The House Committee on Energy and Commerce’s recent Request for Information (RFI) marks a critical milestone in establishing a comprehensive federal data privacy and security framework. As organizations navigate an increasingly complex landscape of state-level regulations and international requirements, the need for unified federal standards has never been more pressing.
This article presents an abridged version of Velotix’s response to the detailed RFI which will be shared by Velotix CEO Dr. Adi Hod in the coming weeks. The committee’s own abridged RFI can be read here.
The Fragmentation Standard
The current discussion around federal privacy frameworks often focuses on the fragmentation of state-level requirements. While this fragmentation creates genuine challenges, it masks a deeper issue: The fundamental mismatch between static governance approaches and dynamic data environments.
Modern enterprises operate complex data ecosystems that span cloud platforms, legacy systems, and hybrid architectures. Each platform implements its own governance schemas, permission models, and security controls. When organizations attempt to enforce consistent privacy policies across these environments, they encounter not just different standards, but different technical capabilities for implementing those standards.
Consider a typical enterprise scenario: A financial services company operates across multiple states, each with its own privacy requirements. The company maintains customer data in legacy systems, cloud data warehouses, and various SaaS platforms. Every time a new state regulation emerges or an existing one changes, the company must manually translate these requirements into platform-specific controls across dozens of systems. This creates an exponential growth in complexity that traditional, static governance approaches simply cannot handle.
Constant Change: Why Static Solutions Fail
The challenge facing modern data organizations extends far beyond managing current complexity – it’s about adapting to constant change. Today’s data environments are in perpetual evolution across multiple dimensions:
Data Infrastructure Evolution
Modern data stacks are increasingly fluid, with organizations continuously adopting new tools and platforms. Business intelligence tools are upgraded, ETL processes are modernized, and data virtualization layers are added. Each change ripples through the entire data governance framework, requiring updates to policies, permissions, and controls.
Human-change Management
Workforce dynamics add another layer of complexity. As employees join, move between roles, or leave the organization, their data access needs change. Traditional approaches to managing these transitions through manual updates to role-based permissions create security gaps and operational bottlenecks.
Regulatory Evolution
Privacy regulations themselves are not static. New requirements emerge, existing regulations are reinterpreted, and international standards evolve. Organizations must not only comply with current requirements but maintain the agility to adapt quickly to new mandates.
Technology Advancement
The rapid advancement of technology, particularly in areas like artificial intelligence and machine learning, creates new categories of sensitive data and novel privacy considerations. Static governance frameworks struggle to accommodate these emerging challenges.
This constant state of change demands a fundamental rethink of how organizations approach data governance. The traditional approach of studying vague access data governance policies and essentially hard-coding permissions on an ad-hoc basis and manually implementing controls cannot scale with the pace of change. Organizations need frameworks that are inherently dynamic, capable of automatically adapting to new requirements while maintaining consistent protection across evolving environments.
The Current State: Unnecessary Strangleholds on the Business
Our extensive experience working with enterprises across multiple sectors demonstrates the stranglehold legacy data privacy controls place on businesses. Modern compute and AI capabilities mean businesses that can act on their data in a compliant way the fastest will compete and survive in an age of Data Darwinism.
The below high-level/abbridged RFI response represents the Velotix approach to solving for:
- Security gaps created by inconsistent requirements and enforcement mechanisms
- Innovation bottlenecks due to uncertainty around compliance requirements
- Reduced data utility as organizations implement the most restrictive interpretations to ensure compliance
- Increased compliance costs as organizations maintain multiple parallel privacy programs that are inherently unscalable.
The Case for Dynamic Data Governance
Any meaningful federal framework must address not just the current state of privacy requirements, but the continuous evolution of data environments. This demands a fundamental shift from static rules to dynamic governance.
Dynamic governance recognizes that data privacy is not a fixed state to be achieved, but a continuous process that must adapt to changing contexts. This approach centers on three core principles:
First principle: Policies must be living documents that automatically translate into technical controls.
