Ongoing IAF Projects Al and Digital Governance A hybrid workshop series for regulators, industry leaders, and others to engage in knowledge building and practical discussions of core issues such as Al and Bias, Data for Developing and Refining Al, Al and Legitimate Interest, Al Governance within Institutions, and more. This project builds on past successes of IAF partnering with members who have particular expertise and depth in critical subject matter areas, such as with IPG on the Digital University. These workshops will lead to short whitepapers on the topics and potentially other deliverables decided on by participants. Legitimate Interest Legitimate Interest - Building on existing lAF work, this project will explore the expanded use of legitimate interest for data processing, working to provide clarity around how legitimate interest works, what laws and existing guidance provide, and how to create standards and best practices. Online sessions with industry leaders, regulators, and experts that explore this topic will lead to one or more reports. We have completed initial research to compile the guidance documents published by regulators and third parties. Best Practices for Accountability Tools Best Practices for Accountability Tools - Through a series of online and in-person meetings, this project aims to build on lAF's pioneering work on accountability in data protection by exploring new and emerging tools for accountability, focusing initially on Al/Digital Governance Review Boards. Our goals include providing shared vocabulary for such tools; developing best practices for responsible data governance; and creating standard setting processes for specific tools (i.e., data review boards). We are actively exploring a partnership with |APP. Data for Marketing The use of personal data for marketing plays a critical role in national economies and global trade, yet this data has also been a frequent target for data protection regulators, hampering its use. This project partners with economists and business and trade organizations, as well as data protection officials, to host a workshop/summit, followed by a white paper, on costs and benefits of personal data for marketing and responsible best practices for minimizing risks. Our initial geographic focus is the EU.

Assessments to an AI World: Legitimate Interest Assessment November 2024 PDF 2024: Quarterly Spotlight - Q2-3 September 2024 PDF Assessments in an AI World Requirements for US State Privacy Laws August 2024 PDF IAF Comments on NIST Privacy Framework v1.1 Concept Paper July 2024 PDF IAF Comments to UK ICO AI Consultation, Part 2 April 2024 PDF 2024: Quarterly Spotlight- Q1 April 2024 PDF IAF Comments to UK ICO AI Consultation February 2024 PDF IAF Submission to the GDPR Review 2024 February 2024 PDF 2024: A Renaissance for the Privacy Profession January 2024 PDF 2023 Quarterly Spotlight- Q4 January 2024 PDF CJEU Case in SCHUFA Credit Scoring- Policy Analysis December 2023 PDF Comments to Canada Parliament House of Commons on Bill C-27 November 2023 PDF 2023 Quarterly Spotlight- Q2 & Q3 September 2023 PDF Colorado Data Protection Assessments July 2023 PDF U.S. State Assessment Provisions v. 1.0 June 2023 PDF 2023 Quarterly Spotlight- Q1 April 2023 PDF Cleanup In Aisle ADPPA March 2023 PDF IAF Comments on California Privacy Protection Agency Rulemaking- Risk Assessments, Automated Decisionmaking March 2023 PDF Making Data Driven Innovation Work February 2023 PDF 2022 Annual Report January 2023 PDF A Principled Approach to Rights and Interest Balancing December 2022 PDF IAF Comments on FTC ANPR on Commercial Surveillance November 2022 PDF IAF Comments to Brazilian LGPD International Transfer Requirements November 2022 PDF IAF Comments to the Colorado Attorney General on the Colorado Privacy Act Stakeholder Sessions August 2022 PDF IAF Comments to the California Privacy Protection Agency Stakeholder Sessions May 2022 PDF Risk of What? April 2022 PDF Adverse Processing Impact and Defining Risk April 2022 PDF Adverse Processing Impact Definition from IAF Fair and Open Use Act February 2022 PDF 2021 Annual Report January 2022 PDF IAF Comments in Response to the California Privacy Protection Agency CPR November 2021 PDF IAF Comments on UK DCMS Consultation on Revising UK GDPR November 2021 PDF Evolving AI Impact Assessments (AIA) October 2021 PDF HR Transfers to the United States Post EDPB Schrems II Final Guidance August 2021 PDF IAF Comments to the EU Proposed AI Regulation July 2021 PDF IAF Comments to the EU Proposed AI Regulation July 2021 PDF Guiding Risk Principles for IAF Model Legislation May 2021 PDF Guiding Risk Principles for IAF Model Legislation May 2021 PDF The Road to Expansive Impact Assessments for Artificial Intelligence (AIA) May 2021 PDF Model Legislation: Fair and Open Use Act May 2021 PDF IAF Model Legislation: The Fair and Open Use Act- May 2021 May 2021 PDF Addressing Human Resources Data Flows in Light of European Data Protection Board Recommendations on Shrems II March 2021 PDF Referential: Singapore Advisory Guidelines on Key Concepts in the PDPA February 2021 PDF Referential: Singapore PDPA Competency and Proficiency Chart February 2021 PDF Referential: Singapore PDPA Annex C Assessment Checklist for Legitimate Interests Exception February 2021 PDF Essential Elements of Accountability Fair Processing Stewardship Elements- Table December 2020 PDF IAF Comments on ICO Direct Marketing Code of Practice December 2020 PDF IAF Public Comments on Improving Private Sector Privacy for Ontarians in a Digital Age October 2020 PDF IAF Comments on Quebec Bill 64- IAF Public- English September 2020 PDF IAF Comments on Quebec Bill 64- IAF Public- French September 2020 PDF GDPR SME Compliance Training Notes for Spain and Latin America June 2020 PDF Bermuda Privacy Commissioner Accountability Report March 2020 PDF A Path to Trustworthy People Beneficial Data Activities for Canada Ministry of Innovation March 2020 PDF Referential: Singapore Model AI Intelligence Governance Framework Annex February 2020 PDF Referential: Singapore Model AI Governance Framework Second Edition January 2020 PDF Origins of Accountability: IAF Demonstrable Accountability Report January 2020 PDF Advanced Data Analytic Processing- 2019 Update November 2019 PDF Origins of Accountability: Advanced Data Analytic Processing- Update to 2013 Big Data Project November 2019 PDF Socially Beneficial Project for Canada Ministry of Innovation January 2019 PDF Trusted Digital Transformation- Considerations for Canadian Public Policy January 2019 PDF Model Ethical Data Impact Assessment January 2019 PDF Fair Processing Principles to Facilitate Privacy and Data Protection Legislation January 2019 PDF Origins of Accountability: Ethical Data Stewardship Accountability Elements January 2019 PDF Origins of Accountability: The Essential Elements of Accountability January 2019 PDF IAF Releases DRAFT Model S. Privacy Framework Discussion Document December 2018 PDF IAF Comments to U.S. FTC RFC on Federal Privacy Legislation December 2018 PDF IAF Response to S. NTIA Consumer Privacy RFC November 2018 PDF Ethical Accountability Assessment Guide: Enhanced Data Stewardship EDIA October 2018 PDF Ethical Accountability Framework for Hong Kong Report October 2018 PDF Report for the Comprehensive Assessment Oversight Dialog Canadian Ethical Data Review Boards Project March 2018 PDF IAF comments to the Article 29 Data Protection Working Party draft Guidelines on Transparency under EU Regulation 2016/679 January 2018 PDF IAF comments to the Article 29 Data Protection Working Party draft Guidelines on Consent under Regulation 2016/679 January 2018 PDF IAF Comments to the Article 29 Working Party’s Draft Guidelines on Individual Decision-Making and Profiling under Regulation 2016/679 November 2017 PDF Legitimate Interests and Integrated Risk and Benefits Assessment September 2017 PDF Artificial Intelligence, Ethics and Enhanced Data Stewardship September 2017 PDF EU Legitimate Interests, Integrated DPIA and Risk and Benefits Assessment September 2017 PDF Report for the Big Data Assessment for Canadian Private Sector Organizations Project February 2017 PDF Canadian Assessment Framework February 2017 PDF Comprehensive Data Impact Assessment (CDIA) Framework November 2016 PDF Improving Operational Efficiency and Regulatory Certainty in a Digital Age(Detailed Overview) November 2016 PDF Improving Operational Efficiency and Regulatory Certainty in a Digital Age(Executive Overview) July 2016 PDF Big Data Ethics Initiative: Contextual Assessment Worksheet for Marketing (Part D) October 2015 PDF Big Data Ethics Initiative: Enforcing Big Data Assessment Processes (Part C) October 2015 PDF Big Data Ethics Initiative: Glossary of Terms for Contextual Assessment for Marketing (Part D) October 2015 PDF Big Data Ethics Initiative: Assessment Framework (Part B) July 2015 PDF The Brazilian Marco Civil and Beyond: Privacy Governance for the Future (English Version) September 2014 PDF The Brazilian Marco Civil and Beyond: Privacy Governance for the Future (Portuguese Version) September 2014 PDF IAF Comments on Big Data Filed with S. NTIA August 2014 PDF IAF Comments on Notions of Legitimate Interests Filed with the Article 29 Working Party June 2014 PDF Origins of Accountability: The Global Information Accountability Project at Five Years May 2014 PDF Organizational Accountability, Government Use of Private Sector Data, National Security, and Individual Privacy May 2014 PDF The Origins and Taxonomy of Personal Data and its Implications for Governance March 2014 PDF Origins of Accountability: Self-Assessment of a Comprehensive Privacy Programme: A Tool for Practitioners February 2013 PDF Origins of Accountability: Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance February 2013 PDF Getting Accountability Right with a Privacy Management Program, Canada December 2012 PDF Origins of Accountability: Accountability Phase III – Madrid Project November 2011 PDF Origins of Accountability: Accountability Compendium March 2011 PDF Origins of Accountability: Accountability Phase II – Paris Project October 2010 PDF Origins of Accountability: Accountability Phase I – Galway Project October 2009 PDF Assessments to an AI World: Legitimate Interest Assessment November 2024 