On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.
The workshop discussed several topics, including:
- What are the real drivers for transparency?
- How do we get beyond legal transparency?
- How can real transparency best be delivered in a connected world where machines are learning faster than humans?
- How should harms and benefits be identified for meaningful risk assessment?
- What do regulators expect from “best practice” risk assessments?
- How do regulators take risk mitigation into account?
Many ideas and insights were exchanged during the session and there was substantial consensus between regulators and businesses on a number of topics. There is a real danger that both transparency and risk management can end up as empty slogans, but the lively discussion probed beneath both concepts to come to a better understanding of how these concepts can contribute to organizational accountability in practice. For example, participants heard accounts of the efforts being made by companies like Google, Facebook, TRUSTe and Telefónica to understand and effectively implement transparency. Although legal obligations can stimulate companies’ efforts towards transparency, the real challenge is disseminating to users the right amount of information at the right time and in ways which can be easily understood and acted upon. The recent report from the Telefónica and CIPL roundtable on Reframing Data Transparency confirms the dangers of a growing gap between legal and user-centric transparency. The challenges are especially acute in observational and connected environments where personal information can be collected and used with little or no interaction with the data subject.
The Hong Kong, Belgian and UK privacy commissioners also discussed how they could use the tools at their disposal to incentivize best practices. For example, the new UK ICO Code on Privacy Notices seeks to strike the right balance between “right time” disclosure and information overload, and provides examples of “good” and “bad” notices. In Hong Kong, the Privacy Commissioner has pioneered privacy education programs. Although information provided directly to consumers must be kept as simple and relevant as possible, participants agreed that proper accountability demands meaningful openness (often in considerably more detail) to intermediary players other than individual users – such as the media, certification and seal bodies, consumer organizations and, of course, data protection authorities.
With respect to risk management, participants agreed that many businesses struggle to shift their focus from the risks and harms to their own businesses to the risks and harms to individuals. Stakeholders must also take into account the benefits to individuals and society. It is important – especially as the EU GDPR comes into force – that there is maximum consistency across Europe and beyond in the interpretation, implementation and enforcement of a regulatory framework which is becoming increasingly risk-based.