In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to promote the free flow of information in ways that are consistent with both privacy and security. Two reports were published on May 1, 2014, in response to this charge, one focusing on policy and big data (the “Policy Report”)1 and the other complementing and informing the Policy Report with a focus on technology and big data (the “Technology Report”).2
Both reports acknowledge that there is no one definition of “big data.” However, big data is differentiated from data historically collected about individuals (“small data”3) in two ways: big data’s quantity and variety, as well as the scale of analysis that can be applied to big data. And, while both reports view big data as potentially providing great benefits to the economy, society, and individuals, they also identify its potential to cause significant harm.
Based on the premise of embracing big data while protecting fundamental values such as privacy, fairness, and self-determination, the Policy Report makes recommendations in the following five areas: (1) preserving privacy values; (2) robust and responsible education; (3) anti-discrimination; (4) law enforcement and security; and (5) data as a public resource. The Policy Report elevates six of its recommendations, which are described in more detail below, as deserving prompt White House attention and development.
Preserving Privacy Values
Advancing the Consumer Privacy Bill of Rights. The Policy Report urges the prompt re-examination of the Consumer Privacy Bill of Rights in light of the novel privacy implications presented by big data. Specifically, the Policy Report recommends considering whether the notice and consent framework (which focuses on obtaining user permission prior to collecting data) has found its practical limit in big data and should be supplemented or replaced by a responsible-use framework. A responsible-use framework focuses on how data is used and consequently, according to the Policy Report, “holds data collectors and users accountable for how they manage the data and any harms it causes, rather than narrowly defining their responsibility to whether they properly obtained consent at the time of collection.” The Policy Report also asserts that a responsible-use framework “shifts the responsibility [for privacy] from the individual, who is not well equipped to understand or challenge consent notices as they are currently structured in the marketplace, to the entities that collect, maintain, and use data.”
Passing National Data Breach Legislation. Rather than using a patchwork of 47 state laws that govern when and how the loss of personally identifiable information must be reported, the Policy Report urges passing one national data breach standard that imposes reasonable time periods for notification, minimizes interference with law enforcement investigations, and potentially prioritizes notification about large, damaging incidents over less significant incidents. To support this recommendation, the Policy Report highlights individuals’ right to know if the increasing amount of information collected about them has been stolen or improperly exposed.
Extending Privacy Protections to Non-U.S. Persons. The Policy Report asserts that because privacy is a worldwide value, privacy policies should be applied to non-U.S. persons where practicable or alternative privacy policies should be established that apply appropriate and meaningful protections to personal information regardless of a person’s nationality.
Additional Privacy Recommendations. To protect privacy values, the Policy Report makes four additional recommendations on a less urgent basis:
- Data brokers and the data services industry generally should be more transparent to consumers about how their data is collected, shared, and reused. Specifically, they should “follow the lead of the online advertising and credit industries and build a common website or online portal that lists companies, describes their data practices, and provides methods for consumers to better control how their information is collected and used or to opt-out of certain marketing uses.”
- Consumers should have stronger “Do Not Track” tools that help them control when and how their data is collected, given the growing array of technologies available for data collection.
- The government should lead a consultative process to assess how the Health Insurance Portability and Accountability Act4 and other laws can best accommodate medical advances and healthcare cost reductions that big data can enable, including whether and how to regulate personal health information held by entities that are not currently regulated under such laws.
- The United States should lead international conversations on big data that reaffirm its commitment to interoperable global privacy frameworks, including by promoting collaboration on data flows between the United States, Europe, and Asia.
Robust and Responsible Education
Ensuring Data Collected on Students in School Is Used for Educational Purposes. The Policy Report urges the federal government to not hamper innovation in educational technology, while simultaneously ensuring that data collected in schools or another educational context is used for educational purposes and not for inappropriate purposes. The Policy Report describes such an inappropriate purpose as building “extensive profiles about students’ strengths and weaknesses that could be used to their disadvantage in later years.” Specifically, the Policy Report calls for the privacy regulatory framework under the Family Educational Rights and Privacy Act5 and Children’s Online Privacy Protection Act6 to be modernized with these considerations in mind.
Additional Education Recommendation. In furtherance of robust and responsible education, the Policy Report less urgently recommends teaching how personal data is collected, shared, and used as an essential skill in K-12 education, and for such teaching to be integrated into the standard curriculum.
