Privacy & Information Security Law Blog

On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.

CIPL has a long history of promoting responsible data practices through its efforts regarding organizational accountability. When paired with clear guidance from regulators, organizational accountability supports businesses in achieving effective risk assessments and responsible decisions regarding data uses, including automatic decisionmaking.

Regarding risk assessments, CIPL offered the following considerations:

• Regulations or regulatory guidance should set forth the specific harms that should be identified and considered in a risk assessment;
• Prescriptive lists of scenarios, technologies or processing activities that are considered a “significant risk” should be avoided. Instead, it would be helpful to provide non-exhaustive lists describing (1) the kinds of high-risk processing operations that may require more detailed and robust risk assessments or data protection impact assessments, and (2) the kinds of low-risk processing that likely do not;
• Risk mitigation does not mean the elimination of risk, but the reduction of risk to the greatest reasonable extent, given the desired benefits and reasonable economic and technological parameters. Regulations should help businesses make reasoned and evidence-based decisions on whether to proceed with processing in light of any residual risks and taking into account proportionality;
• While the CPPA should provide risk assessment templates detailing minimum requirements, it should maintain a flexible approach so long as all substantive considerations are included based on the context of the processing;
• Promote interoperability between jurisdictions and clarify through guidance how businesses can “bridge” technical differences between legal systems, such as the definition of “personal data”;
• Provide businesses with clear guidance on what should be included in a risk assessment summary;
• Assess compliance based on demonstrable good faith and due diligence;
• Clarify that the disclosure of a risk assessment and summary in response to a request from the California Attorney General or the CPPA does not constitute a waiver of any attorney-client privilege or work-product protection that might exist with respect to any information contained in the risk assessment and summary; and
• Recognize that identifying risk and harm is largely a context-specific exercise.

Regarding automatic decisionmaking (“ADM”), CIPL offers the following considerations:

• Instead of prohibiting all or certain categories of ADM while allowing for certain exceptions, focus rules on ADM that produces legal or similarly significant effects;
• For such regulated ADM, establish robust ex ante risk assessment and mitigation requirements, as well as other accountability obligations, such as transparency, human review and robust ex post redress rights for erroneous or inappropriate decisions;
• Provide examples of automated decisions producing “similarly significant” effects;
• Examples of ADM producing legal or similarly significant effects should be rebuttable by businesses, as demonstrated through risk assessments;
• Clarify that businesses should find simple ways to inform individuals about the rationale behind or the criteria relied on in reaching the decision without providing a complex explanation of the algorithms used or disclosure of the full algorithm;
• Providing appropriate ADM transparency is contextual and rules on transparency should be flexible enough to accommodate different use cases; and
• Clarify the scope of “profiling” by addressing solely automated activities that produce legal or significantly similar effects.

You can read the entire CIPL response here.