In the US, efforts have continued to establish a comprehensive national privacy law, to replace the current patchwork approach undertaken on a state and sector basis. Key recent federal privacy initiatives include the following:
Algorithmic Accountability Act of 2019
On 10 April 2019, Senators Ron Wyden (D-OR) and Cory Booker (D-NJ), and Representative Yvette Clarke (D-NY), proposed the Algorithmic Accountability Act of 2019 ("AAA"; respectively S.1108 and H.R.2231. The AAA directs the US Federal Trade Commission ("FTC") to impose requirements (set out below) on certain "entities that use, store, or share personal information ("PI") to conduct automated decision system ("ADS") impact assessments and data protection impact assessments." It defines PI as "any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device." It further defines an ADS as "a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers."
The legislation would require covered entities to, among other things, assess their use of ADS for impacts on accuracy, fairness, bias, discrimination, privacy, and security, and to fix flawed computer algorithms that result in inaccurate, unfair, biased or discriminatory decisions impacting consumers. The bill would allow a State attorney general to bring a civil enforcement action on behalf of state residents in US federal court, a provision that, if enacted, would likely lead to a greater number of actions than if enforcement were limited to federal authorities.
The companion bills were referred to respective Senate and House committees, where they remain. As the implementation of AI technologies and systems increases, proposed legislation such as this, if enacted, could be applicable to and have a significant impact on a broad range of contexts.
Privacy Bill of Rights Act
On 11 April 2019, Senator Edward Markey (D-Mass.) introduced the Privacy Bill of Rights Act (S.1214). The bill proposes to establish and protect individual and collective privacy rights. It prohibits a covered entity from using PI for harmful, discriminatory purposes, such as advertising for housing, employment, healthcare, or education focusing on demographics such as race, colour, ethnicity, religion, national origin, gender, sexual orientation, or disability. It defines PI as non-publicly-available "information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual", and provides numerous examples. It also sets forth cybersecurity standards and provides rulemaking authority to the FTC.
Other key aspects of the bill include:
- Requiring covered entities to obtain opt-in approval from an individual to collect, use, retain, share, or sell the individual's PI, or to make any material changes in the collection, use, retention, sharing, or sale of that PI;
- Requiring companies to provide consumers with a short-form notice about the collection, retention, use, and sharing of the PI by the covered entity;
- Requiring businesses to protect and secure the PI they hold;
- Ensuring businesses collect from consumers only the PI needed to provide the requested services;
- Establishing a centralised FTC website advising consumers on their privacy rights;
- Providing for FTC enforcement powers;
- Enabling State Attorneys' General to protect the interest of their residents and bring actions against companies that violate individuals' privacy rights; and
- Providing individuals a private right of action so they can defend their privacy rights themselves.
The bill was referred to, and remains before, the US Senate Committee on Commerce, Science and Transportation.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.