Modernizing Privacy Risk Assessment
A DISCUSSION OF "Time to Modernize Privacy Risk Assessment"
I have only one quibble with Stuart Shapiro’s article, “Time to Modernize Privacy Risk Assessment” (Issues, Fall 2021), and I’ll come to it in a minute. Broadly, Shapiro’s analysis is right on target. Privacy Impact Assessments (PIAs) and Fair Information Practices are necessary to address privacy challenges, but current approaches are not sufficient to meet today’s needs and tomorrow’s technologies. We must do better.
The original US legislative requirement for a PIA, contained in the 2002 E-Government Act, slightly expanded upon an existing obligation that federal agencies publish a flat description of systems for processing personal information. While some agencies use this requirement to do more than the law demands, many merely “tick the box” by preparing one-page PIAs that contain no analysis of risks, harms, or anything.
Shapiro makes the case for the complexity of evaluating the privacy risks and consequences of an activity affecting personal privacy. That complexity means that the same PIA will not be appropriate for every activity. Some activities use novel technologies. Some come with urgent mandates and short timetables. Some require extensive consultations with many stakeholders. All PIAs face budgetary and other limitations. It is not simple.
I recently proposed a major revision to the Privacy Act of 1974, presented in a report for the World Privacy Forum titled From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974. In developing the proposal with the assistance of privacy experts inside and outside government, I found a demand to focus on the PIA process rather than just the PIA product.
As a result, the revised bill would require federal agencies to apply broad standards for the purpose, process, elements, and public participation of the PIA process. It gives agencies considerable discretion. Application of these or any standards will work only with the exercise of good faith and good judgment. Box ticking accomplishes nothing. The bill makes the agency chief privacy officer the key player in designing the best process for conducting each PIA.
What is true for federal agencies is also true for any agency, company, or organization that processes personal information. Whether a PIA obligation arises from a statute, industry standard, or good practice, one size will not fit all. Just to make it harder, today’s PIA may not address future challenges, so any PIA may need updating over time.
The importance of judgment in designing and conducting a PIA process, however, brings with it the risk that the authority will be poorly exercised or flatly abused. That means that we also need oversight from legislators, regulators, investors, the press, privacy advocates, and data subjects. PIAs are essential, but eternal vigilance is essential too.
My initial quibble? Shapiro labels Fair Information Practices as Fair Information Practice Principles (FIPPs). FIPPs were a pointless bureaucratic rebranding of basic privacy policies developed in the 1970s and 1980s in the United States and Europe. Anyone seeking more background on Fair Information Practices can look at my basic history of them.
Privacy and Information Policy Consultant