PDF 2024: Quarterly Spotlight - Q2-3 September 2024 PDF Assessments in an AI World Requirements for US State Privacy Laws August 2024 PDF IAF Comments on NIST Privacy Framework v1.1 Concept Paper July 2024 PDF IAF Comments to UK ICO AI Consultation, Part 2 April 2024 PDF 2024: Quarterly Spotlight- Q1 April 2024 PDF IAF Comments to UK ICO AI Consultation February 2024 PDF IAF Submission to the GDPR Review 2024 February 2024 PDF 2024: A Renaissance for the Privacy Profession January 2024 PDF 2023 Quarterly Spotlight- Q4 January 2024 PDF CJEU Case in SCHUFA Credit Scoring- Policy Analysis December 2023 PDF Comments to Canada Parliament House of Commons on Bill C-27 November 2023 PDF 2023 Quarterly Spotlight- Q2 & Q3 September 2023 PDF Colorado Data Protection Assessments July 2023 PDF U.S. State Assessment Provisions v. 1.0 June 2023 PDF 2023 Quarterly Spotlight- Q1 April 2023 PDF Cleanup In Aisle ADPPA March 2023 PDF IAF Comments on California Privacy Protection Agency Rulemaking- Risk Assessments, Automated Decisionmaking March 2023 PDF Making Data Driven Innovation Work February 2023 PDF 2022 Annual Report January 2023 PDF A Principled Approach to Rights and Interest Balancing December 2022 PDF IAF Comments on FTC ANPR on Commercial Surveillance November 2022 PDF IAF Comments to Brazilian LGPD International Transfer Requirements November 2022 PDF IAF Comments to the Colorado Attorney General on the Colorado Privacy Act Stakeholder Sessions August 2022 PDF IAF Comments to the California Privacy Protection Agency Stakeholder Sessions May 2022 PDF Risk of What? April 2022 PDF Adverse Processing Impact and Defining Risk April 2022 PDF Adverse Processing Impact Definition from IAF Fair and Open Use Act February 2022 PDF 2021 Annual Report January 2022 PDF IAF Comments in Response to the California Privacy Protection Agency CPR November 2021 PDF IAF Comments on UK DCMS Consultation on Revising UK GDPR November 2021 PDF Evolving AI Impact Assessments (AIA) October 2021 PDF HR Transfers to the United States Post EDPB Schrems II Final Guidance August 2021 PDF IAF Comments to the EU Proposed AI Regulation July 2021 PDF IAF Comments to the EU Proposed AI Regulation July 2021 PDF Guiding Risk Principles for IAF Model Legislation May 2021 PDF Guiding Risk Principles for IAF Model Legislation May 2021 PDF The Road to Expansive Impact Assessments for Artificial Intelligence (AIA) May 2021 PDF Model Legislation: Fair and Open Use Act May 2021 PDF IAF Model Legislation: The Fair and Open Use Act- May 2021 May 2021 PDF Addressing Human Resources Data Flows in Light of European Data Protection Board Recommendations on Shrems II March 2021 PDF Referential: Singapore Advisory Guidelines on Key Concepts in the PDPA February 2021 PDF Referential: Singapore PDPA Competency and Proficiency Chart February 2021 PDF Referential: Singapore PDPA Annex C Assessment Checklist for Legitimate Interests Exception February 2021 PDF Essential Elements of Accountability Fair Processing Stewardship Elements- Table December 2020 PDF IAF Comments on ICO Direct Marketing Code of Practice December 2020 PDF IAF Public Comments on Improving Private Sector Privacy for Ontarians in a Digital Age October 2020 PDF IAF Comments on Quebec Bill 64- IAF Public- English September 2020 PDF IAF Comments on Quebec Bill 64- IAF Public- French September 2020 PDF GDPR SME Compliance Training Notes for Spain and Latin America June 2020 PDF Bermuda Privacy Commissioner Accountability Report March 2020 PDF A Path to Trustworthy People Beneficial Data Activities for Canada Ministry of Innovation March 2020 PDF Referential: Singapore Model AI Intelligence Governance Framework Annex February 2020 PDF Referential: Singapore Model AI Governance Framework Second Edition January 2020 PDF Origins of Accountability: IAF Demonstrable Accountability Report January 2020 PDF Advanced Data Analytic Processing- 2019 Update November 2019 PDF Origins of Accountability: Advanced Data Analytic Processing- Update to 2013 Big Data Project November 2019 PDF Socially Beneficial Project for Canada Ministry of Innovation January 2019 PDF Trusted Digital Transformation- Considerations for Canadian Public Policy January 2019 PDF Model Ethical Data Impact Assessment January 2019 PDF Fair Processing Principles to Facilitate Privacy and Data Protection Legislation January 2019 PDF Origins of Accountability: Ethical Data Stewardship Accountability Elements January 2019 PDF Origins of Accountability: The Essential Elements of Accountability January 2019 PDF IAF Releases DRAFT Model S. Privacy Framework Discussion Document December 2018 PDF IAF Comments to U.S. FTC RFC on Federal Privacy Legislation December 2018 PDF IAF Response to S. NTIA Consumer Privacy RFC November 2018 PDF Ethical Accountability Assessment Guide: Enhanced Data Stewardship EDIA October 2018 PDF Ethical Accountability Framework for Hong Kong Report October 2018 PDF Report for the Comprehensive Assessment Oversight Dialog Canadian Ethical Data Review Boards Project March 2018 PDF IAF comments to the Article 29 Data Protection Working Party draft Guidelines on Transparency under EU Regulation 2016/679 January 2018 PDF IAF comments to the Article 29 Data Protection Working Party draft Guidelines on Consent under Regulation 2016/679 January 2018 PDF IAF Comments to the Article 29 Working Party’s Draft Guidelines on Individual Decision-Making and Profiling under Regulation 2016/679 November 2017 PDF Legitimate Interests and Integrated Risk and Benefits Assessment September 2017 PDF Artificial Intelligence, Ethics and Enhanced Data Stewardship September 2017 PDF EU Legitimate Interests, Integrated DPIA and Risk and Benefits Assessment September 2017 PDF Report for the Big Data Assessment for Canadian Private Sector Organizations Project February 2017 PDF Canadian Assessment Framework February 2017 PDF Comprehensive Data Impact Assessment (CDIA) Framework November 2016 PDF Improving Operational Efficiency and Regulatory Certainty in a Digital Age(Detailed Overview) November 2016 PDF Improving Operational Efficiency and Regulatory Certainty in a Digital Age(Executive Overview) July 2016 PDF Big Data Ethics Initiative: Contextual Assessment Worksheet for Marketing (Part D) October 2015 PDF Big Data Ethics Initiative: Enforcing Big Data Assessment Processes (Part C) October 2015 PDF Big Data Ethics Initiative: Glossary of Terms for Contextual Assessment for Marketing (Part D) October 2015 PDF Big Data Ethics Initiative: Assessment Framework (Part B) July 2015 PDF The Brazilian Marco Civil and Beyond: Privacy Governance for the Future (English Version) September 2014 PDF The Brazilian Marco Civil and Beyond: Privacy Governance for the Future (Portuguese Version) September 2014 PDF IAF Comments on Big Data Filed with S. NTIA August 2014 PDF IAF Comments on Notions of Legitimate Interests Filed with the Article 29 Working Party June 2014 PDF Origins of Accountability: The Global Information Accountability Project at Five Years May 2014 PDF Organizational Accountability, Government Use of Private Sector Data, National Security, and Individual Privacy May 2014 PDF The Origins and Taxonomy of Personal Data and its Implications for Governance March 2014 PDF Origins of Accountability: Self-Assessment of a Comprehensive Privacy Programme: A Tool for Practitioners February 2013 PDF Origins of Accountability: Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance February 2013 PDF Getting Accountability Right with a Privacy Management Program, Canada December 2012 PDF Origins of Accountability: Accountability Phase III – Madrid Project November 2011 PDF Origins of Accountability: Accountability Compendium March 2011 PDF Origins of Accountability: Accountability Phase II – Paris Project October 2010 PDF Origins of Accountability: Accountability Phase I – Galway Project October 2009 PDF Publications Reports, Research, and Regulatory Feedback Publications Reports, Research, and Regulatory Feedback Articles and News Publications Media

