New York Data Privacy Act, Section 7

Proposed 2023-02-03 | Official source

Summary

Requires entities that decline access to important services (e.g. healthcare and financing) on the basis of an AI system's decision to evaluate the system for accuracy & discrimination, to disclose the system's use, and to enable affected individuals to appeal the decision to a human being.

This summary is awaiting validation (peer review by a second AGORA editor).
This document has not been enacted or otherwise finalized and is subject to change. This summary is based on a copy of the document collected 2024-05-14 - refer to the official source for the most current version.

Key facts

🏛️ This document has been proposed by the State of New York, but is not yet enacted. For authoritative text and metadata, visit the official source.

🎯 This document primarily applies to the private sector, rather than the government.

📜 This document's name is An Act to amend the general business law, in relation to the management and oversight of personal data (Section 7). AGORA also tracks this document under the name New York Data Privacy Act, Section 7. It is part of New York Data Privacy Act.

↳ This document is part of a longer one: New York Data Privacy Act. Some AGORA documents are "split off" from longer documents that mix AI and non-AI content, such as omnibus authorization or appropriations laws in the United States Congress. Read more >>

Themes AI risks, applications, governance strategies, and other themes addressed in AGORA documents.

Thematic tags for this document are awaiting validation (peer review by a second AGORA editor).
This document has not been enacted or otherwise finalized and is subject to change. This summary is based on a copy of the document collected 2024-05-14 - refer to the official source for the most current version.

Harms (4)

Governance strategies (9)

Incentives for compliance (2)

AI application areas (3)

Full text

This is an unofficial copy. The document has been archived and reformatted in plaintext for AGORA. Footnotes, tables, and similar material may be omitted. For the official text, visit the original source.
Thematic tags for this document are awaiting validation (peer review by a second AGORA editor).
This text may be out of date. According to the latest data in AGORA, this document has been proposed, but is not yet enacted or otherwise finalized. This text was collected 2024-05-14 and may have been revised in the meantime. Visit the official source for authoritative text.

1. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO- MATED DECISION INVOLVING SOLELY AUTOMATED PROCESSING THAT MATERIALLY CONTRIBUTES TO A DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, THE CONTROLLER MUST: (I) DISCLOSE IN A CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS; (II) PROVIDE AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL THE DECI- SION, WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A) FORMALLY CONTEST THE DECISION, (B) PROVIDE INFORMATION TO SUPPORT THEIR POSITION, AND (C) OBTAIN MEANINGFUL HUMAN REVIEW OF THE DECISION; AND (III) EXPLAIN THE PROCESS TO APPEAL THE DECISION.

(B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL. THAT PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY.

(C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING AFFECTING FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR ENGAGED IN ASSISTING OTHERS IN AUTOMATED DECISION-MAKING IN THOSE FIELDS, MUST ANNUALLY CONDUCT AN IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING THAT: (A) DESCRIBES AND EVALUATES THE OBJECTIVES AND DEVELOPMENT OF THE AUTOMATED DECISION-MAKING PROCESSES INCLUDING THE DESIGN AND TRAINING DATA USED TO DEVELOP THE AUTOMATED DECISION-MAKING PROCESS, HOW THE AUTOMATED DECISION-MAKING PROCESS WAS TESTED FOR ACCURACY, FAIRNESS, BIAS AND DISCRIMINATION; AND (B) ASSESSES WHETHER THE AUTOMATED DECISION-MAKING SYSTEM PRODUCES DISCRIMINATORY RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM- ERS' ACTUAL OR PERCEIVED RACE, COLOR, ETHNICITY, RELIGION, NATIONAL ORIGIN, SEX, GENDER, GENDER IDENTITY, SEXUAL ORIENTATION, FAMILIAL STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF INCOME, OR DISABILITY. (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS. (III) A CONTROLLER OR PROCESSOR MUST MAKE PUBLICLY AVAILABLE IN A MANNER ACCESSIBLE ONLINE ALL IMPACT ASSESSMENTS PREPARED PURSUANT TO THIS SECTION, RETAIN ALL SUCH IMPACT ASSESSMENTS FOR AT LEAST SIX YEARS, AND MAKE ANY SUCH RETAINED IMPACT ASSESSMENTS AVAILABLE TO ANY STATE, FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST. (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL SCOPE SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY.