AT&T AT&T

Managing Director Katie Beem Managing Director Katie Beem Managing Director

IAF Comments to the Colorado Attorney General on the Colorado Privacy Act Stakeholder Sessions August 2022 Home / Publications / Download PDF

Dear Friends, I am excited to share news about some important changes at the Information Accountability Foundation. In the eleven years since Marty Abrams founded the IAF, the organization has grown into a respected, global leader in our work with regulators and industry executives to advance accountability, data stewardship, and ethics. With Marty’s transition last year, we were fortunate to welcome Elizabeth Denham CBE, former Information Commissioner of the United Kingdom and Information and Privacy Commissioner of British Columbia, to the role of Chief Policy Strategist. Her leadership has been invaluable. Now, with Liz’s appointment as Chair of the Jersey Data Protection Authority, the IAF board has had the opportunity, and need, to reconsider the structure and operations of the Foundation. Our mission remains the same: to build on the great successes of the IAF while becoming even more nimble in tackling the most pressing issues in data governance and stewardship. We are also focused on optimizing our resources to ensure that more of every dollar goes directly to driving impactful projects for our members and partners. To that end, I am delighted to announce that the IAF Board today unanimously approved the appointment of Fred Cate as IAF’s new Executive Director and Stan Crosley as Chief Policy Strategist. Fred and Stan are industry veterans with over three decades of experience in data privacy and security, and bring a wealth of knowledge, leadership, and innovation to these roles. Both are very familiar with IAF and Stan currently serves as a Senior Strategist with the Foundation. Together, they are well positioned to help strengthen and lead IAF into an exciting new chapter, focusing on delivering high-impact projects that address specific, timely needs, with fewer routine calls and briefings. In addition to these leadership changes, we’re taking significant steps to streamline our operations and reduce overhead, allowing us to be more flexible and focused on our core mission. As part of this transformation, the Board has decided to contract for limited administrative support, which will unfortunately result in phasing out three staff positions. It is with tremendous appreciation and great regret that we bid farewell to Barb Lawler, President of IAF; Candy Johnson, Director of Finance & Accounting; and Stephanie Pate, Administration and Operations Manager. We are deeply grateful to all three of these colleagues and to the many other strategists, policy board members, supporters, participants, and partners whose hard work has made IAF what it is today. Over the past month, Fred, Stan, and members of the Board have actively engaged with our financial supporters and partners, including at our September members’ retreat. The goal in all of these interactions has been not merely to discuss the transition, but to learn where you see the areas of greatest concern and opportunities for maximum impact. I know you will be hearing more from Fred and Stan in the near future. But for the moment, on behalf of the entire Board, I want to welcome them to their new roles at IAF and thank our staff and each of you for your vision, commitment, patience, and support. Scott Taylor Board Chair Fred H. Cate Executive Director Fred H. Cate is a Distinguished Professor, C. Ben Dutton Professor of Law, and A djunct Professor of Informatics and Computing at Indiana University. He is also a senior advisor to Red Barn Strategy, a strategic consulting firm he created with Stan Crosley that partners with government and private organizations to advance strategic data management, security, and use. Professor Cate specializes in information security and privacy law and has testified before numerous congressional committees and served on advisory groups for many professional, industry, and government groups including DHS, DOD, NSA, FTC, OECD, the National Academies of Science, Engineering, and Medicine, the United Nations, Microsoft, Intel, and many other organizations. He chaired the National Academies study on Law Enforcement and Intelligence Access to Encrypted Content. He served as the founding director of IU’s Center for Applied Cybersecurity Research from 2003 to 2014, where he is now a senior fellow, and IU’s Center for Law, Ethics & Applied Research in Health Information from 2010 to 2015. He served from 2001 to 2021 as a Senior Policy Advisor at The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP. He is the author of more than 200 articles and books, served as the privacy editor for the Institute of Electrical and Electronic Engineers’ Security & Privacy, and was one of the founding editors of the Oxford University Press journal, International Data Privacy Law . Professor Cate attended Oxford University and received his J.D. and his A.B. with Honors and Distinction from Stanford University. A former S enator and President of the Phi Beta Kappa Society, he is a fellow of Phi Beta Kappa and the American Bar Foundation , and an elected member of the Council on Foreign Relations and the American Law Institute . He is chair-elect of the Indiana State Museum and Historic Sites. Stan Crosley Chief Policy Strategist Stan Crosley is the founder and managing partner of Crosley Law Offices and, along with Fred Cate, in 2022 created and launched Red Barn Strategy. The two organizations work with some of the largest and most successful multinational corporations in the world on data strategy and data governance, as well as small start-ups and non-profits, across the business ecosystem. Stan has more than 25 years of privacy and data strategy experience and is the former Chief Privacy Officer at Eli Lilly and Company, where he initiated and implemented the privacy program in 2000 as one of the first CPOs in the United States. Stan is an Adjunct Professor of Maurer School of Law and a Senior Fellow with the Future of Privacy Forum. Stan was recently named a Westin Emeritus Fellow by the International Association of Privacy Professionals (IAPP), one of only 50 globally among a professional association of 85,000 members. Stan was a co-founder of the International Pharmaceutical and Medical Device Privacy Consortium, which he chaired for its first decade, and is a former member of the board of IAPP, and co-chair of the HHS/ONC Privacy and Security Workgroup. Stan’s experience extends from in-house chief privacy officer to an attorney with three separate large law firms, to appointments in academia, research NGOs, non-profit advisory boards, and federal government committees and is a frequent speaker on data strategy, digital governance, and data protection at conferences around the world. IAF Leadership Announcement October 1, 2024 Scott Taylor Articles and News Publications Media