IAF Media Digital Incident and litigation Response Playbook Sep 14, 2024 59:37 Other media TedX Talk: Fred Cate, Privacy and Consent November 11, 2019 13:23 Videos and Media Information Accountability Foundation Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People Menu Close Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People Search Menu Close Resource Library Articles and News Publications Media Initiatives Projects Events About Join Us Our People Digital Incident and litigation Response Playbook Sep 14, 2024 59:37 Articles and News Publications Media Articles and News Publications Media

IAF Leadership Announcement October 1, 2024 Scott Taylor Open article IAF Sees NIST Making Notable Advances in Their NIST Privacy Framework v.1.1 Concept Paper August 8, 2024 Barb Lawler Open article Multistakeholder Sessions Set the Tone for the New Wave of Demonstrable Assessments (Part 1) July 29, 2024 Lynn A. Goldstein Open article Global CBPR and the Long Dance towards Interoperability June 5, 2024 Steve Wood Open article A Renaissance for the Privacy Profession April 15, 2024 Elizabeth Denham Open article A recent EDPB decision on criteria for a GDPR Main Establishment in the EU puts the use and benefits of BCRs potentially at risk. March 21, 2024 Lynn A. Goldstein Open article IAF submission to the European Commission’s GDPR review report – more to be done to unlock responsible and accountable innovation February 26, 2024 Elizabeth Denham Open article Steve Wood, former ICO Deputy Commissioner and Chief Policy Advisor, joins the IAF as Senior Strategist January 1, 2024 Elizabeth Denham Open article CJEU Case in SCHUFA Has Implications Beyond Credit Scoring December 20, 2023 Lynn A. Goldstein Open article IAF responds to the Executive Order on Safe, Secure and Trustworthy AI November 1, 2023 The IAF Team Open article New State Privacy Laws Square the Assessment and Controls Circle September 10, 2023 Peter Cullen Open article Elizabeth Denham, Former ICO Commissioner, Joins Information Accountability Foundation as Chief Policy Strategist July 10, 2023 The IAF Team Open article Load More IAF Leadership Announcement Scott Taylor Oct 1, 2024 Read More IAF Sees NIST Making Notable Advances in Their NIST Privacy Framework v.1.1 Concept Paper Barb Lawler Aug 8, 2024 Read More Multistakeholder Sessions Set the Tone for the New Wave of Demonstrable Assessments (Part 1) Lynn A. Goldstein Jul 29, 2024 Read More Global CBPR and the Long Dance towards Interoperability Steve Wood Jun 5, 2024 Read More A Renaissance for the Privacy Profession Elizabeth Denham Apr 15, 2024 Read More A recent EDPB decision on criteria for a GDPR Main Establishment in the EU puts the use and benefits of BCRs potentially at risk. Lynn A. Goldstein Mar 21, 2024 Read More IAF submission to the European Commission’s GDPR review report – more to be done to unlock responsible and accountable innovation Elizabeth Denham Feb 26, 2024 Read More Steve Wood, former ICO Deputy Commissioner and Chief Policy Advisor, joins the IAF as Senior Strategist Elizabeth Denham Jan 1, 2024 Read More CJEU Case in SCHUFA Has Implications Beyond Credit Scoring Lynn A. Goldstein Dec 20, 2023 Read More IAF responds to the Executive Order on Safe, Secure and Trustworthy AI The IAF Team Nov 1, 2023 Read More New State Privacy Laws Square the Assessment and Controls Circle Peter Cullen Sep 10, 2023 Read More Elizabeth Denham, Former ICO Commissioner, Joins Information Accountability Foundation as Chief Policy Strategist The IAF Team Jul 10, 2023 Read More Articles and News Articles and News Articles and News Publications Media

Our People Leadership Fred Cate Executive Director Go Leadership Fred H. Cate is a Distinguished Professor, C. Ben Dutton Professor of Law, and Adjunct Professor of Informatics and Computing at Indiana University... Add Fred Cate Executive Director Read More > Member Organizations The IAF thanks the financial and resource support of our members: Board Members Board Members Stan Crosley Chief Policy Strategist Add Scott Taylor Board Chair Add Sheila Colclasure Add Chris Foreman Add Jennifer Glasgow Add Stephanie Higgins Add Jeff Ratner Add JoAnn C. Stonier Add Stan Crosley Chief Policy Strategist Go Scott Taylor Board Chair Go Sheila Colclasure Go Chris Foreman Go Jennifer Glasgow Go Stephanie Higgins Go Jeff Ratner Go JoAnn C. Stonier Go

Join the IAF The Information Accountability Foundation is the preeminent global information policy think tank, and a nonprofit organization with a research mission to frame and advance accountability-based information policy and data stewardship, so data-driven innovation serves people. The IAF is primarily funded by corporate contributions by companies that fully believe that data should only be processed by organizations that act in a responsible and answerable manner. Companies interested in supporting or participating please contact us using the form below. The IAF is also funded by data protection agencies and government agencies that join us in exploring a particular research topic - leading to modernized information policy approaches. If you represent a government agency and are interested in discussing a project, please reach out using the form below. All of our projects include multi-stakeholder input, so please join our community. If your organization, including academic or advocacy organizations, have an interest in our projects or learning more, the best way to know us is to be notified when we publish a blog or project report. If your company is interested in becoming a member of the IAF, please fill out the form below: Inquire about joining the IAF First name* Last name* Company name* Position* Email* Message* Submit

