CIPL Submits Response to CPPA Invitation for Preliminary Comments on Proposed Rulemaking

On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.

CIPL has a long history of promoting responsible data practices through its efforts regarding organizational accountability. When paired with clear guidance from regulators, organizational accountability supports businesses in achieving effective risk assessments and responsible decisions regarding data uses, including automatic decisionmaking.

Regarding risk assessments, CIPL offered the following considerations:

  • Regulations or regulatory guidance should set forth the specific harms that should be identified and considered in a risk assessment;
  • Prescriptive lists of scenarios, technologies or processing activities that are considered a “significant risk” should be avoided. Instead, it would be helpful to provide non-exhaustive lists describing (1) the kinds of high-risk processing operations that may require more detailed and robust risk assessments or data protection impact assessments, and (2) the kinds of low-risk processing that likely do not;
  • Risk mitigation does not mean the elimination of risk, but the reduction of risk to the greatest reasonable extent, given the desired benefits and reasonable economic and technological parameters. Regulations should help businesses make reasoned and evidence-based decisions on whether to proceed with processing in light of any residual risks and taking into account proportionality;
  • While the CPPA should provide risk assessment templates detailing minimum requirements, it should maintain a flexible approach so long as all substantive considerations are included based on the context of the processing;
  • Promote interoperability between jurisdictions and clarify through guidance how businesses can “bridge” technical differences between legal systems, such as the definition of “personal data”;
  • Provide businesses with clear guidance on what should be included in a risk assessment summary;
  • Assess compliance based on demonstrable good faith and due diligence;
  • Clarify that the disclosure of a risk assessment and summary in response to a request from the California Attorney General or the CPPA does not constitute a waiver of any attorney-client privilege or work-product protection that might exist with respect to any information contained in the risk assessment and summary; and
  • Recognize that identifying risk and harm is largely a context-specific exercise.

Regarding automatic decisionmaking (“ADM”), CIPL offered the following considerations:

  • Instead of prohibiting all or certain categories of ADM while allowing for certain exceptions, focus rules on ADM that produces legal or similarly significant effects;
  • For such regulated ADM, establish robust ex ante risk assessment and mitigation requirements, as well as other accountability obligations, such as transparency, human review and robust ex post redress rights for erroneous or inappropriate decisions;
  • Provide examples of automated decisions producing “similarly significant” effects;
  • Examples of ADM producing legal or similarly significant effects should be rebuttable by businesses, as demonstrated through risk assessments;
  • Clarify that businesses should find simple ways to inform individuals about the rationale behind, or the criteria relied on in reaching, the decision without providing a complex explanation of the algorithms used or disclosure of the full algorithm;
  • Providing appropriate ADM transparency is contextual, and rules on transparency should be flexible enough to accommodate different use cases; and
  • Clarify the scope of “profiling” by addressing solely automated activities that produce legal or similarly significant effects.

You can read the entire CIPL response here.