2023 Quarterly Spotlight- Q2 & Q3 September 2023 Home / Publications / Download PDF

We will discuss the significant range and unique nature of digital incidents that can impact companies and how such incidents are urgent drivers for digital governance to enable timely response plans. This will include a discussion of digital litigation response, deepfake and datafake responses, societal disruption planning, and artificial intelligence litigation. Courtesy of the IAPP Digital Incident and litigation Response Playbook 59:37 We will discuss the significant range and unique nature of digital incidents that can impact companies and how such incidents are urgent drivers for digital governance to enable timely response plans. This will include a discussion of digital litigation response, deepfake and datafake responses, societal disruption planning, and artificial intelligence litigation. Courtesy of the IAPP X (Twitter) LinkedIn Facebook WhatsApp Copy link Related Videos TedX Talk: Fred Cate, Privacy and Consent 13:23 Nov 11, 2019 View More Digital Incident and litigation Response Playbook 59:37 Sep 14, 2024 View More Information Accountability Foundation Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People Menu Close Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People Search Menu Close Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People

Essential Elements of Accountability Fair Processing Stewardship Elements- Table December 2020 Home / Publications / Download PDF

Ethical Accountability Framework for Hong Kong Report October 2018 Home / Publications / Download PDF

Trusted Digital Transformation- Considerations for Canadian Public Policy January 2019 Home / Publications / Download PDF

