
Search Results

197 results found with an empty search

  • Comments to Canada Parliament House of Commons on Bill C-27

    November 2023

  • Legitimate Interests and Integrated Risk and Benefits Assessment

    September 2017

  • Osler, Hoskin & Harcourt


  • Comprehensive Data Impact Assessment (CDIA) Framework

    November 2016

  • IAF Comments in Response to the California Privacy Protection Agency CPR

    November 2021

  • Red Barn Strategy


  • AT&T


  • Katie Beem

    Managing Director

  • IAF Comments to the Colorado Attorney General on the Colorado Privacy Act Stakeholder Sessions

    August 2022

  • IAF Leadership Announcement

    Dear Friends,

    I am excited to share news about some important changes at the Information Accountability Foundation. In the eleven years since Marty Abrams founded the IAF, the organization has grown into a respected, global leader in our work with regulators and industry executives to advance accountability, data stewardship, and ethics. With Marty’s transition last year, we were fortunate to welcome Elizabeth Denham CBE, former Information Commissioner of the United Kingdom and Information and Privacy Commissioner of British Columbia, to the role of Chief Policy Strategist. Her leadership has been invaluable.

    Now, with Liz’s appointment as Chair of the Jersey Data Protection Authority, the IAF board has had the opportunity, and need, to reconsider the structure and operations of the Foundation. Our mission remains the same: to build on the great successes of the IAF while becoming even more nimble in tackling the most pressing issues in data governance and stewardship. We are also focused on optimizing our resources to ensure that more of every dollar goes directly to driving impactful projects for our members and partners.

    To that end, I am delighted to announce that the IAF Board today unanimously approved the appointment of Fred Cate as IAF’s new Executive Director and Stan Crosley as Chief Policy Strategist. Fred and Stan are industry veterans with over three decades of experience in data privacy and security, and bring a wealth of knowledge, leadership, and innovation to these roles. Both are very familiar with IAF and Stan currently serves as a Senior Strategist with the Foundation. Together, they are well positioned to help strengthen and lead IAF into an exciting new chapter, focusing on delivering high-impact projects that address specific, timely needs, with fewer routine calls and briefings.

    In addition to these leadership changes, we’re taking significant steps to streamline our operations and reduce overhead, allowing us to be more flexible and focused on our core mission. As part of this transformation, the Board has decided to contract for limited administrative support, which will unfortunately result in phasing out three staff positions. It is with tremendous appreciation and great regret that we bid farewell to Barb Lawler, President of IAF; Candy Johnson, Director of Finance & Accounting; and Stephanie Pate, Administration and Operations Manager. We are deeply grateful to all three of these colleagues and to the many other strategists, policy board members, supporters, participants, and partners whose hard work has made IAF what it is today.

    Over the past month, Fred, Stan, and members of the Board have actively engaged with our financial supporters and partners, including at our September members’ retreat. The goal in all of these interactions has been not merely to discuss the transition, but to learn where you see the areas of greatest concern and opportunities for maximum impact. I know you will be hearing more from Fred and Stan in the near future. But for the moment, on behalf of the entire Board, I want to welcome them to their new roles at IAF and thank our staff and each of you for your vision, commitment, patience, and support.

    Scott Taylor, Board Chair

    Fred H. Cate, Executive Director

    Fred H. Cate is a Distinguished Professor, C. Ben Dutton Professor of Law, and Adjunct Professor of Informatics and Computing at Indiana University. He is also a senior advisor to Red Barn Strategy, a strategic consulting firm he created with Stan Crosley that partners with government and private organizations to advance strategic data management, security, and use.

    Professor Cate specializes in information security and privacy law and has testified before numerous congressional committees and served on advisory groups for many professional, industry, and government groups including DHS, DOD, NSA, FTC, OECD, the National Academies of Science, Engineering, and Medicine, the United Nations, Microsoft, Intel, and many other organizations. He chaired the National Academies study on Law Enforcement and Intelligence Access to Encrypted Content. He served as the founding director of IU’s Center for Applied Cybersecurity Research from 2003 to 2014, where he is now a senior fellow, and IU’s Center for Law, Ethics & Applied Research in Health Information from 2010 to 2015. He served from 2001 to 2021 as a Senior Policy Advisor at The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP. He is the author of more than 200 articles and books, served as the privacy editor for the Institute of Electrical and Electronic Engineers’ Security & Privacy, and was one of the founding editors of the Oxford University Press journal, International Data Privacy Law. Professor Cate attended Oxford University and received his J.D. and his A.B. with Honors and Distinction from Stanford University. A former Senator and President of the Phi Beta Kappa Society, he is a fellow of Phi Beta Kappa and the American Bar Foundation, and an elected member of the Council on Foreign Relations and the American Law Institute. He is chair-elect of the Indiana State Museum and Historic Sites.

    Stan Crosley, Chief Policy Strategist

    Stan Crosley is the founder and managing partner of Crosley Law Offices and, along with Fred Cate, in 2022 created and launched Red Barn Strategy. The two organizations work with some of the largest and most successful multinational corporations in the world on data strategy and data governance, as well as small start-ups and non-profits, across the business ecosystem.