By: Elizabeth Denham (Chief Strategist) & Steve Wood (Senior Strategist) Article 97 of the GDPR requires the European Commission to undertake a review of the legislation every four years. The last report was in 2020, so the process was kicked off with an open consultation , running from January 11 to February 8, 2024. The IAF recently submitted evidence to the review focused on our mission related to accountability, responsible innovation, risk-based governance, and the importance of knowledge creation to the economy and society. In this blog we discuss the key points from the IAF submission . (These comments were prepared by IAF staff and do not necessarily reflect the views of the IAF Board of Directors, funders, or members of the IAF extended community). The IAF also submitted to evidence to the UK Government’s consultation about GDPR back in 2021. The GDPR has now been in full force for six years, the IAF recognizes the benefits that it has provided for data subjects in terms of greater awareness and engagement with their rights, and the improvements that many organizations have made to data governance. While there is still distance to be travelled in raising the strategic positioning of data governance, there is now better awareness at board level of the importance of governing risks related to personal data. In some organisations GDPR has played a role in driving investment into privacy management programmes and organizational-wide data governance strategies. These strategies enable long term benefits in developing a culture of data stewardship and accountability, and greater trust in data use. The key challenge is to effectively realize the potential of the GDPR as a risk-based system of regulation. This will require an effective balance between data protection and the other fundamental rights in the EU Charter. How the GDPR can enable responsible innovation in knowledge discovery and creation The IAF’s submission sets out the challenge the GDPR poses for knowledge creation and discovery. A longstanding policy approach from the IAF has been to highlight the importance of understanding the difference between ‘thinking with data’ and ‘acting with data.’ The knowledge creation and discovery process lie at the heart of the former and the context of risk for data subjects is fundamentally different at that stage, compared to the application. A risk-based approach to GDPR application should enable organisations to distinguish between the two concepts and apply safeguards at each stage proportionate to the risk. The IAF undertook the project Making Data Driven Innovation Work (2023) to understand how organizations discover and create new knowledge. The broad approach to defining personal data under GDPR, combined with a lack of clarity and harmonization over the definition of scientific research, approach to compatibility, lawful bases and exceptions create an overall effect of caution in using personal data in knowledge creation and discovery. Although the GDPR adopts a “broad” definition of scientific research in recital 159, encompassing the activities of public and private entities, this intent has not been applied in practice in member state laws and Data Protection Authority (DPA) guidelines. The focus has generally been on public sector research in tightly drawn scenarios. The IAF therefore believes that more could be done to clarify the position of scientific research on the face of GDPR, including more explicit recognition of the activity in the commercial sector. Additional statutory language should be included alongside further references that translate knowledge creation and discovery into practical business activities, drawing on provisions already in use in other jurisdictions, such as US State laws (e.g Colorado Privacy Act ) and Canada ( Consumer Privacy Protection Act ). We also note that the EU AI Act does not apply to scientific research and product orientated research, possibly creating inconsistency in the approach to scientific research between the Act and the GDPR. see recital 12c and in Articles 5a and 5b (current text). We have made some specific recommendations: scientific research and business activities that make up knowledge creation and discovery should be recognized as specific lawful bases in Article 6, subject to necessity and proportionally considerations. A new condition for using special categories of data should also be created in Article 9. Our submission also highlights the inconsistencies in approach to the question of anonymized data. The situation is challenging when DPAs often promote an approach to anonymization that insists on elimination of all risks of identification, rather than applying the test of ‘reasonably likely’. Further clarity would also create greater incentives for the use of privacy enhancing technologies (PETs). The IAF also proposes that the GDPR be amended so that the business activities that are part of knowledge creation and discovery join scientific research as a compatible purpose under Article 5. This is relevant given that such activities can often use pseudonymised and anonymized data. Legitimate interests, accountability and responsible innovation The IAF submission also notes the importance of legitimate interests as a lawful basis in Article 6 GDPR and the need for further guidance to ensure that organizations have confidence about how and when to apply the provision. Again, the context of knowledge discovery and creation has uncertainty. We also highlight the value of legitimate interest and how it can be linked to wider accountability programs to ensure effective it operates as an effective lawful basis. A multi-dimensional approach to proportionality can also ensure that data protection rights are assessed in balance with other rights in the EU Charter, ensuring there is a fairer reflection of the role of data across the economy and society. We have therefore proposed that the DPAs and the European Data Protection Board invest more resources into guidance and tools to support effective use of legitimate interests. They should do this in the context of wider guidance on accountability and data protection assessments. It is also important that EDPB guidance is issued on the question of how legitimate interests intersect with commercial interests once the Court of Justice has ruled in the case of Koninklijke Nederlandse Lawn Tennisbond . The intersection between Artificial Intelligence (AI) and GDPR The IAF previously submitted comments on the Commission’s proposed AI Act. We noted the value in the two-step approach used by the legislation, between AI developers and AI users. Such an approach fits with the two-step risk-based approach for GDPR advocated by the IAF: data (knowledge creation) and acting with data (knowledge application). Our GDPR submission highlighted the following key issues related to GDPR and AI: The need for greater clarity about the use of personal data in AI training, to guard against bias and ensure diversity, noting the recognition that is granted in the AI Act. The need for clarification on application of legitimate intertest to AI data training. The importance of enabling organisations to effectively conduct joined up risk assessments related to AI, including new guidance on adverse processing impact, how legitimate interests assessments, DPIA and fundamental rights impact assessments should work together. In light of the Schufa CJEU judgment the IAF proposes that Article 22 should be revised to describe more clearly profiling and automated decision making, and the difference between the two in impact. The European Commission should take steps to enable joined up regulation between the data protection authorities, the AI office and other EU regulators. We encourage the EU to look at the approaches to joined up digital regulation in the UK, Australia and Canada. International Data Transfers Since the Schrems II CJEU judgment in 2020 international data transfers has become an area of significant uncertainty for organizations. For many, the costs of compliance, particularly undertaking transfer impact assessments, have often become disproportionate to the risks posed. This has also had the effect of diverting resources away from data governance programs in other areas of risk, such as AI. The IAF therefore highlights the importance applying the risk-based approach of the GDPR to international data transfers, and this is in keeping with the intention of the legislation. As part of the risk-based approach, we also highlight the importance of accountability to international data transfers and how this should become part of the toolbox. The submission stresses the importance of accountability to questions of government access and how the EU should build on the foundation established by the OECD Declaration on Government Access to Data. The approach of Data Protection Authorities to GDPR implementation Finally, the IAF flags the key role that DPAs play in GDPR implementation and addressing a number of the issues raised in the response. We advocate for DPAs to undertake a greater step toward collaboration and consultation with stakeholders. Key challenges related to consistency are also highlighted, guidance on legitimate interests. The IAF calls for DPAs’ to place a greater emphasis on risk, harm and outcomes in developing their regulatory strategies. The development of publicly facing strategies, drawing on consultation, is also important step that some DPAs need to take. These strategic steps become ever more important in the context of AI regulation. We have therefore proposed that Article 59 of the GDPR is amended to require DPAs to produce strategies that cover a three-year period, alongside a more detailed annual workplan to deliver the strategies. The strategies should also contain key performance indicators that are then covered in their annual reports. Next steps We now await the report of the European Commission later in 2024. It is unclear whether the GDPR text will be reopened. Some of the IAF recommendations would require amendment of the GDPR but many could also be addressed in new or updated guidance from DPAs or the European Data Protection Board. The IAF looks forward to engaging with stakeholders about these issues over the coming years. IAF submission to the European Commission’s GDPR review report – more to be done to unlock responsible and accountable innovation February 26, 2024 Elizabeth Denham Articles and News Publications Media

Meta Meta

IAF Comments to UK ICO AI Consultation, Part 2 April 2024 Home / Publications / Download PDF

