Palantir Advocates for Balanced Data Privacy Legislation in RFI Response

Editor’s Note: This blog post highlights Palantir’s response to a Request for Information from the House Energy and Commerce Committee’s Privacy Working Group, which is exploring the creation of a national data privacy law. For more information about Palantir’s contributions to AI Policy, visit our website here.

Introduction

In April, Palantir submitted a response to a Request for Information from the House Energy and Commerce Committee’s Privacy Working Group regarding its efforts to develop a federal comprehensive data privacy and security law. How the federal government finally works to resolve the challenges of a patchwork of consumer privacy legislation is not just critical in its own right, but also serves as a signal for how the government should be addressing similar challenges with AI regulation.

At Palantir, we see our work as a duty and a privilege, serving our nation and strengthening its vital interests at home and abroad. Respect for individual liberties is central to the American way of life, and privacy rights have always been a crucial part of these freedoms. That is why privacy rights shaped Palantir’s founding 20 years ago and remain core to our identity as a company today.

The Privacy Working Group’s deliberations on the framework and essential details of a federal comprehensive data privacy and security law may prove crucial to the safeguarding of Americans’ fundamental privacy rights for years to come. We approached our response to the working group’s RFI with abiding respect for the delicate balance that must be struck between maintaining a commitment to America’s democratic process and formulating a federal data security and privacy law that safeguards the privacy rights of all Americans while encouraging innovation.

Below is a portion of our RFI response. We encourage interested readers to check out our full response posted here.

House Energy & Commerce Prompts & Palantir’s Responses

Personal Information, Transparency, and Consumer Rights

1. Please describe the appropriate scope of such a law, including definitions of “personal information” and “sensitive personal information.”

Recommended Scope: Any organization [excepting exempted organizations] that processes the data of United States citizens or residents (“U.S. persons”).

Any organization handling the data of U.S. persons should be subject to laws that protect the data of U.S. persons, no matter where they are based. This is the best way to guard against organizations based offshore that poorly handle sensitive data.

Recommended Definitions:

We recognize the challenge of defining personal information, especially against a backdrop of existing — and often inconsistent — definitions enshrined in other sectoral (e.g., HIPAA) and jurisdictional (e.g., CPPA/CPRA, GDPR) privacy legislation. As a company that provides configurable, privacy-enhancing technology capabilities adaptable to heterogeneous definitions of personal and sensitive personal information, we are agnostic to the specific attributes of a chosen definition. We do, however, wish to urge caution on two areas of potential ambiguity that flow from sub-optimal definitions:

  • Definition approaches should consider how they lend themselves to practicable approaches to de-identification (i.e., via anonymization, pseudonymization, or other means). Definitions that, for example, foreground clear concepts such as linkability might allow for cleaner approaches to de-identification. See our white paper, ‘Beyond Anonymization,’ for an extended discussion of these and related issues.
  • Given the ever-expanding ubiquity of public sources of information (i.e., accessible in varying forms via commercial data brokers, social media websites, public registries, etc.), a definition approach should consider the interplay of reasonable expectations of privacy as it relates to so-called ‘publicly available information.’

2. What disclosures should consumers be provided with regard to the collection, processing, and transfer of their personal information and sensitive personal information?

Entities should provide clear, articulate, and reasonably specific documentation of the intended use cases for which data is to be collected, processed, or transferred.

For instance, “general marketing” is an example of too vague an explanation of legitimate purpose of use. Instead, stating, “marketing of complementary services within X months of collection,” would establish a clearer framework for onward use for collected data.

3. Please identify consumer protections that should be included in a comprehensive data privacy and security law. What considerations are relevant to how consumers enforce these protections and how businesses comply with related requirements?

We believe the following consumer protections should be included in any comprehensive data privacy and security law:

Right to Delete / Right of Erasure

  • Deletion is one of the most important remedies for violations of privacy, and all Americans should have a right to ask entities covered by this regulation to delete their personal information. The right to erasure is already common across existing regulatory frameworks.

Right to Know / Right to Access

  • Americans should be able to know when and how their personal information is being processed, so that they can make informed decisions about how their data is and should be used. This kind of access request right is also common across existing privacy regulations.

Compliance with Rights of Access and Erasure

  • Organizations will need to be able to identify personal data within their systems to comply with these rights.
  • While opponents of strong privacy legislation might say that requiring organizations to identify (and potentially delete) personal data upon request is unduly difficult to comply with, we cannot stress enough the importance of holding organizations that process Americans’ most sensitive information to at least this bar.
  • We have seen first-hand how the foundational data governance that would enable these privacy rights is both readily practicable through competent technology tools and fundamentally complementary with business goals and practices that build consumer confidence and trust. Data quality, governance, and protection are not a burden; in fact, they allow organizations to organize more efficiently to deliver on their business priorities — including leveraging more advanced technologies, like AI, on their data.
  • There should be no zero-sum tradeoff between supporting basic privacy rights and achieving business objectives. With the right technology, you can do both.

Right of Redress

  • For consequential decisions or consumer outcomes impacting individuals’ livelihoods, health, and well-being, individuals should have a right to request redress for adverse decisions that curtail, reject, limit, or deny services, where such decisions may be based on potentially errant information and/or errant decision-making processes (including manual as well as algorithmic or automated decision-making).

The above outlined consumer protections offer important measures for reaffirming the rights of American consumers. Their full implementation, however, may implicate organizational, procedural, and technical burdens that are onerous to smaller ventures. It may therefore be prudent to consider a tiered or graduated framework for operationalizing these protections, with escalating requirements as organizations grow in both their risk profile and capacity to support such measures.

4. What heightened protections should attach to the collection, processing, and transfer of sensitive personal information?

Regardless of a party’s standing as controller or processor, we view the following as core privacy and security protective principles for the collection, processing, and transfer of all personal information, whether or not it rises to a defined level of sensitivity:

  • Purpose/Use Limitation: Organizations should be required to justify why they need to access or use sensitive data.
  • Data Minimization: Sensitive data should by default be minimized to the greatest extent possible.
  • Storage Limitation / Scheduled Deletion: Sensitive data should be deleted when it is no longer needed, reducing the risk of unintended leaks or exposure.
  • Security Controls: Consumer data should be protected through hardware and software tools which prevent unauthorized access, use, disclosure, or modification.
  • Incident Response: Organizations handling consumer data should have a clear incident response plan to address security breaches and data privacy violations.
  • Oversight & Governance: Organizations handling consumer data should institute a framework for oversight and data governance to ensure that consumer data is handled responsibly and securely.

The above principles are well established within existing privacy protective frameworks, including various formulations of the Fair Information Principles (FIPs) and Fair Information Practice Principles (FIPPs). See, for example, the Department of Homeland Security’s articulation of the Fair Information Practice Principles (FIPPs).

These articulated principles should be reinforced through a mix of both organizational practices and technical controls. While prescriptive approaches to institutional practices tend to be more difficult and less effective to impose (given the multitude of creative business approaches taken by America’s entrepreneurs and business leaders), more discrete specifications of the supporting technical controls can be articulated and provided as examples.

  • Organizations processing and storing consumer data should have technical controls which include access controls, data encryption, identity and access management, and regulatory audits, all working together to protect sensitive data.
  • Palantir has first-hand experience building and configuring tools for these kinds of capabilities. We know it is feasible with the right technology investments, and we have long advocated for this in our prior policy submissions: 2022 FTC RFI (see Page 10, Page 16); 2022 NTIA RFI (see Page 13).

Conclusion

Our response to the House Energy and Commerce Committee’s Privacy Working Group underscores Palantir’s long-standing commitment to privacy-protective technologies. We look forward to engaging with the working group and other stakeholders as this critical work continues to evolve.
