Privacy Daily is a service of Warren Communications News.

EPIC: Mandatory, Transparent Risk Assessments Can Make Data Collection, AI Use Accountable

The Electronic Privacy Information Center (EPIC) called for "enforceable legal obligations" that make risk assessments "mandatory" and afford "public access" to them, ensuring citizens can identify "how harms are mitigated and compliance is ensured."


The group's position was covered in a report it published on Wednesday.

"It is past time in the United States for regulatory frameworks that provide consumers actionable transparency and meaningful accountability around data processing," the report said. "Transparency can lead to better-informed choices from consumers, robust enforcement of privacy rights, and incentives for companies to mitigate harms or terminate harmful systems."

The report was the result of a 2023 project EPIC launched to study California and other jurisdictions that have "adopt[ed] risk assessment requirements," ensuring they serve as "genuine instruments of accountability." The study also covered the California Consumer Privacy Act (CCPA) as it applies to automated decision-making systems (ADS).

The report found "risk assessments are a key accountability mechanism that can help ensure that businesses process personal data or use automated decision systems safely, responsibly, and in ways that minimize the risk of harm to individuals."

When risk is not accounted for, businesses may engage in commercial surveillance that sometimes leads them to commoditize consumers' personal data, which may then be aggregated and sold to third parties, EPIC said. The report cited the PowerSchool (see 2505220037) and Hertz (see 2504150010) data breaches as examples of the bad consequences of unchecked data collection.

In addition, the report mentioned surveillance pricing and discriminatory advertising as risks associated with unethical mass data collection. For instance, Consumer Reports recently blasted Kroger for surveillance pricing activities (see 2505210043).

The EPIC study also raised concerns over surveillance in the workplace, law enforcement, housing, education and health care.

In a section about California, the report notes "the strong proposed regulations in the initial draft [of the California Privacy Protection Agency's rulemaking]" were "watered down due to industry pressure, resulting in proposed draft regulations that provide far less transparency and accountability." California Privacy Protection Agency Chairperson Jennifer Urban in May also voiced that concern (see 2505010048).

"Currently, no jurisdiction has adopted an ideal risk assessment framework," the EPIC report said, and "California, with one of the strongest privacy laws in the country, may adopt stripped-down risk assessment requirements that do not even obligate businesses to disclose critical components of the assessment." But "conducting thorough risk assessments can in fact benefit businesses" and "earn consumer trust."

"By implementing thorough risk assessments now, businesses will be better situated to comply with forthcoming requirements and able to develop best practices without a looming compliance deadline," EPIC added. "It is past time that businesses processing personal information demonstrate to consumers that their data practices are not putting [consumers] at risk."

On June 16, during an EPIC webinar about California’s proposed AI and privacy regulations, panelists said transparent risk assessments are the best way of negating privacy and AI harms before they arise (see 2506160049).