AI Data Governance: Where to Begin?

Plus: Personal vs Sensitive Personal Information, California's "Do Not Sell List", A Critique of the UK's new surveillance law, and more.

Welcome to Privacy Picks!

This newsletter is my way of learning about and tracking interesting topics from the world of data privacy law.

If you’d like to follow along with my weekly selection of articles and insights about privacy and security, please consider subscribing!

This week’s picks include:

  • Getting started with AI data governance

  • The difference between personal information and sensitive personal information

  • California’s “Delete Act”

  • Proposed changes to the UK surveillance law

  • How life sciences companies might benefit from the new EU-U.S. Data Privacy Framework

  • An increase in health data breach class actions

  • Privacy quick picks

Where to Start With AI Data Governance?

Here’s a scary realization: You can’t control how AI accesses and processes your personal information online.

That’s the premise of this recent article from Wired.

According to the article, the very idea of being responsible for your online privacy is outdated, as generative AI algorithms are trained on vast amounts of data from public records, social media posts, and other sources, all without your consent or control:

Generative AI completely obliterates the idea of individual responsibility for privacy because you can’t control these algorithms’ access to your information, or what they do with it. [Wired]

So, if it’s not up to us as individuals, how will companies and governments address the privacy risks of generative AI?

For starters, they’ll need new guidelines and legislation to clarify the principles of AI data governance.

But what is AI data governance, and how do you even begin to approach and understand this important topic as a user or provider of AI tech?

In discussing the fundamental aspects of an AI data governance program, the presenters highlight four critical areas to consider:

  • Provenance and Privacy

  • Transparency and Explainability

  • Bias and Discrimination

  • Compliance Mechanisms

For example, with “provenance and privacy”, companies should look to the principles outlined in recently proposed legislation and frameworks, such as the EU AI Act, the Blueprint for an AI Bill of Rights, and the NIST AI Risk Management Framework.

Companies should also ask questions about their own data governance practices, including:

  • How is the data obtained?

  • Does it contain personally identifiable information? Proprietary information?

  • Is it up to date and accurate?

  • Is the data adequately secured?

  • Can you achieve similar results with de-identified data?

With transparency and explainability, companies must consider how easy it is for customers to understand when they are actually interacting with AI and the rationale behind the AI’s output.

Next, companies must implement controls to eliminate bias and discrimination in automated decision-making and “validate training practices and test data to ensure it is representative, error-free, and complete.”

Finally, companies must develop new compliance mechanisms with “multidisciplinary teams to assemble the range of knowledge and skill necessary to meet requirements” of new AI data governance regimes.

This talk is a great introduction to AI data governance and offers an excellent jumping-off point for learning more about privacy models and safeguards concerning generative AI.

View the full article and video here.

Personal vs. Sensitive Personal Information

A core principle of AI data governance is that companies must implement strict protocols regarding how their customers’ sensitive personal information is collected, used, and stored:

Enhanced protections and restrictions for data and inferences related to sensitive domains, including health, work, education, criminal justice, and finance, and for data pertaining to youth should put you first. In sensitive domains, your data and related inferences should only be used for necessary functions, and you should be protected by ethical review and use prohibitions. [White House Blueprint for an AI Bill of Rights]

Of course, it’s not just AI governance: the distinction between personal and sensitive personal information (SPI) is fundamental to any piece of current data privacy legislation.

Generally, personal information includes data like your name, address, email, age and photos, while SPI includes more vulnerable data like race, ethnicity, political opinions, religious beliefs, financial information, trade union membership, genetic information, and more.

However, domestic and international privacy regimes define and address SPI differently.

For example, the GDPR prohibits the processing of sensitive personal data (referred to as “special categories of personal data” under Article 9) by default, unless the controller can prove that an enumerated exception, such as explicit consent, applies.

Under the CCPA, as amended, the definition of SPI is broader (including identifiers such as your social security number, financial account information, your precise geolocation data, contents of email and text messages, and more), but processing is not prohibited by default.

Instead, consumers have the right to limit the use and disclosure of sensitive personal information collected about them. 

Whether learning about your rights or determining your company’s obligations, understanding what SPI is and how it’s treated in different settings and jurisdictions is a crucial piece of the privacy puzzle.

For a good primer, this article provides a helpful summary of personal information vs. SPI across various regimes, along with illustrations and examples.

California Proposes a “Do Not Sell List” for Data Brokers

I’m sure you’ve heard about the “do not call list,” but how about the “do not sell list”?

If you’re in California, it may become a reality soon.

Proposed Senate Bill 362, aka The Delete Act, would essentially create a California “do not sell” list for data brokers.

This means data brokers, as defined by the Act, will need to register with the California Privacy Protection Agency (the “CPPA”), pay a registration fee, and provide the CPPA with detailed information about their collection practices.

Also, prior to January 1, 2026, the CPPA will need to establish a mechanism whereby California consumers can securely submit a single deletion request that applies to all data brokers, associated service providers, or contractors.

Once the mechanism is established, data brokers must start complying with deletion requests by August 1, 2026, by accessing the mechanism at least once every 31 days.

Read this article for a full overview of The Delete Act.

So, how does the ad industry feel about California’s Delete Act? This website might provide a clue: No to SB 362 (“Don’t Destroy California’s Data-Driven Economy”).

Also, as Politico reported, the Association of National Advertisers warned lawmakers that “allowing people to delete their data en masse would hurt the government’s ability to prevent fraud and prevent hospitals from providing services.”

In any event, we’ll likely see more proposed legislation that aims to protect consumers from collection and tracking by commercial data brokers, including at the federal level.

More Privacy Picks

A Revised UK Surveillance Regime May Violate International Human Rights Law

The UK Government has proposed changes to its primary surveillance law, the Investigatory Powers Act (IPA).

However, as this article points out, two of the changes, concerning the extraterritorial reach of the IPA and notice requirements for private companies, may actually violate international human rights law:

Against this backdrop, the main issue Objectives 3 and 4 jointly pose is that the United Kingdom could breach international human rights law by, for example, preventing a communications services provider from either fixing security gaps in software through the provision of security updates or applying advanced protections such as end-to-end encryption to their services, at a global level. Specifically, these measures not only are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights (ECHR), which guarantees the right to respect for private life, but they could also result in failure to respect the human rights of individuals located abroad. [Just Security]

Life Sciences Companies Could Get a Boost from the New EU-U.S. Data Privacy Framework

In the past, U.S.-based life science companies have had difficulty finding a reliable way to transfer study data from medical counterparts based in Europe.

First, the Privacy Shield was invalidated. Then, they were left with an updated set of Standard Contractual Clauses (SCCs) that technically limited their ability to transfer study-related data.

However, the new EU-U.S. Data Privacy Framework (DPF) may provide a better transfer mechanism, with a set of “Supplemental Principles” that specifically address data transfers in the context of pharmaceutical and medical products.

As this article points out, despite expected challenges, U.S. life science companies may want to consider joining the DPF.

Health Data Breach Class Actions Surge

And finally… plaintiffs’ lawyers appear to be taking full advantage of an increase in cyberattacks on health facilities.

As this article reports, the monthly average of new class actions filed over health data breaches this year is nearly double the rate from 2022. 

Factors contributing to the surge in litigation include the growing number of ransomware attacks, public notification rules, and increased consumer awareness of privacy issues.

Plus, there is a lack of clarity on how courts will actually treat these lawsuits. Lawyers on both sides are staying busy in the meantime.

Quick Picks