Bill Text: NJ A5430 | 2018-2019 | Regular Session | Amended


Bill Title: "New Jersey Algorithmic Accountability Act"; requires certain businesses to conduct automated decision and data protection impact assessments.

Spectrum: Partisan Bill (Democrat 3-0)

Status: (Introduced - Dead) 2019-06-10 - Reported out of Assembly Comm. with Amendments, 2nd Reading [A5430 Detail]

[First Reprint]

ASSEMBLY, No. 5430

STATE OF NEW JERSEY

218th LEGISLATURE
INTRODUCED MAY 20, 2019
Sponsored by:

Assemblyman  ANDREW ZWICKER

District 16 (Hunterdon, Mercer, Middlesex and Somerset)

Assemblyman  HERB CONAWAY, JR.

District 7 (Burlington)
SYNOPSIS

     "New Jersey Algorithmic Accountability Act"; requires certain businesses to conduct automated decision and data protection impact assessments.

 

CURRENT VERSION OF TEXT

     As reported by the Assembly Science, Innovation and Technology Committee on June 10, 2019, with amendments.
An Act requiring certain businesses to conduct automated decision and data protection impact assessments and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    This act shall be known and may be cited as the "New Jersey Algorithmic Accountability Act."

 

     2.    As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     "Automated decision system" means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making and that impacts consumers.

     "Automated decision system impact assessment" means a study evaluating an automated decision system and the automated decision system's development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that shall include, but not be limited to:

     a detailed description of the ¹best practices used to minimize the risk of the¹ automated decision system, its design, decision training, data collection, and purpose ¹impacting accuracy, fairness, bias, discrimination, privacy, and security¹;

     a cost-benefit analysis of the automated decision system in light of its purpose, taking into account relevant factors, including:

     data minimization practices;

     the duration for which personally identifiable information and the results of the automated decision system are stored;

     what information about the automated decision system is available to consumers;

     the extent to which consumers have access to the results of the automated decision system and may correct or object to its results; and

     the recipients of the results of the decisions of the automated decision system;

     an assessment of the risks posed by the automated decision system to the privacy or security of personally identifiable information of consumers and the risks that the automated decision system may result in or contribute to inaccurate, unfair, biased, or discriminatory decisions impacting consumers; and

     the measures the covered entity will employ to minimize the risks posed, including technological and physical safeguards.

     "Consumer" means an individual within this State who provides, either knowingly or unknowingly, personally identifiable information to a covered entity.

     "Covered entity" means a corporation, partnership, firm, enterprise, franchise, association, trust, sole proprietorship, union, political organization, or other legal entity other than a State agency or any political subdivision thereof, federal agency, or any contractor or subcontractor employed by a State agency, political subdivision thereof, or federal agency, that does business in this State and that:

     had greater than $50,000,000 in average annual gross receipts for the three taxable-year period preceding the most recent fiscal year, as determined in accordance with paragraphs (2) and (3) of section 448(c) of the Internal Revenue Code, 26 U.S.C. s.448;

     possesses or controls personally identifiable information on more than:

     1,000,000 consumers; or

     1,000,000 consumer computers or mobile telecommunications service devices; ¹or¹

     is a data broker.

     "Data broker" means a commercial entity that, as a substantial part of its business, collects, assembles, or maintains personally identifiable information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.

     "Data minimization" means the practice of limiting the collection and storage of personally identifiable information to what is relevant and necessary to accomplish a specific purpose.

     "Data protection impact assessment" means a study evaluating the extent to which an information system protects the privacy and security of personally identifiable information the system processes.

     "Director" means the Director of the Division of Consumer Affairs in the Department of Law and Public Safety.

     "Division" means the Division of Consumer Affairs in the Department of Law and Public Safety.