First Orion First Orion

1 CJEU Case in SCHUFA Has Far Reaching Implications Beyond Credit Scoring Martin Abrams, Emeritus Lynn Goldstein, Senior Strategist The European Court of Justice opinion, SCHUFA, that credit scoring constitutes automated decision-making under GDPR Article 22(1) has broader implications beyond credit-scoring. The ruling by the court “to fill a legal gap” implies that the risk scores produced by businesses like fraud detection and identity verification are automated decisions. It suggests controllers will need to obtain consent before calculating creditworthiness or other types of algorithm-based scoring that are used in a wide variety of business processes. The court’s opinion is inconsistent with modern data analytics and well-established credit scoring practices and may be at odds with the evolving role analytic driven decision-making plays in many aspects of life. These analytic processes reflect the concepts “thinking and acting with data.” Thinking with data is the robust use of data to create new insights; use of those insights to affect individuals is acting with data. Although the score in SCHUFA related to a particular individual, until that score was used by a lender – acting with data – that score itself had no impact on an individual. GDPR Article 22 only concerns acting with data. The CJEU overlooks the distinction between thinking and acting with data in order to reach a broad interpretation of the term “decision” in GDPR Article 22(1). Big data were barely understood, and complex analytics were in their infancy, when the GDPR was adopted in 2016. The GDPR is intended to be technology neutral in many respects, but it has some gaps when it comes to regulating advanced analytics. Based on information contained in the order for reference, the court in SCHUFA determines that, in order to fill a legal gap – the data subject cannot obtain access to meaningful information about the logic involved in the score established by credit information agencies from the financial institution the data subject applied for a loan from and the credit information agency is not obliged to provide that information – that score is an automated decision for the purposes of GDPR Article 22(1). In our view, no such gap exists in the GDPR, but even if it did exist, the court should not have presumed what the relationship between the credit information agency and the financial institution is. In doing so, the CJEU reaches an incorrect decision. The GDPR does address how to obtain access to the information at issue here. Usually, controllers and processors enter into agreements which require the processor to assist the controller in responding to such access requests. So, data subjects can obtain access to meaningful information about the logic involved in automated decision-making from the controller, the bank. The issue in the case is what is the relevant decision? The act by which a bank agrees or refuses to grant credit to the applicant? The act by which SCHUFA derives the score from a profiling procedure? The court recognizes that the answer to this question 2 depends on the facts in each case. The problem with the opinion is that the court goes on to make a series of incorrect presumptions about how credit scores are applied to conclude that the credit score is the decision. Ultimately, because of the fact driven nature of the inquiry, the court’s decision may not matter in the financial services industry. However, the broad holding that the court reasoned it should reach because of the absence of a legal definition of the term “decision” in the GDPR means that there are many broader implications for other industries and sectors. For example, scoring is used in retail transactions to identify fraudulent transactions. “Machine learning scores transactions in real time by analyzing factors such as device information, IP address, and location in order to identify potential fraud in ecommerce transactions. If a customer usually pays with a credit card but suddenly switches to a different payment method, it may indicate that their account has been compromised and a real-time notification is sent.” Detecting Retail Fraud Another example is in healthcare. We all are familiar with the scores we receive when we get our blood test results. Are those decisions? The number determines whether a result is diabetes or not. If the doctor solely relies on the score, is the blood test result an automated decision? In the SCHUFA case, if the court’s determination that there is a gap in the GDPR because the data subject cannot obtain access to meaningful information about the logic involved in automated decision-making from the bank because the credit bureau, not the bank, has it, then the court just should have interpreted the law rather than made new law. This judicial activism in unwarranted particularly when the EU AI Act which governs credit scoring will be coming into effect soon. While banks and credit information agencies may be able to get around the holding in SCHUFA because the facts are different, the court’s ruling has implications for other businesses providing AI or other analytical scoring. ANALYSIS OF THE CASE SCHUFA Holding AG is a German credit information agency that provides its clients, financial institutions, with information on the credit worthiness of individuals. SCHUFA provided a financial institution with a score for OQ which served as the basis for the refusal to grant the credit for which OQ applied. OQ then requested SCHUFA to erase the entry concerning her and to give her access to her data, but SCHUFA merely informed her of the score and, in broad outline, of the principles underlying the calculation method for the score, without informing her of the specific data included in that calculation or of the relevance accorded to them in that context, asserting that the calculation method is a trade secret. OQ brought a case against SCHUFA. The court stayed the case and referred to the CJEU for a preliminary ruling on the question of whether GDPR Article 22(1) is to be interpreted as meaning that the automated establishment of a score by the credit 3 information agency concerning the ability of a data subject to service a loan constitutes a decision within the purview of GDPR Article 22(1). CJECU HOLDS CREDIT SCORE IS AN AUTOMATED DECISION In holding that the creation of the score, itself, was an automated decision, the CJEU broadly interprets the term “decision. In determining what is the relevant “decision,” the CJEU observes there is, on the one hand, the act by which a bank agreed or refused to grant credit to the applicant, and on the other hand, the score derived from a profiling procedure conducted by SCHUFA. The CJEU was unable to answer this question because the answer depends on the way in which the decision-making process is structured in each particular case. The CJEU states that this process typically includes several phases: profiling, establishment of the score, and the actual decision on the grant of credit. The CJEU speculates that although a financial institution can take on this process, there is nothing to prevent it from, by contract, assigning certain tasks, such as profiling and scoring, to a credit information agency. The CJEU then incorrectly speculates that the decision-making process could be conceived in such a way that the scoring by the credit information agency predetermines the decision by the financial institution to grant or refuse to grant credit, Thus, if the scoring were carried out without any human intervention that could verify its result and the fairness of the decision with respect of the credit applicant, the CJEU thinks it logical for the scoring itself to constitute the “decision” under GDPR Article 22(1). The CJEU then determines the information contained in the order for reference suggested that the score established by a credit information agency and transmitted to a financial institution generally tends to predetermine the financial institution’s decision to grant or refuse to grant credit to the data subject. Even though the CJEU acknowledges that the facts need to be assessed in each individual case, the CJEU concludes that the score itself is a “decision” within the meaning of GDPR Article 22(1). A GAP IN LEGAL PROTECTION? The CJEU states that it is reasonable to draw this conclusion because a strict reading of GDPR Article 22(1) would give rise to a gap in legal protection. On the one hand, SCHUFA would not be required to provide information to the data subject under GDPR Article 15(1)(h) since it would not be the one making an “automated decision” within the meaning of GDPR Articles 15(1)(h) and 22(1). On the other hand, the financial institution to whom the score is communicated cannot provide information under these Articles because it does not have it and would be unable to review the evaluation of the creditworthiness of the credit applicant if the decision is contested. To avoid this perceived gap, the CJEU proposes an interpretation of GDPR Article 22(1) which it thinks considers the real impact of scoring on the data subject. The CJEU thinks this approach logical as the credit information agency, should, in general, be the only entity capable of responding to requests from the data subject based on the rights guaranteed by GDPR Articles 16 (right to rectification) and 17 (right to erasure), The CJEU wrongly observes that the financial institution generally is not involved in either 4 collecting those data or profiling where those tasks are “assigned” to the credit information agency. There is no gap in the GDPR. The CJEU says that SCHUFA is the only entity capable of responding, but not obligated to respond, to data subject requests under GDPR Articles 15 – 17, and that the only way to solve this gap is to conclude that a score is a decision under GDPR 22(1). The CJEU is incorrect. The CJEU makes incorrect assumptions about the credit information agency – financial institution relationship (the CJEU does not refer to any information contained in the order for reference about the relationship between the credit information agency and the financial institution). This relationship is fact based and must be determined in every case, but generally the financial institution is the controller, and the credit information agency is the processor. When there is a controller-processor relationship, under GDPR Article 28(3), the controller and the processor must enter into a contract that governs the processing the processor does for the controller. Under Article 28(3)(3), the contract must provide that the processor assist the controller in fulfilling “the controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III.” Articles 15 – 17 are in Chapter III. Therefore, even though the financial institution does not have information about the score, when it receives a request from its customer, the contract it has with the credit information agency requires the credit information agency to assist financial institution in: • Reviewing the evaluation of the creditworthiness of the credit applicant if the decision is contested, and • Responding to requests based on the right of access to data upon which the decision was based, the right to rectification where personal data to carry out scoring proved to be inaccurate, and the right to erasure where those data have been unlawfully processed. Thus, there is no “legal protection gap;” the controller can provide the information when the processor has it because the contract between the controller and the processor requires the processor to assist the controller in providing information in response to requests in Chapter III. CREDIT SCORING AND THE AI ACT The result in SCHUFA is inconsistent with modern data analytics and well-established credit scoring practices. Both of these processes reflect the concepts “thinking and acting with data.” Thinking with data is the robust use of data to create new insights; use of those insights to affect individuals is acting with data. Part of thinking with data is determining the likelihood of an event happening. In developing the scoring mechanism, SCHUFA was a controller but not using data to make a decision on an individual. Credit scores are not stored by bureaus. They are derived at the time of the request. When SCHUFA determined the credit score at issue here, one could argue about whether it was thinking or acting with data. What is not debatable is that in certain factual situations, the credit information agency is acting as a processor for the bank. Although the score 5 related to a particular individual, until that score was used by a lender – acting with data – that score itself had no impact on an individual. GDPR Article 22 only concerns acting with data. The CJEU overlooks the distinction between thinking and acting with data in order to reach a broad interpretation of the term “decision” in GDPR Article 22(1). There is no gap in legal protection; however, if there were, let the new EU AI Act cover it. This broad reading of the term “decision” by the CJEU is unnecessary.. Under the new EU AI Act, high-risk AI systems are those that pose significant risk to fundamental rights, such as those used for credit scoring. High-risk AI systems must comply with strict rules on data quality, transparency, human oversight, accuracy, robustness, and security. Rather than shoehorn the scoring practices at issue in SCHUFA under the GDPR, let the new AI Act come into effect and let the practices at issue in SCHUFA be governed by it. Not every issue involving personal data must go through the GDPR. The GDPR does address how to get the information at issue here, but even if it did not, then the new AI Act addresses how to get it. CREDIT SCORING Credit scoring has existed for a longer period of time in the U.S. than in the EU. Some learnings in the U.S. have relevance. When David Medine was director of financial practices at the FTC, he said he preferred decisions based on credit scores to those made by lending officers with possible prejudices, Time has shown that scoring expanded credit further and deeper into populations. The inconsistent data pertaining to populations baked prejudice into the process. It was and is a data issue. A credit score is a tool to make better decisions. Not perfect decisions, but better decisions. Credit scores are based on probability. The logic could be explained by saying that if there were a hundred consumers whose data looked like you, x number would go bad over a determined period of time. Bad could be a credit default or a significant delinquency. Explaining the logic in those terms is a doable task by the model developer. The concept of scoring for significant decisions has been more sensitive in the EU than the U.S. That is why making the logic transparent is important. However, defining the creation of the science behind the score as decisioning has ramifications. GDPR Articles 9 and 89 come into play and impede conducting the science. Scoring has been sensitive in Europe for over 25 years for several reasons. First, the protection of human dignity – preventing the data subject from being subject to a decision based solely on automated processing. Second, the data in Europe was a negative, not full, file. There is no gap in the GDPR. Going beyond the information contained in the order for reference and making incorrect assumptions about the credit information agency - financial institution relationship led the CJEU to broadly interpret the term “decision” in GDPR Article 22(1) in order to address a nonexistent gap. Even if there were a gap, it is not unusual for gaps to exist in legislation; there is nothing wrong in not having anticipated every possible use of technology when the GDPR was drafted, especially 6 when new legislation, the AI Act, is awaiting final passage that will address this new technology. CJEU Case in SCHUFA Credit Scoring- Policy Analysis December 2023 Home / Publications / Download PDF