Rather than maintaining separate codebases for each platform’s implementation, organizations need policy engines that can interpret high-level privacy requirements and automatically generate appropriate controls across any environment.
Second principle: Access controls must evolve with organizational changes.
As employees move between roles, as departments reorganize, and as business relationships shift, permission systems must automatically adjust to maintain appropriate access levels while ensuring compliance. This requires moving beyond role-based access control (RBAC) to policy-based access controls (PBAC) that can factor in multiple contextual elements including real-time risk assessment of every byte of data and employee attributes that reflect data eligibility rights.
Third principle: Compliance verification must be continuous and automated.
Point-in-time audits and manual reviews cannot keep pace with the rate of change in modern data environments. Organizations need real-time visibility into policy enforcement and automated detection of potential violations.
AI and Privacy: A Two-Way Partnership
Modern privacy frameworks must address AI’s dual nature: it serves both as a powerful tool for protecting privacy and as a domain requiring privacy safeguards. Rather than viewing these roles as competing concerns, they should be understood as complementary aspects of effective data governance.
AI as a Privacy Enabler
In today’s complex data environments, AI has become essential for effective privacy protection. Modern enterprises handle billions of data points across hundreds of systems, creating a scale of data management that exceeds human capability. AI-powered classification and monitoring can process this vast volume of data efficiently and accurately, turning an impossible task into a manageable one.
Beyond just managing scale, AI brings proactive capabilities to privacy protection. Traditional approaches react to privacy breaches after they occur, but AI’s predictive capabilities can identify potential risks before they materialize into actual breaches. This shift from reactive to preventive protection represents a fundamental advance in privacy safeguarding.
Perhaps most importantly, AI systems can adapt privacy controls in real-time based on changing contexts and emerging threats. While static rules quickly become outdated in our rapidly evolving digital landscape, AI-driven protection continuously learns and adjusts, providing more robust and current protection.
AI Requiring Privacy Protection
While AI enables better privacy protection, its use also raises important privacy considerations that must be thoughtfully addressed. The development of effective AI systems requires large datasets for training, making it crucial to protect personal information throughout the model development process. Organizations must also maintain visibility into how AI makes privacy-related decisions while protecting their intellectual property, striking a delicate balance between transparency and security.
Access controls present another critical consideration. Privacy frameworks must ensure appropriate limitations on AI systems’ access to sensitive data and applications of Privacy Enhancing Technologies, even as they enable those systems to protect that same data. This creates an interesting paradox that requires careful architectural design and governance.
Harmonizing Both Aspects
A modern privacy framework should recognize and support both roles by establishing clear guidelines for using AI in privacy protection while defining necessary safeguards. Standards for AI-powered classification accuracy, requirements for explainable privacy decisions, and metrics for measuring protection effectiveness provide the foundation for responsible AI deployment in privacy protection.
At the same time, controls on training data usage, requirements for model transparency, and regular auditing of AI privacy impact ensure that AI systems themselves maintain appropriate privacy standards. This balanced approach ensures that organizations can leverage AI’s capabilities for privacy protection while maintaining appropriate governance over AI systems themselves.
The key to success lies in viewing these requirements not as competing constraints but as complementary elements of effective data governance. When properly implemented, AI and privacy protection create a virtuous cycle, each strengthening the other to provide better overall data protection and governance.
Recommendations for Federal Policy: Actionable Policies as the Cornerstone
The key to effective privacy protection in modern data environments lies in actionable policies – policies that can be interpreted and enforced by both machines and humans across evolving systems in real-time. Federal policy should prioritize this transformative approach to privacy governance, with several interconnected elements:
Machine-Interpretable Policy Framework
Static, text-based policies that require manual interpretation inevitably lead to inconsistent enforcement, implementation delays, and security gaps. Federal policy should promote the development and adoption of machine-interpretable privacy policies that can be automatically translated into enforceable controls across diverse data systems. These actionable policies create the essential foundation for scalable privacy protection by eliminating the translation gap between policy intent and technical implementation.