     "High-risk automated decision system" means an automated decision system that:

     takes into account the novelty of the technology used and the nature, scope, context, and purpose of the automated decision system that poses a significant risk:

     to the privacy or security of personally identifiable information of consumers; or

     results in or contributes to inaccurate, unfair, biased, or discriminatory decisions impacting consumers;

     makes decisions, or facilitates human decision making, based on systematic and extensive evaluations of consumers, including attempts to analyze or predict sensitive aspects of their lives, such as their work performance, economic situation, health, personal preferences, interests, behavior, location, or movements, that:

     alter legal rights of consumers; or

     otherwise significantly impact consumers;

     involves the personally identifiable information of a significant number of consumers regarding race, color, national origin, political opinions, religion, union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;

     systematically monitors a large, publicly accessible physical place; or

     meets any other criteria established by the division in rules and regulations issued pursuant to section 7 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     "High-risk information system" means an information system that:

     takes into account the novelty of the technology used and the nature, scope, context, and purpose of the information system:

     poses a significant risk to the privacy or security of personally identifiable information of consumers;

     involves the personally identifiable information of a significant number of consumers regarding race, color, national origin, political opinions, religion, union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;

     systematically monitors a large, publicly accessible physical place; or

     meets any other criteria established by the division pursuant to P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     "Information system" means a process, automated or manual, that involves personally identifiable information, such as the collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, sharing, disclosure, dissemination, combination, restriction, erasure, or destruction of personally identifiable information and does not include automated decision systems.

     "Personally identifiable information" means any information that, regardless of how the information is collected, inferred, or obtained, is linked or reasonably linkable to a specific consumer or consumer's computer, mobile telecommunications service device, or any other Internet-connected device.

     "Store" means the actions of a covered entity to retain personally identifiable information and includes actions to store, collect, assemble, possess, control, or maintain information.

     "Use" means the actions of a person, partnership, or corporation in using information, including actions to use, process, or access information.

     3.    a.  Not later than one year after the date of enactment of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), the ¹[Director of the Division of Consumer Affairs in the Department of Law and Public Safety] director¹ shall require that a covered entity:

     (1)   conduct an automated decision system impact assessment of:

     (a)   the covered entity's existing high-risk automated decision systems, as frequently as the director determines is necessary; and

     (b)   the covered entity's high-risk automated decision systems developed since the previous automated decision system impact assessment, if applicable, prior to its implementation;

     (2)   conduct a data protection impact assessment of:

     (a) the covered entity's existing high-risk information systems, as frequently as the director determines is necessary; and

     (b)   the covered entity's high-risk information systems developed since the previous data protection impact assessment, if applicable, prior to its implementation;

     (3)   conduct the impact assessments pursuant to paragraphs (1) and (2) of subsection a. of this section in consultation with external third parties, including independent auditors and independent technology experts, if reasonably possible, as determined by the director; ¹[and]¹

     (4)   make record of any indication of racial or other bias, or any threat to the security of a consumer's personally identifiable information, found in the impact assessments required pursuant to paragraphs (1) and (2) of subsection a. of this section, including any measures taken by the covered entity to remedy these issues ¹; and

     (5)   provide any other information the director may require¹.

     b.    A covered entity may evaluate similar high-risk automated decision systems and high-risk information systems that present similar risks to the high-risk automated decision systems and high-risk information systems assessed pursuant to paragraphs (1) and (2) of subsection a. of this section in a single assessment for purposes of comparison.

     c.     The impact assessments and information required pursuant to this section shall be submitted to the director upon completion and may be made public by the covered entity.

 

     4.    A waiver of the requirements of, or an agreement entered into after the effective date of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), that does not comply with, the provisions of section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) between a covered entity and a consumer shall be void and unenforceable.

 

     5.    If the director determines, after reviewing the impact assessments and information submitted pursuant to subsection c. of section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), that an interest of the residents of the State has been or is being threatened or adversely affected by a practice that violates section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), the Attorney General of the State may institute civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.

 

     6.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a covered entity to violate sections 3 or 4 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or to knowingly provide substantial assistance to any person, partnership, or corporation whose actions violate sections 3 or 4 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     7.    The director shall adopt, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), any rules and regulations necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     8.    This act shall take effect immediately.