The following blog was taken directly from the IAF comments filed in response to the California Privacy Protection Agency request for comments on assessments and automated decision – making . The February 10, 2023, Invitation for Preliminary Comments asks a series of questions related to automated decision-making and profiling. The IAF is not responding to the specific questions but instead setting forth some basics for the discussion. The fact is that automated decision-making is baked into how things work on an everyday basis. For example, the CPPA uses automated decision-making on requests from browsers to access the CPPA’s servers on a daily basis. These decisions have the effect of limiting who can browse the CPPA’s website and file complaints. This is good because the alternative would be constant security breaches. However, the issues related to profiling and automated decision-making predate when consumer browsers made the Internet a consumer medium. Martin Abrams, former President and current Chief Policy Innovation Officer of the IAF, was the President of the Centre for Information Policy Leadership (CIPL), the Vice President, Information Policy, Experian, Director Consumer Policy, TRW Information Systems and Services and the Community Affairs Officer of the Cleveland Federal Reserve Bank. His background gives him the perspective to provide the following comments. The consumer Internet accelerated an observational age that in turn accelerated the use of data for probabilistics pertaining to how people behave. The first broad-based probabilistic use of consumer data was probably the Fair Isaac credit risk score in 1989. It was quickly adopted by the consumer lending industry as an aid to better decisioning than was possible with the subjectivity of decisions made purely by lending officers. Soon that aid to people evolved into automated credit decisions. The U.S. Department of Justice (DOJ) investigated whether those decisions had the effect of making decisions on grounds that violated the Equal Credit Opportunity Act (ECOA). Since the data for credit risk scores came directly from credit bureaus, the FCRA required that the use of scores must be disclosed along with the factors that led to the denial. So, from the very beginning, the use of profiling and automated decision-making for substantive decisions were covered by a fair processing law, the FCRA. In Europe, there was no uniformity in the data available for consumer credit decision-making. As Europe evolved towards the creation of the 1995 EU Privacy Directive, there were debates on whether it was unseemly for decisions on people to be made solely by a machine. Those concepts on what is seemly or not influenced the drafting of Article 22 of the GDPR. So, there are cultural differences between the way that Europe sees these issues and the way they are seen in the United States. The fact is that the relationship between profiling, the use of probabilistics against broad data sets, and automated decision-making is muddled still under Article 22 of the GDPR. The 21st century saw the rise of analytic skills that allowed for the use of unstructured data into advanced analytic processes. Legacy statistics tested causality, while the growth of big data switched the dominant theme to correlation. This change naturally raised questions about the accuracy of the correlations, whether they were appropriate to apply, and whether they were influenced by the bias built into available data sets. This development has informed the debate about algorithmic fairness. These concerns have accelerated with the growing use of AI, which is the next stage of advanced analytics in our observational world. So, in thinking about the questions the CPPA is asking, some pragmatic truths need to be addressed: Profiling is probabilistics built with consumer data. Building choice into the data that feeds the probabilistics has the unintended consequences of skewing the accuracy of predictive values. Choice worked when the relationship was one on one. Most relationships are no longer one on one. Ours is an observational world where there are not many one-on-one relationships. Choice no longer fits and indeed harms the process in an observational world. Automated decision-making is built into how many modern processes work, including the functioning of the CPPA’s cybersecurity processes. Many automated decision-making processes are subject already to laws such as the FCRA, ECOA, and Fair Housing Act (FHA). The FCRA, ECOA, and FHA wrestled with these issues already and decided that the benefits of the automated decision-making outweighed the risks. Those Acts have methods for determining whether the automated decision-making is biased or not (after the fact testing), and those methods are just as applicable today as they were when they were implemented. Much of the emotions that pertain to automated decision-making are related directly to whether one thinks it is fairer for a person to make a decision or whether a well-governed algorithm, in the end, would be fairer. As mentioned above, the DOJ in the context of the ECOA decided that a well-governed algorithm was better. The IAF staff believes this is where the discussion should begin. Automated Decision-Making and Profiling are Not New Issues March 28, 2023 Martin Abrams Articles and News Publications Media

IAF Releases DRAFT Model S. Privacy Framework Discussion Document December 2018 Home / Publications / Download PDF

Adverse Processing Impact Definition from IAF Fair and Open Use Act February 2022 Home / Publications / Download PDF

Global Chief Digital Responsibility and Public Policy Officer @ IPG/Kinesso Sheila Colclasure Global Chief Digital Responsibility and Public Policy Officer @ IPG/Kinesso As Global Chief Digital Responsibility and Public Policy Officer, Sheila leads the global data policy and digital responsibility strategies for Kinesso, ensuring that data and digital technology are used ethically and accountably across the enterprise and with IPG clients. This means ensuring data and tech are used in ways that serve people. She helps ensure practices operating at the leading edge of digital technology are consistent with principles of responsible, respectful, proportionate and fair data use. Sheila is responsible for public policy engagement with regulators, policy groups, clients and other key stakeholders globally, advocating for ethical advertising and marketing practices, in ways that earn trust. She is an advisor on the development and deployment of Kinesso’s data-driven and digital solutions and services. She is a trusted thought partner, advisor, and reputational champion for IPG companies. Ms. Colclasure is a recognized global thought leader on applied data ethics, accountable data governance and human-centered digital responsibility. Sheila has extensive knowledge of laws and societal expectations governing the collection and use of information, with particular depth in the rapidly evolving data-driven advertising and marketing ecosystem and ethical AI. She is continuously sought out by policy makers, regulators and government agencies for her views on data integrity and how to address the complexity of operationalizing and harmonizing next[1]generation data governance for the global digital data-driven ecosystem. Sheila is a Presidential Leadership Scholar and was recognized by CSO as one of the “12 amazing women in security” (2017.) She is a frequent speaker and media interviewee and has advanced data leadership and policy with the marketplace, regulators and lawmakers in many fora, including the U.S. HHS Datapalooza, Attorney General Alliance, Dublin Tech Summit, Global Data Transparency Lab, Information Accountability Foundation (IAF) Digital University for Regulator Series, and Ibero-American Data Protection Network. Sheila has presented key talks at global events for the Consumer Electronics’ Show, Forrester, adExchanger, International Association of Privacy Professionals, Healthcare Information and Management Systems Society, Digital Advertising Alliance, OutSell DataMoney, ShopTalk, Philly Phorum, American Bar Association and the Marketing Sciences Institute. Sheila serves on the advisory board of the IAF and is corporate liaison to several industry standards-setting groups. Prior to joining IPG Kinesso, she was the Acxiom Global Chief Data Ethics Officer and Public Policy Executive, Manager of Congressional and Political Affairs for the American Institute of Certified Public Accountants in Washington, D.C., and Staff Assistant in the U.S. Senate. Sheila has a master’s degree in communications, specializing in business and political communication. Sheila Colclasure Global Chief Digital Responsibility and Public Policy Officer @ IPG/Kinesso As Global Chief Digital Responsibility and Public Policy Officer, Sheila leads the global data policy and digital responsibility strategies for Kinesso, ensuring that data and digital technology are used ethically and accountably across the enterprise and with IPG clients. This means ensuring data and tech are used in ways that serve people. She helps ensure practices operating at the leading edge of digital technology are consistent with principles of responsible, respectful, proportionate and fair data use. Sheila is responsible for public policy engagement with regulators, policy groups, clients and other key stakeholders globally, advocating for ethical advertising and marketing practices, in ways that earn trust. She is an advisor on the development and deployment of Kinesso’s data-driven and digital solutions and services. She is a trusted thought partner, advisor, and reputational champion for IPG companies. Ms. Colclasure is a recognized global thought leader on applied data ethics, accountable data governance and human-centered digital responsibility. Sheila has extensive knowledge of laws and societal expectations governing the collection and use of information, with particular depth in the rapidly evolving data-driven advertising and marketing ecosystem and ethical AI. She is continuously sought out by policy makers, regulators and government agencies for her views on data integrity and how to address the complexity of operationalizing and harmonizing next[1]generation data governance for the global digital data-driven ecosystem. Sheila is a Presidential Leadership Scholar and was recognized by CSO as one of the “12 amazing women in security” (2017.) She is a frequent speaker and media interviewee and has advanced data leadership and policy with the marketplace, regulators and lawmakers in many fora, including the U.S. HHS Datapalooza, Attorney General Alliance, Dublin Tech Summit, Global Data Transparency Lab, Information Accountability Foundation (IAF) Digital University for Regulator Series, and Ibero-American Data Protection Network. Sheila has presented key talks at global events for the Consumer Electronics’ Show, Forrester, adExchanger, International Association of Privacy Professionals, Healthcare Information and Management Systems Society, Digital Advertising Alliance, OutSell DataMoney, ShopTalk, Philly Phorum, American Bar Association and the Marketing Sciences Institute. Sheila serves on the advisory board of the IAF and is corporate liaison to several industry standards-setting groups. Prior to joining IPG Kinesso, she was the Acxiom Global Chief Data Ethics Officer and Public Policy Executive, Manager of Congressional and Political Affairs for the American Institute of Certified Public Accountants in Washington, D.C., and Staff Assistant in the U.S. Senate. Sheila has a master’s degree in communications, specializing in business and political communication.

DLA Piper DLA Piper

IAF Comments on Quebec Bill 64- IAF Public- English September 2020 Home / Publications / Download PDF

Colorado Data Protection Assessments July 2023 Home / Publications / Download PDF

Director, Global Cybersecurity and Privacy Law at Apple Jeff Ratner Director, Global Cybersecurity and Privacy Law at Apple Jeff Ratner Director, Global Cybersecurity and Privacy Law at Apple

Socially Beneficial Project for Canada Ministry of Innovation January 2019 Home / Publications / Download PDF