Digital Governance … … and Algorithms Law and Ethics for - PowerPoint Presentation

Digital Governance … … and Algorithms Law and Ethics for Disruptive Technologies Alan Charles Raul March 14 , 2019

Key Themes Shifting zeitgeist. High-profile data breaches, recent controversies concerning personal data (e.g., Cambridge Analytica), and foreign privacy laws have irrevocably changed debate about information regulation; sea change from decades-old “hands-off” approachDigital issues at intersection of humans and machines will be even harder. Next generation of digital technologies – artificial intelligence, autonomous decision-making, IoT, Big Data – will involve privacy and cybersecurity but will be more complexDigital governance is necessary. Tech challenges and opportunities will necessitate digital governance to guide oversight of technologies and business practices that implicate sensitive data and decision-makingSpecific elements of digital governance include:Structuring and resourcing companies to understand and address digital challengesEnsuring leadership knows what the their companies are doing or could be doing with sensitive data and disruptive technologies Supporting an organizational culture that identifies and values fair digital practices Understanding the promises and risks of a highly dynamic and unpredictable zeitgeist Governance and, or Governance Versus, Innovation and Competitiveness? SIDLEY AUSTIN LLP 3

As digital technologies increasingly occupy more of our lives, information regulation expands commensurately. Privacy “I want control over my personal information” Key issue: Consumers control use and monetization of personal data Governed by data privacy and consumer protection laws (FTC, GDPR, CCPA, GLBA, HIPAA, Constitution, etc.), increasing litigation, and public opinion Cyber-Security “I’ll give you my data, but you have to protect it.” Key issue: Consumers, businesses and governments need to protect their information and ensure data availability and integrity and business continuity Governed by critical infrastructure regulation, litigation, and notification Disruptive Technologies “I want to know why this happened to me and ensure that humans are in control” Key issues: Human control, transparency, bias, values, risks … TBD Governed by … TBD SIDLEY AUSTIN LLP 4

SIDLEY AUSTIN LLP7 “Crisis of New Technologies” – Constant Controversies Raise Concerns and Shift Views on Data Practices

SIDLEY AUSTIN LLP 5“Crisis of New Technologies” – Tim Cook (2018) Platforms and algorithms can magnify worst human tendencies Beware the data industrial complex Our own information is being weaponized against us C ountless decisions are made on the basis of our likes and dislikes This process creates an enduring digital profile pounding preferences into hardened convictions

What is Digital Governance?Oversight of technologies that use personal or sensitive information, make autonomous decisions or exercise human responsibilities Disruptive technologies include Artificial Intelligence (AI), connected devices (IoT, cars, ubiquitous sensors, etc.), machine learning, etc.Digital Governance guides companies on organizational structures, internal processes and policies, ethics, and morality to advance:Legal complianceFiduciary standards and preservation of assetsShareholder value Reputation, company values, stakeholder expectationsInnovation, economic productivity, competitivenessTransparency, intelligibility, explainabilityFairness and human dignity SIDLEY AUSTIN LLP9

Digital Governance Risk Factors – Microsoft 2018 10-KThe development of the internet of things presents security, privacy, and execution risks. ... IoT solutions may collect large amounts of data, and our handling of IoT data may not satisfy customers or regulatory requirement... Issues in the use of artificial intelligence in our offerings may result in reputational harm or liability. … As with many disruptive innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. AI algorithms may be flawed. Datasets may be insufficient or contain biased information. Inappropriate or controversial data practices by Microsoft or others could impair the acceptance of AI solutions. These deficiencies could undermine the decisions, predictions, or analysis AI applications produce, subjecting us to competitive harm, legal liability, and brand or reputational harm. Some AI scenarios present ethical issues. If we enable or offer AI solutions that are controversial because of their impact on human rights, privacy, employment, or other social issues, we may experience brand or reputational harm. … We may experience backlash from customers, government entities, advocacy groups, employees, and other stakeholders that disagree with our product offering decisions or public policy positions. Damage to our reputation or our brands may occur from… Public scrutiny of our decisions regarding user privacy, data practices, or content. ... [and] Data security breaches…SIDLEY AUSTIN LLP10

What Else Are Companies Doing?Microsoft: Technology and Corporate Responsibility Team reports to President/Chief Legal Officer Guidance to Board and management on ethical business practices, privacy and cybersecurity; internal ethics board to navigate AI technology (guardrails) BNY Mellon: Technology Committee of the BoardReview and approve technology planning, strategy and investment Monitor existing and future technology trendsNote: technology risk oversight remains with Risk Committee (with reports to Audit Committee) AIG: Technology Committee of the BoardReview information technology planning, strategy and investmentReview cybersecurity risk management and assessment Walmart: Technology and eCommerce Committee of the Board Oversight and guidance on technology, including emerging tech issues and trendsEffectiveness of developing new business opportunitiesBank of America: Identifies information security and privacy as “key governance topic” SIDLEY AUSTIN LLP 11

