U.S. Congress struggles mightily with privacy, but for all its efforts, attempts at an omnibus privacy bill have not been successful. I do not propose a broad solution for privacy today. I want to play small ball. I want to address a small, focused privacy issue that cuts across many different types of activities and databases.
The question is how to deal with the disclosure of deidentified data.
The sharing of deidentified data often provides societal or other benefits while minimizing privacy risks. There is much potential here for a win-win outcome. But there are hurdles, risks and costs that need attention.
One hurdle is how to define deidentified data. There is no completely satisfactory, generally applicable definition, although there are many statistical, mathematical and other approaches that work in some circumstances. No simple definition will work because too much personal data is available today, and techniques for matching data to identifiable individuals advance all the time. Harvard Professor Latanya Sweeney, a noted authority on anonymity, put it this way: “I can never guarantee that any release of (deidentified) data is anonymous, even though for a particular user it may very well be anonymous.”
The risks to data subjects from sharing of supposedly deidentified information are obvious enough that I don’t need to list them. But there are also risks to the person who makes anonymized data available to another user. Will that data discloser face legal or reputational penalties if a data recipient or some other downstream user reidentifies the data? Given the uncertainties, some users with good intentions may not be able to obtain useful data, and we all face the loss of valuable research and other useful activities.
Ten years ago, I drafted a statute to address the problem. The statute creates a framework that both data disclosers and data recipients could voluntarily adopt to define their responsibilities when sharing potentially personally identifiable information.
The model for this type of voluntary contractual agreement is arbitration, a process that both parties to a contract agree to on their own. Under my proposal, the data discloser and recipient could plug into a statutory framework that offers a safe harbor to data disclosers, defined responsibilities for data recipients, remedies to individuals harmed by reidentification, and administrative sanctions and enforcement. No one would be required to use the framework, and that avoids the many problems that mandatory approaches face.
Best of all, it is not necessary for anyone to define deidentification. Potentially personally identifiable information, the category the bill covers, is simply any data without overt identifiers. The parties to the sharing decide when their data sharing needs the benefits, protections and structure of the statutory framework. No one has to decide whether data is truly deidentified to benefit from the contractual method.
The bill does not offer a fully comprehensive solution to every aspect of the sharing of deidentified data. It simply offers a new tool that would solve many problems faced by those who want to share data but fear liability; protect consumers by defining the responsibilities of data disclosers and data recipients; and encourage the responsible sharing of data for research, public health and other beneficial activities. The bill could be passed at the state or federal level.
Just to make a point about the utility of a better framework for sharing deidentified records, consider the current COVID-19 pandemic. It would surely be useful for researchers and others to be able to share records. Current rules sometimes allow for sharing, but there are uncertainties, especially when removing identifiers on the fly from data files. A way to share data under a statutory scheme that defines roles and responsibilities would speed up the process while making everyone more comfortable.
I originally published my proposal, including a fully drafted bill, 10 years ago in the Fordham Intellectual Property, Media & Entertainment Law Journal. The article received favorable comments from a few experts in the field. But it generally received all the attention most law journal articles receive, which is to say next to none.
Ten years ago, interest in privacy legislation was limited. Today, privacy is a hot legislative topic, but many intractable issues remain unresolved. Federal legislation, in particular, is hard to pass in the absence of a broad consensus. I humbly suggest it may be possible to find consensus on smaller, more narrowly focused matters.