The White House Big Data Report: Highlights for Industry
On May 1, the White House released the findings of its 90-day study on how “Big Data” is transforming every facet of modern life. The report seeks to respond to one fundamental, farsighted question: how will Big Data transform the way people (and institutions) live, work, and interact?
The report makes six specific policy recommendations:
1. Advance the Consumer Privacy Bill of Rights
The report proposes that the Department of Commerce consult with stakeholders and draft legislation implementing the Consumer Privacy Bill of Rights.
2. Pass National Data Breach Legislation
The report calls on Congress to create a national standard for data breach notification along the lines of the Administration’s May 2011 proposal.
3. Extend Privacy Protections to non-U.S. Persons
The report calls on the Executive Branch to apply the Privacy Act of 1974 to non-U.S. citizens where practicable, which was among the recommendations of the President’s Review Group on Intelligence and Communications Technologies.
4. Ensure Data Collected on Students in School is Used for Educational Purposes
The report calls for restrictions on the use and sharing of information about students, particularly when gathered in the course of school activities. Similar legislation was recently passed by the California Senate.
5. Expand Technical Expertise to Stop Discrimination
The report calls on federal agencies to develop new technical expertise for identifying applications of Big Data that have a discriminatory impact on protected classes of persons.
6. Amend the Electronic Communications Privacy
The report calls on Congress to amend the Electronic Communications Privacy Act (“ECPA”) to apply a uniform standard for government access to records of electronic communications stored by providers.
Highlights for Industry:
- Regarding online advertising, the report notes that many advertisers have provided privacy tools for consumers, but suggests that few users are aware of or understand the transparency and control features available to them. However, the report notes that “it is . . . possible that most of the public is not very bothered by personalized ads when they enjoy a robust selection of free content, products, and services.”
- The report also notes the difficulty of developing a standard for responding to web browser Do Not Track signals. While noting that there may be growing interest in technical means for consumers to control collection of information about them, the report suggests that present inconsistency in how sites respond to DNT signals is muddling consumers’ expectations.
- Companies that collect information about consumers’ offline activities drew special attention. The report suggests that, unlike online advertising companies, these companies provide consumers with little transparency or recourse to understand or contest information collected or inferred about them. The report also notes that the absence of a self-regulatory industry portal providing transparency and control for consumers “can be particularly harmful to victims of identity theft who have ongoing errors or omissions impacting their [predictive] scores and, as a result, their ability to engage in commerce.”
- Companies using predictive scoring for marketing purposes (rather than eligibility, which in some cases would be subject to the Fair Credit Reporting Act) should be prepared for increased regulatory scrutiny of their practices, both with regard to the accuracy of predictive scores and whether the scores are proxies for membership in a protected class.
- Providers should be pleased with the report’s language regarding ECPA modernization, although the report notably did not explicitly propose a uniform warrant requirement, leaving open the possibility for an exemption for federal agencies without the power to obtain a warrant.
- A nationwide data breach notification standard would simplify compliance for companies that experience breaches, but state attorneys general can be expected to oppose any federal standard that they consider less comprehensive than that currently on the books in their states.
The report has received a lukewarm response from industry and privacy advocates, with some companies and groups expressing frustration with the report’s perceived emphasis on commercial practices at the expense of meaningful reform of government practices. The president of the Computer & Communications Industry Association said, “Frankly, channeling public outrage over NSA overreach into the debate around commercial privacy regulation is irresponsible.” Kevin Bankston of the Open Technology Institute asked, “Was this process ultimately a distraction that has needlessly taken focus away from the debate over how to rein in the National Security Agency’s massive surveillance programs?”