This month the IAF held a multistakeholder session featuring our research on Demonstrable Assessments for U.S. State Privacy Laws, attended by regulators, academics and business. The objective of the session was to collectively advance the content and process expectations for organizations submitting a Risk or Data Protection Assessment (RDPA) to a U.S. State Regulator. As we see the passage of 20 (and counting) U.S. state privacy laws and one state AI Act, almost all of these states require conducting a RDPA where there is a heightened risk of harm to more than just the individual. These assessments are broader in scope than other impact assessments, such as those expected by the GDPR. Businesses are required to assess more stakeholders, more interests, more benefits, and more risks. Plus, the RDPA is required to be produced on demand in Colorado and provided at least annually in California, and must be signed by senior executives. The RDPA is based upon the U.S. state privacy laws and rules promulgated and draft regulations proposed thereunder. It also includes information from IAF’s AI Assessment , which was developed in consultation with AI experts and practitioners (Responsible AI) privacy and data protection professionals and based on IAF’s 10+ years of experience in developing big data and complex analytics assessments such as to be used with AI, the IAF’s model legislation, the FAIR and OPEN USE ACT , which is based upon input from IAF strategists and membership. and the IAF’s research paper on multidimensional proportionality, A Principled Approach to Rights and Interests Balancing . Elements from the Omidyar Ethical Framework for Technology and Business Data Ethics were also used. Participants commented on the importance of reviewing and discussing this project in a multistakeholder environment. We were encouraged to think about how non-privacy teams think about assessments, such as AI, security, product readiness/IT, and businesses operations. IAF’s multi-dimensional weighing is unique. It factors in as many stakeholders, benefits, and risks as are relevant to the processing being assessed. It is capable of weighing each of the stakeholders vis-à-vis each of the other factors. It can demonstrate the results mathematically or pictorially or both. It can be used to supplement the required narrative response. The RDPA required by the Regulations is used only when High Risk Processing is conducted. Because of the IAF’s additions to the RDPA, the IAF version of the RDPA can assess Artificial Intelligence (AI) where AI goes beyond ADMT. It increasingly seems likely these High-Risk Processing scenarios also will involve AI, thus supporting their inclusion in a RDPA. The AI or Algorithmic aspects of these laws make the resulting assessment and assessment process more complex – requiring larger cross-organization collaboration and alignment. The weighing of the risks and benefits to the numerous stakeholders will be worthwhile only if it done competently and with integrity. The IAF version of the RDPA enables business to weigh the risks and benefits of AI competently and with integrity. Organizations may find it challenging to identify, describe and assess impacts to all the relevant stakeholders, an effort that is no longer optional. Notably, the Demonstrable Assessments for U.S. State Privacy Laws Project dovetails with the IAF’s Project on Legitimate Interest for an AI World. Convening multistakeholder sessions like this will be crucial for business and regulators as the shift from Accountability to Demonstrable Accountability goes global. Multistakeholder Sessions Set the Tone for the New Wave of Demonstrable Assessments (Part 1) July 29, 2024 Lynn A. Goldstein Articles and News Publications Media

Privacy Notice IAF Privacy Statement Updated April 2024 IAF Privacy Commitment The Information Accountability Foundation (IAF) Privacy Policy reflects our commitment to data stewardship and accountability. We describe here our data handling practices for the IAF and the informationaccountability.org website. Information Collection and Use If you use the “Contact Us”, “Join Us” functions, or write us an email, we ask you to provide your first and last name, email address, and optionally, a phone number, to contact you. This means we have a legitimate interest to contact you based on your inquiry, and to administer any membership you have with us as a global policy think tank. We use this information: To contact you about our projects, initiatives, events, membership or related topics. To send meeting invitations and periodic updates about IAF projects, initiatives and blogs. You may opt-out of our emails at any time. Along with applicable organizational information, to manage membership invoicing, payments and to maintain regulatory tax and compliance reporting and records as required for non-profit organizations. Data Transfer and Sharing We do not share or sell personal user information with any third party for their own purposes. Occasionally we host joint events with other policy, academic or business organizations, where each organization maintains separate contact information. We transfer your personal data to the United States whenever you interact or communicate with the IAF. Should the IAF activity status change or discontinue, we will inform you of your options and choices about your contact information and/or membership. Retention We keep your data for as long as you want to hear from us and stay connected to IAF projects, events or initiatives. We will maintain certain business information and records as required non-profit organizational compliance. Website Usage The IAF website provides social links to the IAF Twitter and IAF LinkedIn pages. Those social media platforms collect metrics about the source website, e.g. informationaccountability.org. We use Microsoft Teams or Zoom Business for video policy calls, chats and other online events. The IAF website is designed so that the use of cookies and analytics is limited to understanding website visit and usage trends. The IAF uses Google Analytics (GA4) to track how often people access, read or download our content. We use this information in the aggregate to understand what content our members and website visitors so we can produce the most valuable content to meet your needs. You can use the Google Analytics opt-out browser extensions, which you can download here . Updates Our privacy policy may change from time to time and all updates will be posted on this page. If you wish to know what information we have about you, or have further questions, please contact us . Technical Data categories Anonymous website usage intelligence Cookie and pixel data Purpose Improve products and services Business intelligence GDPR Lawful Basis IAF legitimate interest (Article 6(1)(f)) Consent (Article 6(1)(a)) CPRA Category IAF Service Delivery Improvement and Analysis Consent (Article 6(1)(a)) Cookie & pixel details scc_session tccl_visit tccl_visitor pk_id.200323.e7bd ses.200323.e7bd Description session single visit repeat visitor repeat visitor single session Duration temporary, session temporary, session one year nine months temporary, session

Making Data Driven Innovation Work February 2023 Home / Publications / Download PDF

