May 1 –The White House May 1 released a report on big data, calling for progress on national data breach notification legislation, Electronic Communications Privacy Act (ECPA) reform and the Obama administration's proposed consumer privacy bill of rights.
The report, which was the product of a review ordered by President Barack Obama, recommends that the Department of Commerce draft legislative language for the bill of rights after promptly launching a comment process on how the proposal could support the innovations of big data while at the same time responding to its risks.
As defined by the report, big data sets are “large, diverse, complex, longitudinal, and/or distributed datasets generated from instruments, sensors, Internet transactions, email, video, click streams, and/or all other digital sources available today and in the future.”
Also May 1, the President's Council of Advisors on Science and Technology (PCAST) released a separate report focusing on the “technical feasibilities” of big data policy approaches.
National Breach Notice Standard Sought
The report calls for Congress to pass legislation that provides for a single national data breach notification standard to replace the “patchwork” of standards set forth in state laws. In April, Kentucky became the 47th state with a breach notice law, requiring companies to notify individuals of breaches of their personal information.
The report said the legislative proposal might be “along the lines of the Administration's May 2011 Cybersecurity legislative proposal.” In that proposal, the White House said the law would cover businesses that collect, use, transmit, retain or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12-month period.
The proposal set a 60-day deadline for companies to notify individuals of the breach of unencrypted personal data. It described a safe harbor for companies that informed the FTC that they weren't notifying individuals because an investigation revealed there was “no reasonable risk” of harm to individuals.
Report Urges ECPA Update Amendments
The report also urges Congress to amend ECPA to ensure the standard of protection for online digital content is consistent with that afforded in the physical world.
It is “very positive to see the White House commit to essential, long-overdue reform to the Electronic Communications Privacy Act,” Jules Polonetsky, co-chairman and executive director of the Future of Privacy Forum, said in a May 1 statement.
“It is clear that momentum is on the side of reform, and now it is time for the Congress to respond,” Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) said in a May 1 statement on the big data report.
Leahy is the sponsor of legislation (S. 607) to overhaul ECPA, which was approved by the Senate Judiciary Committee in April 2013.
The Kennedy Law Firm, Washington
Charles Kennedy, principal of The Kennedy Law Firm, in Washington, told Bloomberg BNA May 1 that perhaps the least controversial items in the report are the recommendations to enact measures to set a national breach notice standard and to update ECPA. The two legislative efforts “would clarify the privacy obligations of affected businesses, as well as the privacy rights of their customers,” Kennedy said.
International Data Protection
Obama announced a review of big data and privacy in a January speech addressing concerns about National Security Agency surveillance activities. The review covered the collection and use of big data by government and private sector entities.
The report calls for the U.S. government to “actively engage” with the European Union, the Asia-Pacific Economic Cooperation (APEC) and the Organization for Economic Cooperation and Development on interoperable frameworks to address privacy issues related to big data.
The U.S. should also work to strengthen the U.S.-EU Safe Harbor Program, which allows U.S. companies to transfer personal data outside the European Economic Area if they self-certify to the U.S. Department of Commerce their compliance with privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC). U.S. and EU officials are working to reform the program in response to EU concerns over NSA surveillance, including the use of big data analytics techniques in the collection and analysis of metadata on phone calls and Internet communications.
The report also cites the need for the U.S. to continue to work with APEC to strengthen its Cross-Border Privacy Rules (CBPR) System and continue its effort to align the EU binding corporate rules system with the APEC CBPR System.
A new “Privacy Bridge Project” seeks to bring regulators, academics and attorneys from the EU and U.S. together to seek common ground on privacy issues.
The report charges the Office of Management and Budget with working with federal departments and agencies “to apply the Privacy Act of 1974 to non-U.S. persons where practicable or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person's nationality.”
'Only the Beginning.'
“This report is only the beginning of what will be a continuing dialogue among government, business, consumers, entrepreneurs and other stakeholders about maximizing the benefits and minimizing the risks of big data,” Commerce Secretary Penny Pritzker said in a teleconference with reporters.
She was joined by John Podesta, counselor to the president, who has been leading the effort.
At issue is the rapid growth of tools that allow organizations to collect and analyze vast amounts of information on individuals.
Obama Pressed by Privacy Groups
The administration had been under pressure from privacy groups to use the review as an opportunity to make progress on stalled efforts to update U.S. privacy laws.
The White House bill of rights proposal, which was released in February 2012, would give the Federal Trade Commission new authority to require U.S. businesses to abide by privacy principles such as being transparent about their data-collection practices and giving consumers the right to exercise control over the collection of their personal information and how it is used.
“More than two years ago the White House released its consumer privacy bill of rights with great fanfare, yet little has come of it,” John Simpson, privacy director at Consumer Watchdog, said in a statement. “The administration hasn't even offered baseline privacy legislation. I hope the big data report means the administration is finally serious about doing something.”
In March, FTC Commissioner Julie Brill said the proposed bill of rights might not be sufficient on its own to address big data issues, pointing to the separate big data report effort.
Big Data Benefits, Risks Cited
Victoria Espinel, president and chief executive officer of BSA | The Software Alliance, said the group was pleased that the White House report recognizes some of the benefits of big data, including its value to the U.S. economy.
“We encourage policymakers to consider how best to address challenges raised by these new technologies without unnecessarily constraining rapidly evolving industries,” Espinel said in a statement.
Although many applications of big data are beneficial, some big data uses raise privacy issues, the report said. A major concern, according to the report, is that big data tools can reveal individuals' intimate personal details.
The report's policy recommendations included protecting students against having their data shared or used inappropriately, and it calls for harmonization of protections under the Family Educational Rights and Privacy Act and Children's Online Privacy Protection Act.
It also said the government should assess how big data is used to advance health care while protecting health information consistent with the Health Insurance Portability and Accountability Act.
“As big data becomes even more widely used in the private sector to bring a wellspring of innovations and productivity, we must ensure that effective consumer privacy protections are in place to protect individuals,” the report said.
“Many technologists are of the view that de-identification of data as a means of protecting individual privacy is, at best, a limited proposition” because of the volume of information in available datasets and the ability to combine information automatically, the report noted.
Big data tools also can lead to discriminatory outcomes, according to the report, as more decisions are made about people based on algorithms and automated processes.
The report recommended that federal government civil rights and consumer protection agencies, including the FTC, the Department of Justice, the Consumer Financial Protection Bureau and the Equal Employment Opportunity Commission, expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes and develop a plan for investigating and resolving violations of law in such cases.
The report “rightly recognizes” that discrimination and inequality “can be amplified by large-scale data analysis,” Christopher Calabrese, a lawyer for the American Civil Liberties Union, told Bloomberg News May 1.
Kennedy said the call for prevention of discrimination is “more likely to result in policy choices or legislation that hamper business use of data with no offsetting benefit to consumers. Policymakers should proceed carefully in addressing these concerns.”
With assistance from Donald G. Aplin in Washington and Chris Strohm in Washington
To contact the reporter on this story: Alexei Alexis in Washington at [email protected]
To contact the editor responsible for this story: Donald G. Aplin at [email protected]
The 85-page report, “Big Data: Seizing Opportunities, Preserving Values,” is available at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.
The 76-page PCAST report, “Big Data and Privacy: A Technological Perspective,” is available at http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf.