GC’s Corner: The Algorithmic Accountability Act of 2019 and the EU – U.S. Privacy Shield
Jerry F. Barbanel, Esq., CPA, CIPP/US/E/A/C, CIPM, FIP
Fellow of Information Privacy (FIP), Data Privacy, Data Protection, Data Governance, National Security, Legal, Investigations, Compliance, Ethics, Risk Mitigation, eDiscovery, Expert
Pressure continues to mount in the U.S. in 2019 to keep data privacy and protection at the forefront. With the passage of the EU GDPR (“Regulation”) on May 25, 2018, and with the California Consumer Privacy Act (“CCPA”) set to go into effect in January 2020, consumers, businesses, governmental entities and other third parties are closely watching the data privacy developments taking shape in the U.S.
This article discusses: (1) the Algorithmic Accountability Act of 2019, which was introduced in the U.S. Senate on April 10, 2019, and (2) the status of the EU – U.S. Privacy Shield (“Privacy Shield”) framework. As recently as this past summer, there were rumblings about the viability of the Privacy Shield and concerns regarding the findings of the Second Annual Review that the EU Commission was set to publish.
The “Algorithmic Accountability Act of 2019” Was Recently Introduced in the U.S. Senate
On Wednesday, April 10, 2019, Senators Booker, Clarke and Wyden sponsored the “Algorithmic Accountability Act of 2019” (the “Accountability Act”), also referred to as S.1108, in the U.S. Senate. The Bill is influenced by the Regulation and the CCPA, and directs the Federal Trade Commission (“FTC”) to require entities that use, store, or share personal information to conduct automated decision system impact assessments and data protection impact assessments.
Those entities that would be mandated to adhere to the Accountability Act are referred to as “covered entities”. The Accountability Act includes in its definition of “covered entities” any person, partnership, or corporation over which the FTC has jurisdiction under section 5(a)(2) of the FTC Act (15 U.S.C. 45(a)(2)), and also those covered entities that had $50,000,000 in average annual revenue for the past 3 years, or that possess or control personal information on more than 1,000,000 consumers or 1,000,000 consumer devices.
One of the key requirements of the Accountability Act is to mandate that covered entities conduct a Data Protection Impact Assessment (“DPIA”) under certain circumstances. A DPIA is defined as “… a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes.”
The Accountability Act’s overall intent is to prevent risk and harm from automated decision systems to the privacy or security of consumers’ personal information. The risks mentioned that could negatively impact consumers include violations of privacy and security, inaccuracies, bias and discrimination, all of which can result from automated decisions.
The Bill requires the implementation of “… an assessment of the relative benefits and costs of the automated decision system in light of its purpose, taking into account relevant factors, including ---
(i) data minimization practices;
(ii) the duration for which personal information and the results of the automated decision system are stored;
(iii) what information about the automated decision system is available to consumers;
(iv) the extent to which consumers have access to the results of the automated decision system and may correct or object to its results; and
(v) the recipients of the results of the automated decision system.”
To avoid the above-referenced risks to consumers, covered entities are required to implement technological and physical safeguards. Special attention is given to what is defined as a “High-Risk Automated Decision System” or a “High-Risk Information System”. These systems are categorized as “high-risk” because they can involve, but are not limited to, the following: “… the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests.”
The Accountability Act states that, after it is enacted, the FTC has up to 2 years to promulgate regulations in accordance with section 553 of title 5, U.S.C. Included in the regulations is a requirement that covered entities conduct a DPIA “… of existing high-risk information systems, as frequently as the Commission determines is necessary.” Publication of the DPIA is optional, and it is at the sole discretion of the covered entity whether or not to make it public.
In addition, the Accountability Act provides for enforcement by the FTC as an unfair or deceptive act or practice under section 18(a)(1)(B) of the FTC Act (15 U.S.C. 57a(a)(1)(B)). However, it also allows State Attorneys General to “… bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.”
The enforcement net for the Accountability Act has been cast very wide, as it also allows for actions to be brought by other State officials. More specifically, it states “… in addition to a civil action brought by an attorney general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.”
There is no federal preemption as a result of the Accountability Act, as it clearly states that nothing in the Act may be construed to preempt any State law. The message being conveyed to potential covered entities is that they are expected to ensure fairness, impartiality and transparency in their automated decision making, which should provide consumers with enhanced data privacy and protection from algorithmic biases and risks.
The EU Commission’s Status Update on the EU – U.S. Privacy Shield
On December 19, 2018, the EU Commission published a report on the second annual review of the EU-U.S. Privacy Shield. Overall, the report was favorable in that it stated that the U.S. had taken certain measures to implement the recommendations that the EU Commission made in its first report, which had been published in 2017. The primary conclusion of the second annual review was that “… the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S.”
However, one outstanding item is the concern over whether the U.S. will nominate a permanent U.S. Privacy Shield Ombudsperson by February 28, 2019. Since the issuance of the EU Commission’s second annual review, the Trump Administration did nominate Mr. Keith Krach (a well-respected technology leader) for the position. The U.S. Senate Committee on Foreign Relations has not yet confirmed Mr. Krach to the position.
The report also noted that the Department of Commerce (“DOC”) and the FTC have been more proactive since the issuance of the EU Commission’s first annual review. The second annual review also highlighted, given the significant import of the Facebook/Cambridge Analytica scandal, that the FTC has an ongoing investigation into the case.
The EDPB’s Status Update on the EU – U.S. Privacy Shield
After the EU Commission published its second annual review of the EU – U.S. Privacy Shield, the report was sent to several entities, including the European Data Protection Board (“EDPB”). The EDPB is comprised of representatives of the various data protection authorities (“DPAs”) from all of the Member States that comprise the EU (as well as from Norway, Liechtenstein and Iceland) and the European Data Protection Supervisor (“EDPS”).
On January 22, 2019, the EDPB adopted a report on the “EU – U.S. Privacy Shield – Second Annual Joint Review.” The EDPB report primarily addressed two areas of concern with regards to Privacy Shield: (1) commercial aspects, and (2) government access by law enforcement and national security to personal data that has been transferred by the EU.
With respect to the commercial aspects, the EDPB report determined that “… many of the WP 29’s findings of the first annual review regarding the commercial aspects have been taken into account by the US authorities.” The EDPB specifically commented favorably on the following: that the DOC has improved the adaptation of the initial certification process, that the FTC and DOC have begun to undertake oversight and enforcement actions, and that the DOC has issued further guidance for EU individuals.
However, the EDPB highlighted continuing commercial aspect concerns with respect to Privacy Shield, including:
- “… a certain lack of oversight in substance”, as related to the DOC and FTC;
- the area of onward transfers;
- the application of requirements regarding HR data;
- a further refinement with the re-certification process; and
- “… the absence or the limitation to the rights of the data subjects (i.e. right to object, right to access, right to be informed for HR processing), the absence of key definitions, the lack of guarantees on transfers for regulatory purpose in the field of medical context, the lack of specific rules on automated decision making and the overly broad exemption for publicly available information. Those remain valid.”
The more serious continuing concerns discussed in the second annual review had to do with U.S. law enforcement and national security, and include, but are not limited to:
- “… the collection and access of personal data for national security purposes under both Section 702 of FISA and Executive Order 12333”;
- a recommendation that the Privacy and Civil Liberties Oversight Board (“PCLOB”) issue additional reports;
- that there were not any new guarantees for EU individuals as part of the reauthorization of Section 702 of FISA;
- that PCLOB should provide guidance and information on the necessity and proportionality of Executive Order 12333;
- the ongoing admissibility standard of U.S. courts with respect to the “standing requirement” for EU citizens; and
- “… finally, regarding the access to data for law enforcement purposes, the EDPB underlines its remaining concerns on the available effective remedies for individuals in cases where the personal data processed by companies are accessed by law enforcement.”
Over the past several years there has been a heightened focus on data privacy and protection. All indications point to the fact that this will only increase for the foreseeable future – and on a global level.
Please let me know if you found this to be informational. I value your feedback.
About the Author:
Jerry Barbanel is the General Counsel, Chief Compliance Officer and Founder of Precision Discovery. He is a seasoned attorney and former prosecutor with the Manhattan DA’s Office with over 30 years of legal, risk mitigation, data privacy and protection, operational, law enforcement, forensic accounting, investigative, eDiscovery and consulting expertise. In addition, Jerry has extensive experience in conducting highly sensitive and complex investigations, both domestically and internationally. He has attained a number of data protection and privacy certifications including Certified Information Privacy Professional / Europe (CIPP/E), E.U. General Data Protection Regulation Foundation (GDPR F) and E.U. General Data Protection Regulation Practitioner (GDPR P). In addition, he is a legal technologist, certified public accountant, certified fraud examiner and certified anti-money laundering specialist.