We're committed to promoting research and education to enable data to serve people and society. Research Initiatives Education Initiatives Defining Demonstrable Accountability In 2025 and beyond View the Project Outline As the new wave of artificial intelligence integrates the digital, physical, and biological spheres together, this will make tremendous impact in data-driven research, including health and medical device research. Public policy, proposed laws and regulatory approaches articulate more explicit and demonstrable accountability processes for artificial intelligence (AI). There is no common standard as to what these new demonstrable processes should consist of. This void includes how DPA’s and other assessment requirements should be structured. This lack of common expectations regarding standards of practice creates uncertainty for businesses wishing to grow their use of data. For research to benefit patient and societal interests, trust-enhancing frameworks should be developed for a purely digital research environment. Global Flows of Data and Extending Demonstrable Accountability The leading global data protection issue for the past three decades has been personal data transfer governance. The most basic business processes require data to flow, and regulators, legislators and courts have struggled to figure out how data might be protected over distance and time. The issues encompass the potential for private sector misuse of personal data, plus concerns about national security agencies demanding personal data held by the private sector. The EU-U.S. Data Protection Framework and possible interoperability with the Global Cross-Border Privacy Rules project prompts the need to overlay the fundamentals of accountability. Legitimate Interests for an AI World This project's solution set will include a better understanding of the challenges business face, further exploration of regulatory expectations. This will serve as input to the development of a normative framework consisting of process and procedures though a multi-stakeholder engagement model. View Project Outline Legitimate Interests for an AI World This project's solution set will include a better understanding of the challenges business face, further exploration of regulatory expectations. This will serve as input to the development of a normative framework consisting of process and procedures though a multi-stakeholder engagement model. View Project Outline Applied Regulation Applied to New Legislation The IAF has drafted model fair processing legislation to inform legislative processes in the United States and other jurisdictions intent on drafting legislation in response to risks to people from the accelerated use of observational data, advanced analytics, model development, and AI. The last big change in computer and communication technology was captured in the third phase of privacy legislation best exemplified by the GDPR. The fourth legislative phase of privacy legislation needs to meet the challenges of 2025 and beyond. IAF model legislation will help define the way policymakers think about policy choices. The IAF will continually refine the model so that it is fit for its educational purposes. View IAF Model Regulations IAF Digital University The IAF, working with partners, organizes seminars for policymakers and influencers on how legacy and new technologies work and how best practices may be applied to governance. Defining Demonstrable Accountability In 2025 and beyond As the new wave of artificial intelligence integrates the digital, physical, and biological spheres together, this will make tremendous impact in data-driven research, including health and medical device research. Public policy, proposed laws and regulatory approaches articulate more explicit and demonstrable accountability processes for artificial intelligence (AI). There is no common standard as to what these new demonstrable processes should consist of. This void includes how DPA’s and other assessment requirements should be structured. This lack of common expectations regarding standards of practice creates uncertainty for businesses wishing to grow their use of data. For research to benefit patient and societal interests, trust-enhancing frameworks should be developed for a purely digital research environment. View the Project Outline Education Initiatives Workshops and Seminars at Industry and Policy Events The IAF collaborates with a wide range of stakeholders to organize and deliver content to conferences and policy fora for the global community interested in strategic governance so that data may serve people. Upcoming Events The IAF has drafted model fair processing legislation to inform legislative processes in the United States and other jurisdictions intent on drafting legislation in response to risks to people from the accelerated use of observational data, advanced analytics, model development, and AI. The last big change in computer and communication technology was captured in the third phase of privacy legislation best exemplified by the GDPR. The fourth legislative phase of privacy legislation needs to meet the challenges of 2025 and beyond. IAF model legislation will help define the way policymakers think about policy choices. The IAF will continually refine the model so that it is fit for its educational purposes. IAF Digital University The IAF, working with partners, organizes seminars for policymakers and influencers on how legacy and new technologies work and how best practices may be applied to governance. The IAF also conducts specialized seminars for data protection authorities and policy developers, at Maastricht University in Brussels, the Data Protection Commission in Dublin Ireland, and with Canadian and U.S. officials. The IAF also conducts specialized seminars for data protection authorities and policy developers, at Maastricht University in Brussels, the Data Protection Commission in Dublin Ireland, and with Canadian and U.S. officials. Global Privacy Assembly The IAF Chief Policy Officer is a member of the GPA Programme Advisory Committee for the 2023 annual conference in Bermuda. IAF executives have served on the committee on previous conferences in Hong Kong, Morocco, Mauritius, Poland, Mexico, United Kingdom, and Australia. Global Privacy Assembly The IAF Chief Policy Officer is a member of the GPA Programme Advisory Committee for the 2023 annual conference in Bermuda. IAF executives have served on the committee on previous conferences in Hong Kong, Morocco, Mauritius, Poland, Mexico, United Kingdom, and Australia. Join the IAF Contributing to Global Organizations The IAF is a member of the ‘experts’ group at the OECD which advises on new guidance for privacy accountability related to advanced analytics and AI. The IAF is an invited guest at the APEC Data Privacy Subgroup and the Global Cross Border Privacy Rules project.

Origins of Accountability: Accountability Phase II – Paris Project October 2010 Home / Publications / Download PDF

HP Inc. HP Inc.

IAF Comments on Quebec Bill 64- IAF Public- French September 2020 Home / Publications / Download PDF

IAF Comments to the EU Proposed AI Regulation July 2021 Home / Publications / Download PDF

Origins of Accountability: Big Data and Analytics: Seeking Foundations for Effective Privacy Guidance February 2013 Home / Publications / Download PDF

Origins of Accountability: Accountability Phase III – Madrid Project November 2011 Home / Publications / Download PDF

Cognizant Cognizant