Legislation + assessment = privacy

April 9, 2020

Daniel Lipinski, a member of the US House of Representatives, recently introduced a bill in Congress with the unglamorous name of H.R.6227 – Privacy Score Act of 2020. The bill, which was then referred to the House Committee on Energy and Commerce, may not have hit the headlines, but it could offer an important step forward in protecting people's privacy in our deeply digital age.

Although the world is understandably focused on the struggle against COVID-19, the question of what further measures are needed to regulate the use of personal information, and to protect it effectively, remains open.

The EU General Data Protection Regulation (GDPR) has had a major impact, but it will come to be seen as the best piece of privacy law passed for a bygone era. Given the fast-evolving way we lead our lives, now and in the future, and the way personal data is gathered, analysed and used, it will not prove fit for purpose in the 21st century.

Lipinski's bill suggests that a privacy scoring scheme is well worth considering as a way of protecting the public in future years.

This is not a new idea, and it has been considered in the past by a number of others. In fact, in 2007 Information Integrity Solutions was a major contributor to a "possible framework for trust and privacy in the information age".

That framework was developed for the Privacy and Risk Partnership convened by Global Access Partners, and Section 3 of a Working Paper prepared by that group covers the concept in some detail. At the time, we suggested it could take the form of a Privacy and Security Risk (P&S) Rating, analogous to credit risk ratings such as those issued by S&P (Standard & Poor's).

Our thinking culminated in the following formula, put forward to provoke a strong debate rather than as a definitive measure:

Privacy Risk Rating = [Inherent Use Risk] x [∑Principle Ratings] x [Implementation/compliance/accountability approach]

Some figures can be put into this formula to illustrate its scope. For "Inherent Use Risk", for example, a value of 0 would be low and 2 would be high. For the summed "Principle Ratings" term, 0 would be strong and 25 would be weak, depending on the privacy principles to which the entity commits. For the "Implementation/compliance/accountability approach", 0 would be strong and 2 would be weak.

Hence a Privacy Risk Rating of 0 would equate to no risk, while the maximum Privacy Risk Rating of 100 (2 x 25 x 2) would flag an extremely high risk to personal privacy.
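As an added illustration (not from the original post or the 2007 Working Paper), the formula above written as a small Python function using the value ranges just described. It assumes the 0 to 25 range applies to the sum of the per-principle ratings, since 2 x 25 x 2 gives the stated maximum of 100. It also surfaces one property of a multiplicative rating that a reader of such a score would want to know: any single factor scored 0 drives the whole rating to 0, whatever the other factors say. The input values are constructed for the example, not figures from the post.

```python
from typing import Iterable, List

# Value ranges as described in the post: 0 is low risk / strong,
# the upper bound is high risk / weak.
INHERENT_USE_RISK_MAX = 2
PRINCIPLE_RATINGS_MAX = 25   # assumed to bound the *sum* of per-principle ratings
IMPLEMENTATION_MAX = 2


def _check_range(name: str, value: float, upper: float) -> None:
    if not 0 <= value <= upper:
        raise ValueError(f"{name} must be between 0 and {upper}, got {value}")


def privacy_risk_rating(inherent_use_risk: float,
                        principle_ratings: Iterable[float],
                        implementation: float) -> float:
    """Privacy Risk Rating = [Inherent Use Risk] x [sum of Principle Ratings]
    x [Implementation/compliance/accountability approach].

    Per-principle ratings are summed first; each factor is validated
    against the ranges given in the post before the product is taken.
    """
    principle_sum = sum(principle_ratings)
    _check_range("inherent use risk", inherent_use_risk, INHERENT_USE_RISK_MAX)
    _check_range("sum of principle ratings", principle_sum, PRINCIPLE_RATINGS_MAX)
    _check_range("implementation approach", implementation, IMPLEMENTATION_MAX)
    return inherent_use_risk * principle_sum * implementation


def masked_factors(inherent_use_risk: float,
                   principle_ratings: Iterable[float],
                   implementation: float) -> List[str]:
    """Names of the non-zero factors whose contribution is hidden because
    some other factor is 0.

    Because the rating is a product, a single 0 (say, a strong
    implementation approach) yields a rating of 0 even when inherent use
    risk and the principle ratings are at their worst. An empty list means
    nothing is masked.
    """
    factors = {
        "inherent use risk": inherent_use_risk,
        "sum of principle ratings": sum(principle_ratings),
        "implementation approach": implementation,
    }
    if all(v > 0 for v in factors.values()):
        return []
    return [name for name, v in factors.items() if v > 0]


if __name__ == "__main__":
    # Constructed inputs: five principles rated 5 each sums to the maximum of 25.
    worst = [5, 5, 5, 5, 5]
    print(privacy_risk_rating(2, worst, 2))   # 100
    print(privacy_risk_rating(0, worst, 0))   # 0
    print(privacy_risk_rating(2, worst, 0))   # 0 as well: the weak principle ratings are masked
    print(masked_factors(2, worst, 0))
```

A practical consequence for anyone publishing such a score is that a 0 should be read alongside the individual factors, not on its own; otherwise a strong compliance programme can hide a high-risk use of data entirely.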

Such a rating could have many uses. Regulators could use it to identify the risks that matter, and capital markets could use it to identify low-risk investments. Of course, individuals could also use it to decide which businesses and service offerings to avoid and which might be safer to use.

The fate of Daniel Lipinski's bill remains to be seen, but perhaps the time has come to think more about privacy and security risk ratings in Australia as well, and to take a more objective approach to rating privacy and security risk.