, because of the fact driven nature of the inquiry, the court’s decision may not matter in the financial services industry. However, the broad holding that the court reasoned it should reach because of the absence of a legal definition of the term “decision” in the GDPR means that there many broader implications for other industries and sectors. For example, scoring is used in retail transactions to identify fraudulent transactions. Machine learning scores transactions in real time by analyzing factors such as device information, IP address, and location in order to identify potential fraud in ecommerce transactions. If a customer usually pays with a credit card but suddenly switches to a different payment method, it may indicate that their account has been compromised and a real-time notification is sent. Detecting Retail Fraud Another example is in healthcare. We all are familiar with the scores we receive when we get our blood test results. Are those decisions? The number determines whether a result is diabetes or not. If the doctor solely relies on the score, is the blood test result an automated decision? In the SCUFA case, if the court’s determination that there is a gap in the GDPR because the data subject cannot obtain access to meaningful information about the logic involved in automated decision-making from the bank because the credit bureau, not the bank, has it, then the court just should have interpreted the law rather than made new law. This judicial activism in unwarranted particularly when the EU AI Act which governs credit scoring will be coming into effect soon. While banks and credit information agencies may be able to get around the holding in SCHUFA because the facts are different, the court’s ruling has implications for other businesses providing AI or other analytical scoring. The IAF policy analysis is here . CJEU Case in SCHUFA Has Implications Beyond Credit Scoring December 20, 2023 Lynn A. Goldstein Articles and News Publications Media

Board Chair Scott Taylor Board Chair Scott joined Johnson & Johnson in August 2023 and serves as the Chief Privacy Officer, where he is responsible for Privacy, including strategy, policy, governance, and operations as part of the Global Legal Organization. Scott and his team will work with J&J business groups, regions, and corporate functions to assure the implementation of the company’s Privacy policies and programs and to prioritize and integrate accountability and social responsibility into new, innovative approaches to product and services development and delivery across the company. In this role, he is a member of J&J’s Corporate Compliance Committee and will serve as the company’s global privacy representative with governments, external policymakers, NGOs, and customers. Scott is actively involved in global initiatives to advance responsible, innovative uses of data while ensuring protections for fundamental rights. He serves as ex-officio Chairman of the Board of the International Association of Privacy Professionals (IAPP), Chairman of the Board for The Information Accountability Foundation (IAF), a nonprofit policy think tank for Privacy, and as a private sector delegate in the current U.S. Administration’s efforts to globalize standards for cross-border data transfers. Over the past 20-years, prior to joining J&J, Scott served as the Chief Privacy Officer of Merck & Co., Inc., and as the Chief Privacy Officer of Hewlett-Packard Company. Scott is the Chairman of the Board at IAF. Scott Taylor Board Chair Scott joined Johnson & Johnson in August 2023 and serves as the Chief Privacy Officer, where he is responsible for Privacy, including strategy, policy, governance, and operations as part of the Global Legal Organization. Scott and his team will work with J&J business groups, regions, and corporate functions to assure the implementation of the company’s Privacy policies and programs and to prioritize and integrate accountability and social responsibility into new, innovative approaches to product and services development and delivery across the company. In this role, he is a member of J&J’s Corporate Compliance Committee and will serve as the company’s global privacy representative with governments, external policymakers, NGOs, and customers. Scott is actively involved in global initiatives to advance responsible, innovative uses of data while ensuring protections for fundamental rights. He serves as ex-officio Chairman of the Board of the International Association of Privacy Professionals (IAPP), Chairman of the Board for The Information Accountability Foundation (IAF), a nonprofit policy think tank for Privacy, and as a private sector delegate in the current U.S. Administration’s efforts to globalize standards for cross-border data transfers. Over the past 20-years, prior to joining J&J, Scott served as the Chief Privacy Officer of Merck & Co., Inc., and as the Chief Privacy Officer of Hewlett-Packard Company. Scott is the Chairman of the Board at IAF.

Cisco Cisco

Big Data Ethics Initiative: Assessment Framework (Part B) July 2015 Home / Publications / Download PDF