Expanding Technical Expertise to Stop Discrimination. To help prevent discrimination that big data may enable, the Policy Report urges the federal government to expand its technical expertise to include the ability to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and to develop a plan for investigating and resolving violations of law.
Additional Anti-discrimination Recommendations. The Policy Report also makes two less urgent recommendations to help prevent discrimination enabled by big data:
- New practices may be needed to ensure fairness for consumers, who should know whether prices they are offered are systematically different from prices offered to others, particularly in unexpected situations.
- Government and private civil rights defenders should apply big data technologies to their advantage by using them to identify and empirically confirm instances of discrimination and characterize the harms they caused.
Law Enforcement and Security
Amending the Electronic Communications Privacy Act (ECPA). To ensure the responsible use of big data in law enforcement and security, the Policy Report urges Congress to amend the ECPA7 to make protection for digital content consistent with that in the physical world, “including by removing archaic distinctions between email left unread or over a certain age.”
Additional Recommendations. The Policy Report makes five less urgent recommendations for ensuring big data’s responsible use in law enforcement, public safety, and national security:
- The use of predictive analytics by law enforcement should continue to be subject to careful policy review, as well as protections for individual privacy and civil liberties.
- Federal agencies with expertise in privacy and data practices should provide technical assistance to other agencies seeking to deploy big data techniques.
- Government use of lawfully acquired commercial data should be evaluated to ensure consistency with values. Particularly, services that employ big data techniques should incorporate appropriate oversight and protections for privacy and civil liberties.
- Federal agencies should implement best practices for institutional protocols and mechanisms that can help ensure the controlled use and secure storage of data. Particularly, data tagging to enforce usage limitations, controlled access policies, and immutable auditing should be evaluated for integration into databases and data practices to provide built-in protections for privacy, civil rights, and civil liberties.
- Big data analysis and information sharing should be used to strengthen cybersecurity.
Data as a Public Resource
The Policy Report has three less urgent recommendations for harnessing data as a public resource:
- Government data should be accurate and securely stored, and to the maximum extent possible, open and accessible.
- All departments and agencies should, in close coordination with their senior privacy and civil liberties officials, examine how they might best harness big data to help carry out their missions.
- The country should dramatically increase investment for research and development in privacy-enhancing technologies, encouraging cross-cutting research that involves not only computer science and mathematics, but also social science, communications, and legal disciplines.
These reports demonstrate the White House’s continuing attention to privacy issues, but shift attention—although not yet the compliance burden—from collection (including notice and consent for collection and focused collection) to responsible use.
Companies should prepare to participate in processes proposed by the Policy Report or adapt to the greater focus on responsible usage that may be necessary if new standards emerge, including the possibility of new federal legislation.
1 The Policy Report, Big Data: Seizing Opportunities, Preserving Values, available at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.
2 The Technology Report, Big Data and Privacy: A Technological Perspective, available at http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf.
3 The Technology Report defines small data as “the collection and use of data sets by private- and public-sector organizations where the data are disseminated in their original form or analyzed by conventional statistical methods.” The Technology Report, page ix.
4 The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was implemented through the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), 45 CFR Part 160 and Part 164, Subparts A and E. The Privacy Rule covers the use and disclosure of health information by organizations subject to the Privacy Rule and sets standards for individuals to understand and control how such health information is used. For more information, see the WSGR Alert, HIPAA Omnibus Rule Compliance Deadline, available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-HIPAA-omnibus-rule.htm.
5 The purpose of the Family Educational Rights and Privacy Act is to protect the privacy of student “education records.” See 20 U.S.C. § 1232g; 34 CFR Part 99.
6 The Children’s Online Privacy Protection Act of 1998 and the Federal Trade Commission’s implementing regulations require online services that collect information from children under the age of 13 to provide detailed notice to parents about the information being collected and its uses, and to obtain parents’ verifiable consent prior to collecting, using, or disclosing personal information from such children. For more information, see the WSGR Alert, FTC Releases Final Amendments to Children’s Online Privacy Protection Rule, available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-COPPA-final-amendments.htm.
7 The ECPA was enacted in 1986 to protect wire, oral, and electronic communications in transit from interception, as well as communications in electronic storage from unauthorized access. See 18 U.S.C. §§ 2510-2522.