BIG DATA NEW CONCERNS
Big data tools offer astonishing and powerful opportunities to unlock previously inaccessible insights from new and existing data sets. Large amounts of data are being processed through new techniques and technologies, dissecting the digital footprints individuals leave behind, and revealing a surprising number of personal details. As a result, big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace.
The White House Big Data Report, published on May 1, 2014, suggests structures and safeguards to avoid negative or harmful consequences for individuals. The general theme of the Report and its recommendations centers on finding responsible uses of big data for the benefit of individuals, respecting privacy and intimacy, and setting up better structures, disclosures or technologies to allow for these new uses. The Report identifies five areas of focus: protecting privacy, preventing discrimination, ensuring responsible use of information by government agencies, harnessing data as a public resource, and using big data to enhance learning opportunities. The Report concludes with policy recommendations, including advancing the Consumer Privacy Bill of Rights; passing national data breach legislation; amending the Electronic Communications Privacy Act; expanding technical expertise to stop discrimination; extending privacy protections to non-U.S. persons; and ensuring that data collected on students in school are used for educational purposes.
Many of the proposed initiatives would be translated into new laws and regulations, which are likely to create obstacles and compliance requirements for businesses. These recommendations are likely to affect the way in which companies operate, how and why they collect data, and what uses they make of it.
Law Enforcement Powers
With the recent revelations on the extensive use of personal information by US and foreign government agencies, it is not surprising that the Report would recommend clarifying law enforcement's powers and role. For example, the Report suggests that government use of lawfully acquired commercial data should be evaluated to ensure consistency with the country’s values. Federal agencies should implement best practices for institutional protocols and mechanisms to ensure the controlled use and secure storage of data. Law enforcement use of predictive analytics should receive careful policy review. Federal agencies with expertise in privacy and data practices should provide technical assistance to state, local, and other federal law enforcement agencies seeking to deploy big data techniques.
Electronic Communications Privacy Act
There is no doubt that the Electronic Communications Privacy Act, almost 30 years old, is out of synch with the reality of today’s cloud services, texting, social media and other means that did not exist or were in their infancy in 1986. Consistent with the numerous initiatives already in progress, the Report recommends amending the ECPA to provide the same protection for online, digital content as that which is afforded in the physical world.
National Privacy Legislation
The Report recommends the adoption of a national data privacy law that would incorporate the principles laid out in the White House Consumer Privacy Bill of Rights. The Department of Commerce would be tasked with drafting legislative text implementing the Consumer Privacy Bill of Rights for submission by the President to Congress.
Notice and Consent
The traditional concepts of notice and consent, which have been a key requirement in all data protection regimes, may no longer be sufficient to protect personal privacy. The Report recognizes that notice and consent would be incompatible with the way big data functions, because it would block new, non-obvious, unexpectedly powerful uses of data. Thus, new criteria for access to and processing of data would have to be developed.
“Do Not Track”
Tracking technologies have been the subject of numerous government and private initiatives in the US at the State and Federal level, and internationally, as well. Numerous obstacles are delaying implementation of a do not track framework. Concurrently, companies are lobbying to preserve their ability to analyze usage data in order to understand their market. The Report recommends strengthening “do not track” tools, technologies, and mechanisms to address the growing array of technologies available for recording individual actions, behavior, and location data across a range of services and devices.
Data brokers have been the subject of intense scrutiny in the past few years, including several initiatives by the Federal Trade Commission, alleging violation of the US Fair Credit Reporting Act. The Report encourages the data broker industry to build a portal where data brokers would disclose their data practices and provide methods for consumers to better control the collection and use of their information and to opt-out of certain marketing uses. The Report's suggestions might help sanitize or curb certain aggressive practices.
National Data Breach Legislation
More than ten years after California passed the first Security Breach Disclosure Law, the Federal legislators have not been able to pass a law that would provide a uniform approach nationwide. As a result, companies have to deal with 47 different state laws. The Report supports passing a national data breach law that would impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.
Global Privacy Frameworks
After having been the target of much criticism for its practices, and its lack of “adequate protection”, the United States is now stepping up its efforts to communicate with other worldwide powers and attempt to establish, and participate in, bridges between the different privacy and data protection regimes, such as through its initiatives as part of the Asia Pacific Economic Cooperation (APEC).
The Report encourages the US Departments of State and Commerce to engage with the European Union, APEC, Organization for Economic Cooperation and Development (OECD), and other stakeholders, to evaluate how existing and proposed policy frameworks address big data. It recommends strengthening the U.S.-European Union Safe Harbor Framework and encourages more countries and companies to join the APEC Cross Border Privacy Rules system. It also promotes collaboration on data flows between the United States, Europe, and Asia through efforts to align Europe's system of Binding Corporate Rules and the APEC CBPR system.
Big data may create tools or information that may lead to discrimination. The Report recommends that civil rights and consumer protection agencies expand their technical expertise and identify practices and outcomes that may have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law.
Protections for Non-U.S. Persons
Cloud computing and other technologies allow US servers to collect, store and transmit data generated by non-U.S. persons and intended to be used outside the United States. The Report recommends that the 1974 Privacy Act be applied to non-U.S. persons where practicable, or that alternative privacy policies that provide appropriate and meaningful protection be applied to personal information regardless of a person’s nationality.
Big data has the potential for numerous positive developments, such as in the health or the education area. However, big data analytics and technologies - especially when combined with the new means of collecting personal information such as sensors, wearable technologies, smart grid, or Internet of things devices - create the potential for new uses of data. Some of these uses may be invasive, and erode privacy rights. Structures are needed to help preserve intimacy, and protect personal lives. The White House Big Data Report is an important step in the right direction but it cannot remain just a report. The next steps will be crucial. The suggestions in the Report need to be taken to the next steps, analyzed further, and distilled into practical, pragmatic steps, to help establish a workable balance between the different players, and the different goals.
© 2014 Francoise Gilbert
Françoise Gilbert, JD, CIPP/US, is the managing attorney of the IT Law Group (www.itlawgroup.com) and she serves as the general counsel of the Cloud Security Alliance. She focuses her legal practice on information privacy and security, cloud computing, big data, and data governance. Francoise was named Best Lawyers’ “2014 San Francisco Lawyer of the Year” in the area of Information Technology.
Ms. Gilbert is the author and editor of the two-volume, 3,000 page treatise Global Privacy & Security Law, www.globalprivacybook.com, which provides an in-depth analysis of the data protection laws of 66 countries on all continents. Her blog, www.francoisegilbert.com, focuses on domestic and international data privacy and security issues.
Françoise Gilbert can be reached at +1 (650) 804-1235 or firstname.lastname@example.org.