Press Releases

BSA | The Software Alliance Releases Privacy Framework to Support Data Privacy Legislation

WASHINGTON – September 12, 2018 – Privacy is a key concern for millions of Americans. With this in mind, BSA | The Software Alliance has developed a Privacy Framework as a guide for policymakers as they seek to draft privacy legislation.

Software affects every sector in the United States from manufacturing and education to agriculture and business. Software-enabled technologies increasingly rely on data to function, and sometimes that includes personal data.

“We understand and acknowledge the importance of privacy to every consumer,” said Victoria Espinel, President and CEO of BSA | The Software Alliance. “The US has had mechanisms in place to protect privacy for more than twenty years. The world has since changed, and data is critically important to the global economy. We need to ensure clear, consistent, and transparent privacy rules. Now is the time to modernize the law.”

Establishing clear national standards to govern how personal data is used will strengthen trust and confidence in the overall data economy. BSA urges Congress to support a user-centric approach to privacy that will provide consumers with mechanisms to control their personal data. This privacy framework will ensure the use of personal data is consistent with consumers’ expectations while also enabling companies to provide innovative solutions for businesses and consumers. In addition to federal legislation, it can serve as a guide to Administration efforts and companies’ own policies.

Companies should give consumers transparency and choice into how their data is used. Companies should also have reasonable safeguards in place to keep this data safe. And federal law should have accountability and enforcement mechanisms to make sure companies adhere to these standards.

BSA’s Privacy Framework includes making personal data collection and use more transparent, giving consumers more control over their personal data, enabling governance over data collection and use, providing robust security, and promoting the use of data for legitimate business purposes. It includes ten components:

  1. Transparency: Organizations should provide clear and accessible explanations of their practices for handling personal data, including the categories of personal data they collect, the type of third parties with whom they share data, and the description of processes the organization maintains to review, request changes to, request a copy of, or delete personal data.

  2. Purpose Specification: Personal data should be relevant to the purposes for which it is collected and obtained by lawful means. Organizations should inform consumers of the purpose for which they are collecting personal data and use that data in a manner that is consistent with that explanation, the context of the transaction, or reasonable expectation of the consumer, or in a manner that is otherwise compatible with the original purpose for which the data was collected. Organizations should employ governance systems that seek to ensure that personal data is used and shared in a manner that is compatible with the stated purposes.

  3. Informed Choice: Organizations should provide consumers with sufficient information to make informed choices and, where practical and appropriate, the ability to opt out of the processing of personal data. BSA recognizes that certain data, such as financial account information or health condition, may be particularly sensitive. If the use of sensitive data implicates heightened privacy risks, organizations should enable consumers from whom they collect sensitive data to provide affirmative express consent. Certain existing US laws, such as COPPA, HIPAA, GLB, and the FCRA, also provide important protections for the processing of sensitive personal data covered by those laws and should therefore remain in place.

  4. Data Quality: Personal data should be relevant to the purpose for which it is used and, to the extent necessary for those purposes, should be accurate, complete, and current.

  5. Consumer Control: Consumers should be able to request information about whether organizations have personal data relating to them and the nature of such data. They should be able to request a copy of the data, challenge the accuracy of that data, and, as appropriate, have the data corrected or deleted. Organizations that determine the means and purposes of processing personal data should be primarily responsible for responding to these requests. Organizations may deny such requests where the burden or expense of doing so would be unreasonable or disproportionate to the risks to the consumer’s privacy; to comply with legal requirements; to ensure network security; to otherwise protect confidential commercial information; for research purposes; or to avoid violating the privacy, free speech, or other rights of other consumers.

  6. Security: Organizations should employ reasonable and appropriate security measures designed to prevent unauthorized access, destruction, use, modification, and disclosure of personal data based on the volume and sensitivity of the data, size and complexity of the business, and cost of available tools.

  7. Facilitating Data Use for Legitimate Business Interests: Privacy frameworks should facilitate the use of data for legitimate business purposes. Such purposes may include providing services to other business customers or consumers. Where the processing of data poses risks to the privacy of consumers, privacy frameworks should implement a risk-based approach that tailors protections to circumstances that are likely to lead to substantial harm.

  8. Accountability: Organizations should develop policies and procedures that provide the safeguards outlined in this framework, including designating persons to coordinate programs implementing these safeguards and providing employee training and management; regularly monitor and assess the implementation of those programs; and, where necessary, adjust practices to address issues as they arise.

  9. Legal Compliance and Enforcement: Organizations that determine the means and purposes of processing personal data should have primary responsibility for satisfying legal privacy and security obligations. Entities that process data on behalf of those organizations should be responsible for following their agreed upon instructions. Any uniform federal privacy law should harmonize requirements in state law. The Federal Trade Commission, which has a strong record of robust enforcement, should have the tools and resources necessary to carry out its mission effectively.

  10. International Interoperability: Privacy frameworks should enable and encourage global data flows, which underpin the global economy. Where differences exist among varying privacy regimes, governments should create tools to bridge those gaps in ways that both protect privacy and facilitate the free flow of data.

To explore the entire framework, visit http://bit.ly/BSA-PrivacyFramework.
9/12/2018
Media Contact

Anna Hughes
202-530-5177
annah@bsa.org


Jamie Rismiller
202-756-7240
jamie@allisonpr.com


For media inquiries:
media@bsa.org

About BSA

BSA | The Software Alliance (www.bsa.org) is the leading advocate for the global software industry before governments and in the international marketplace. Its members are among the world’s most innovative companies, creating software solutions that spark the economy and improve modern life. With headquarters in Washington, DC, and operations in more than 60 countries, BSA pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy.
More >>


Techpost Facebook

Follow BSA