Earlier this month, Access Now submitted comments to the U.S. National Institute of Standards and Technology (NIST) to argue for a stronger Privacy Framework that will better protect individuals’ data.
NIST is tasked with establishing standards through documents such as the Privacy Framework, which guides industry and government in managing privacy risk. In the absence of binding federal rules, the Framework serves as a primary resource for companies, state agencies, and institutions.
While we applaud NIST for its focus on real risk to individuals rather than data processors, we see several areas for improvement.
For one, as noted in our comments, the Framework fails to explicitly recognize that people from different communities may face different levels of risk in the processing of their data. It is imperative that different levels of information sensitivity are considered throughout the privacy risk assessment process.
In addition, we call for greater outreach to non-technical audiences and a stronger emphasis on education and awareness-raising. While the current draft may speak well to engineers or other sophisticated audiences, it falls short in its ability to speak to any non-expert. People across the country, as well as around the world, may be impacted by the implementation of the Framework, and deserve to have a chance to contribute to its development. However, to do that it is necessary to ensure that materials, including the draft Framework itself, are written in an approachable and easily understandable format. To this end, NIST should consider the best ways for entities to communicate with and educate all impacted individuals, particularly those from different backgrounds with whom the entity does not maintain a direct relationship.
(Prior to this latest submission, Access Now submitted comments on earlier Privacy Framework drafts in December 2018 and April 2019. These comments are included as appendices in the most recent July 2019 submission.)