Real-Time Policy Enforcement
Privacy policies must be continuously enforced as data environments evolve. The framework should explicitly recognize and encourage systems that dynamically enforce policies in real-time across changing data landscapes. This means supporting technologies that automatically adapt policy enforcement as data structures change, new sensitive data emerges, and access patterns evolve – without being bogged down by unscalable manual reconfiguration or creating protection gaps during role transitions in joiner, mover, and leaver use cases.
Comprehensive Visibility and Traceability
Effective governance requires establishing clear connections between high-level policies and actual system permissions. Federal policy should mandate end-to-end traceability from written policies to technical enforcement, enabling organizations to demonstrate exactly how privacy policies translate to practical protections. This traceability must extend across all data systems, providing comprehensive visibility into sensitive data locations, access patterns, and policy enforcement status.
Scalability as a Core Requirement
The volume, variety, and velocity of data in modern enterprises make manual privacy processes fundamentally inadequate. Federal policy should explicitly acknowledge scalability as a core requirement for effective privacy protection and encourage adoption of AI-powered solutions that can maintain protection effectiveness as data environments grow. This scalability is essential not just for large organizations but for any enterprise handling significant data volumes.
Enabling Competition While Enhancing Privacy
The approach outlined above creates a framework that simultaneously strengthens privacy protection and supports business innovation. By focusing on actionable policies that can be consistently enforced in real-time across evolving data environments, federal policy can enable critical outcomes for business and individuals alike.
Accelerated Data Democratization
When privacy controls are automatically enforced through machine-interpretable policies, organizations can safely provide broader access to valuable data assets without increasing risk. This accelerates innovation by eliminating the bottlenecks created by manual approval processes while maintaining strong privacy protections.
Maximum Dataset Availability
Traditional approaches often unnecessarily restrict access to entire datasets when only specific elements contain sensitive information. By enabling granular, context-aware policy enforcement, organizations can maximize the availability of non-sensitive data while ensuring appropriate protection for sensitive elements. This expands the utility of data assets while maintaining privacy.
Enhanced Competitive Position
Organizations can respond more quickly to market opportunities when data access isn’t delayed by manual policy interpretation and implementation. The ability to rapidly adapt privacy controls to new data sources and use cases creates competitive advantage while ensuring individual privacy rights remain protected throughout.
Superior Privacy Outcomes
Perhaps counterintuitively, enabling greater speed and flexibility in data utilization actually strengthens privacy protection. When policies are actionable and automatically enforced, protection becomes more consistent, coverage gaps are eliminated, and privacy risks are identified and addressed in real-time rather than after potential exposure.
Conclusion: Leading the Future of Data Privacy
The development of a federal privacy framework represents a pivotal opportunity to establish a new paradigm for privacy protection – one built on actionable policies that enable both effective protection and innovation.
By focusing on machine-interpretable policies, real-time enforcement, comprehensive visibility, and scalable solutions, we can create a framework that evolves with technology rather than constraining it. This approach recognizes that in modern data environments, speed and protection are not competing priorities but complementary capabilities that reinforce each other.
Organizations that implement these principles not only better protect individual privacy rights but also gain competitive advantages through faster data access and broader data utilization without demanding additional compliance overhead.
The federal framework has the opportunity to accelerate this cycle by establishing standards and requirements that promote actionable policies as the cornerstone of modern privacy protection. By doing so, it can ensure American businesses lead the global economy while setting new standards for privacy protection in the digital age.
*This article represents Velotix’s perspective on the House Committee on Energy and Commerce’s Request for Information regarding a federal data privacy and security framework. For more information about the RFI, visit https://energycommerce.house.gov/posts/chairman-guthrie-and-vice-chairman-joyce-issue-request-for-information-to-explore-data-privacy-and-security-framework.*