Put someone in charge – a Chief Digital Officer? Consider forming a Digital Governance or Technology CommitteeEngage privacy and cybersecurity programs Establish a digital compliance and ethics program, and assign and empower qualified personnelAllocate appropriate resourcesRequire reporting, accountability and escalationProvide appropriate training on key issues of digital fairnessSIDLEY AUSTIN LLP 13 1. Create Focused Organizational Structure and Practices

SIDLEY AUSTIN LLP14 2. Understand What Company Is Doing and Could Be Doing by Mapping Data and Digital Technology UsesWhat sorts of data and digital technologies are significant to the company’s productivity, profitability and competitiveness? Has management taken stock of its digital assets and options? What are peer companies doing?Who is thinking ahead of the curve?How can we best monetize data and digital technologies like AI? Are we investing the right amount?What metrics or outcomes demonstrate progress or stagnation?What are the relevant risks – including privacy and security? Are Legal, Compliance, Communications and CSR functions fully engaged?Who at the company understands what the algorithms are doing?Full understanding of what the company is doing is required for intelligent decision-making about what it should be doing

Identify and comply with relevant legal obligationsUnderstand stakeholder expectations and sensitivitiesInclude ethical considerations in development and deployment of digital technologies: Assess impacts and risks with respect to fair digital practicesEstablish fair digital practices review boardsEvaluate and audit outcomes, including by establishing expectations for reporting to senior leadership and the BoardSIDLEY AUSTIN LLP 153. Promote an Organizational Culture that Values Fair Digital Practices

Keep in Mind These Ethical Considerations Preserving human autonomy and free choiceProviding transparency, intelligibility, explainability to assure human agencyAssuring auditability, accountability, redressability of automated decisionsAnticipating allocation of responsibility and liabilityProtecting vulnerable populations (e.g., children)Assuring relevant and quality data and algorithms Avoiding biased outcomes or entrenching biasesAvoiding discriminatory exclusionAvoiding digital determinism (by limiting choice or prejudging preferred or efficient outcomes, and diminishing role of serendipity in life)Confronting painful realities (e.g., Tinder’s “hotness” algorithm) Addressing embedded value judgments (e.g., the “trolley” dilemma regarding whom to allow being killed) Promoting human (not machine) welfareSIDLEY AUSTIN LLP 16

Alan Charles Raul PartnerPrivacy and Cybersecurity PracticeWashington, D.C. +1 202 736 8477araul@sidley.comALAN RAUL is the founder and leader of Sidley’s highly ranked Privacy and Cybersecurity practice. He represents companies on federal, state and international privacy and cybersecurity issues, including digital governance, global data protection and compliance programs, data breaches, consumer protection issues and Internet law. Alan advises companies regarding their cybersecurity preparedness and helps them address crisis management for data security incidents. His practice involves litigation and counseling regarding consumer class actions and investigations, enforcement actions and policy development by the FTC, State Attorneys General, SEC, Department of Justice, international Data Protection Authorities, and other government agencies. Alan provides clients with perspective gained from extensive government service. He previously served as Vice Chairman of the White House Privacy and Civil Liberties Oversight Board, General Counsel of the Office of Management and Budget, General Counsel of the U.S. Department of Agriculture, and Associate Counsel to the President. In addition to leading a “Privacy and Data Security” practice nationally rated by Chambers Global and Chambers USA, Alan is ranked by Chambers in its top tier of Privacy and Data Security practitioners. Chambers USA has described him as a “true ‘ambassador’ for the privacy sector” who “attracts praise for his deep knowledge of the field. Interviewees stress that ‘he gives invaluable advice’ and is known to be a strong litigator. He also earns plaudits for his regulatory compliance and data protection policy expertise.” Alan was also named to Ethisphere Institute’s “Attorneys Who Matter” in Data Privacy/Security, which recognizes lawyers with the highest commitment to public service, legal community engagement and academic involvement. Alan is a frequent author and speaker on privacy and related issues. He is the editor and contributing author of The Privacy, Data Protection and Cybersecurity Law Review (Law Business Research Ltd. 5th ed. Oct. 2018), co-author of Administrative Law of the European Union: Oversight (ABA 2008), and author of Privacy and the Digital State: Balancing Public Information and Personal Privacy (Kluwer Academic Publishers 2001). Alan received his J.D. from Yale Law School, A.B. from Harvard College, and M.P.A. from the Harvard Kennedy School of Government. Full biography: https://www.sidley.com/en/people/r/raul-alan-charles SIDLEY AUSTIN LLP 17

sidley.com Beijing Boston Brussels Century City Chicago Dallas Geneva Hong Kong Houston London Los Angeles Munich New York Palo Alto San Francisco Shanghai Singapore Sydney Tokyo Washington, D.C.