Remember those famous Rorschach ink blot tests, where you could see nearly anything in an image? The White House’s recent Big Data report (BIG DATA: Seizing Opportunities, Preserving Values, the “Report”), which examines how Big Data is and will be expected to be used, strikes us as rather like one of those ink blots – what you’ll take away from it depends on your perspective coming in.
While some privacy pros see images in the Report ink blot causing them to hail its findings and recommendations we’re more skeptical that any definitive action – good or bad – will directly result in the near term. This is not to say that the Report is not worth reading, nor that its recommendations are without merit – they are; merely that in the existing political landscape gridlock is the order of the day. So what does the Report say?
After clearing its throat for roughly 47 of its 85 pages with background info, defining terms, such as “What is a Zettabyte,” and laying out a roadmap of the current legal sectoral landscape the Report finally launches into a Section V, “Toward a Policy Framework for Big Data,” where four main policy areas are targeted for “further policy exploration.” They are:
- How government can harness big data for the public good while guarding against unacceptable uses against citizens;
- The extent to which big data alters the consumer landscape in ways that implicate core values;
- How to protect citizens from new forms of discrimination that may be enabled by big data technologies; and
- How big data affects the core tenet of modern privacy protection, the notice and consent framework that has been in wide use since the 1970s.
In response to these four targeted goals, the Report offers up six “discrete policy recommendations that deserve prompt Administration attention and policy development” listed below with commentary.
- Advance the Consumer Privacy Bill of Rights. The Department of Commerce should take appropriate consultative steps to seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights and then devise draft legislative text for consideration by stakeholders and submission by the President to Congress. [Comment: This is effectively a plea to “do something” and it’s a long road between draft legislation and enactment. Score: 1 of 5 as to anything resulting from this recommendation in the next two years]
- Pass National Data Breach Legislation. Congress should pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. [Comment: Another call to arms accompanied by a beat down of data brokers. With midterms coming up in Nov and the makeup and control of Congress perhaps changing as a result absolutely nothing will happen on this prong (other than the FTC’s push to probe and scrutinize data brokers) until 2015 at the earliest and given the track record of numerous such bills proposed (Sen. Leahy’s five time Cybersecurity Act comes immediately to mind) we’re skeptical any legislation will occur in the next two years. If the Target breach couldn’t lever Congress out of its data security rut, what will it take? Score: 0 of 5]
- Extend Privacy Protections to non-U.S. Persons.The Office of Management and Budget should work with departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person’s nationality. [Comment: This is direct fallout of the Snowden affair. Ironically this act benefiting non-U.S. citizens may actually come to pass before anything effecting U.S. residents and citizens. Score: 2 of 5]
- Ensure Data Collected on Students in School is Used for Educational Purposes. The federal government must ensure that privacy regulations protect students against having their data being shared or used inappropriately, especially when the data is gathered in an educational context. [Comment: Of all the six recommendations THIS one may have the most legs in the short term. Given the Common Core controversy and increased data collection/testing of students, the constituency for passage of measures addressing this recommendation is vocal, committed and resolute. The Report recommends FERPA and COPPA be “modernized” The FTC recently updated its COPPA rules last year, so whether FERPA gets a wash and wax remains to be seen. Score: 4 of 5]
- Expand Technical Expertise to Stop Discrimination.The federal government’s lead civil rights and consumer protection agencies should expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law. [Comment: A huge can of worms. Expect lots of talk about this and little action. Score: 1 of 5]
- Amend the Electronic Communications Privacy Act. Congress should amend ECPA to ensure the standard of protection for online, digital content is consistent with that afforded in the physical world — including by removing archaic distinctions between email left unread or over a certain age. [Comment: Paging Senator Leahy’s ECPA Amendments Act of 2011 (S. 1011) to a white courtesy phone. Everyone on both sides of the Congressional aisle seem to agree the ECPA and its component SCA need to be updated and amended. It hasn’t happened. Yet. But we’re somewhat optimistic that this *might* occur in late 2015. Stress might. Score: 3 of 5]
In summary, the Report is a call for more of the same but does yeoman’s work in laying out the issues big data raises. Nearly simultaneous with the Report’s release the President’s Council of Advisors for Science & Technology (PCAST), issued a report of its own that seeks to “accelerate the development and commercialization of technologies that can help to contain adverse impacts on privacy, including research into new technological options. By using technology more effectively, the nation can lead internationally in making the most of Big Data’s benefits while limiting the concerns it poses for privacy.”
As an IAPP Certified Information Privacy Professional my colleagues and I debate existing methods and future privacy goals constantly while we advise clients on privacy and information secruity issues. For example, among the many points made during this past Spring’s IAPP Global Privacy Summit in D.C., Keynote speaker Scott Charney of Microsoft highlighted – as have many of us – that the mechanism of notice and consent was effectively breaking down in its current form. What can effectively replace it remains to be seen, however, and the rise of big data will only increase methods and mechanisms to safeguard and secure individual’s privacy goals.
Big data is here to stay (and I recently completed a tech edit of a friend’s upcoming book on Big Data uses) but that doesn’t mean that privacy – contrary to many’s conclusions – is dead nor no longer valued. The issue is how we address the conflicting and competing needs and desires at work. That will call for smart thinking, smart actions and a smart recognition of the limits of each. As always, stay tuned…