    Stan has more than 25 years of privacy and data strategy experience and is the former Chief Privacy Officer at Eli Lilly and Company, where he initiated and implemented the privacy program in 2000 as one of the first CPOs in the United States. Stan is an Adjunct Professor of Maurer School of Law and a Senior Fellow with the Future of Privacy Forum. Stan was recently named a Westin Emeritus Fellow by the International Association of Privacy Professionals (IAPP), one of only 50 globally among a professional association of 85,000 members. Stan was a co-founder of the International Pharmaceutical and Medical Device Privacy Consortium, which he chaired for its first decade, and is a former member of the board of IAPP, and co-chair of the HHS/ONC Privacy and Security Workgroup. Stan’s experience extends from in-house chief privacy officer to an attorney with three separate large law firms, to appointments in academia, research NGOs, non-profit advisory boards, and federal government committees and is a frequent speaker on data strategy, digital governance, and data protection at conferences around the world.

    October 1, 2024, Scott Taylor

  • 2023 Quarterly Spotlight- Q2 & Q3

    September 2023

  • Digital Incident and litigation Response Playbook

    We will discuss the significant range and unique nature of digital incidents that can impact companies and how such incidents are urgent drivers for digital governance to enable timely response plans. This will include a discussion of digital litigation response, deepfake and datafake responses, societal disruption planning, and artificial intelligence litigation. Courtesy of the IAPP (59:37, Sep 14, 2024).

  • Essential Elements of Accountability Fair Processing Stewardship Elements- Table

    December 2020

  • Model Ethical Data Impact Assessment

    January 2019

  • Origins of Accountability: Advanced Data Analytic Processing- Update to 2013 Big Data Project

    November 2019

  • Johnson & Johnson


  • Sun Life


  • Jeff Ratner

    Director, Global Cybersecurity and Privacy Law at Apple

  • Socially Beneficial Project for Canada Ministry of Innovation

    January 2019

  • CJEU Case in SCHUFA Has Implications Beyond Credit Scoring

    The European Court of Justice opinion that credit scoring constitutes automated decision-making under GDPR Article 22(1) has broader implications beyond credit-scoring. The ruling by the court “to fill a legal gap” implies that the risk scores produced by businesses like fraud detection and identity verification are automated decisions. It suggests controllers will need to obtain consent before calculating creditworthiness or other types of algorithm-based scoring that are used in a wide variety of business processes.

    The court’s opinion is inconsistent with modern data analytics and well-established credit scoring practices and may be at odds with the evolving role analytic driven decision-making plays in many aspects of life. These analytic processes reflect the concepts “thinking and acting with data.” Thinking with data is the robust use of data to create new insights; use of those insights to affect individuals is acting with data. Although the score related to a particular individual, until that score was used by a lender – acting with data – that score itself had no impact on an individual. GDPR Article 22 only concerns acting with data. The CJEU overlooks the distinction between thinking and acting with data in order to reach a broad interpretation of the term “decision” in GDPR Article 22(1).

    Big data were barely understood, and complex analytics were in their infancy, when the GDPR was adopted in 2016. The GDPR is intended to be technology neutral in many respects, but it has some gaps when it comes to regulating advanced analytics.

    Based on information contained in the order for reference, the court in SCHUFA determines that, in order to fill a legal gap – the data subject cannot obtain access to meaningful information about the logic involved in the score established by credit information agencies from the financial institution the data subject applied for a loan from and the credit information agency is not obliged to provide that information – that score is an automated decision for the purposes of GDPR Article 22(1). In our view, no such gap exists in the GDPR, but even if it did exist, the court should not have presumed what the relationship between the credit information agency and the financial institution is. In doing so, the CJEU reaches an incorrect decision.

    The GDPR does address how to obtain access to the information at issue here. Usually, controllers and processors enter into agreements which require the processor to assist the controller in responding to such access requests. So, data subjects can obtain access to meaningful information about the logic involved in automated decision-making from the controller, the bank.

    The issue in the case is what is the relevant decision? The act by which a bank agrees or refuses to grant credit to the applicant? The act by which SCHUFA derives the score from a profiling procedure? The court recognizes that the answer to this question depends on the facts in each case. The problem with the opinion is that the court goes on to make a series of incorrect presumptions about how credit scores are applied to conclude that the credit score is the decision.

    Ultimately, because of the fact driven nature of the inquiry, the court’s decision may not matter in the financial services industry. However, the broad holding that the court reasoned it should reach because of the absence of a legal definition of the term “decision” in the GDPR means that there are many broader implications for other industries and sectors.

    For example, scoring is used in retail transactions to identify fraudulent transactions. Machine learning scores transactions in real time by analyzing factors such as device information, IP address, and location in order to identify potential fraud in ecommerce transactions. If a customer usually pays with a credit card but suddenly switches to a different payment method, it may indicate that their account has been compromised and a real-time notification is sent.

    Another example is in healthcare. We all are familiar with the scores we receive when we get our blood test results. Are those decisions? The number determines whether a result is diabetes or not. If the doctor solely relies on the score, is the blood test result an automated decision?

    In the SCHUFA case, if the court’s determination that there is a gap in the GDPR because the data subject cannot obtain access to meaningful information about the logic involved in automated decision-making from the bank because the credit bureau, not the bank, has it, then the court just should have interpreted the law rather than made new law. This judicial activism is unwarranted particularly when the EU AI Act which governs credit scoring will be coming into effect soon. While banks and credit information agencies may be able to get around the holding in SCHUFA because the facts are different, the court’s ruling has implications for other businesses providing AI or other analytical scoring.

    The IAF policy analysis is here.

    December 20, 2023, Lynn A. Goldstein
