The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Yesterday at FTC, President Obama Announced Plans for new data privacy and security laws: Comprehensive Data Privacy Law, Consumer Privacy Bill of Rights, and Student Digital Privacy Act

Yesterday afternoon, President Barak Obama gave a quip-filled speech at the Federal Trade Commission where he praised the FTC’s efforts in protecting American consumers over the past 100 years and unveiled his plans to implement legislation to protect American consumers from identity theft and to protect school children’s personal information from being used by marketers.   These plans build upon past legislative efforts and the Administration’s focus on cybersecurity, Big Data, and Consumer Protection.  Specifically, On February 23, 2012, the White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Blueprint”) and in January 2014, President Obama asked his Counselor, John Podesta, to lead a working group to examine Big Data’s impact on government, citizens, businesses, and consumers.  The working group produced Big Data: Seizing Opportunities, Preserving Values on May 1, 2014.

In his speech, the President highlighted the need for increased privacy and security protections as more people go online to conduct their personal business—shop, manage bank accounts, pay bills, handle medical records, manage their “smart” homes, etc.—stating that “we shouldn’t have to forfeit our basic privacy when we go online to do our business”.  The President referenced his “Buy Secure” initiative that would combat credit card fraud through a “chip-and-pin” system for credit cards and credit-card readers issued by the United States government.  In that system, a microchip would be imbedded in a credit card and would replace a magnetic strip since microchips are harder than magnetic strips for thieves to clone.   A pin number would also need to be entered by the consumer into the credit card reader just as with an ATM or debit card.  The President praised those credit card issuers, banks, and lenders that allowed consumers to view their credit scores for free.   He also lauded the FTC’s efforts in the efforts to help identity theft victims by working with credit bureaus and by providing guidance to consumers on its website, identitytheft.gov.

The first piece of legislation the President discussed briefly was a comprehensive breach notification law that would require companies to notify consumers of a breach within 30 days and that would allow identity thieves to be prosecuted even when the criminal activity was done overseas. Currently, there is no federal breach notification law and many states have laws requiring companies to notify affected consumers and/or regulators depending on the type of information compromised and the jurisdiction in which the organization operates.  The state laws also require that breach notification letters to consumers should include certain information, such as information on the risks posed to the individual as a result of the breach along with steps to mitigate the harm.   This “patchwork of laws,” President Obama noted, is confusing to customers and costly for companies to comply with.  The plan to introduce a comprehensive breach notification law adopts the policy recommendation from the Big Data Report that Congress pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal.  Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.

The President next discussed the second piece of legislation he would propose, the Consumer Privacy Bill of Rights.  This initiative is not new.  Electronic Privacy Bills of Rights of 1998 and 1999 have been introduced.  In 2011, Senators John Kerry, John McCain, and Amy Klobucher introduced S.799 – Commercial Privacy Bill of Rights Act of 2011.   The Administration’s  Privacy Blueprint of February 23, 2012 set forth the Consumer Privacy Bill of Rights and, along with the Big Data Report, directed The Department of Commerce’s The National Telecommunications and Information Administration (NTIA) to seek comments from stakeholders in order to develop legally-enforceable codes of conduct that would apply the Consumer Privacy Bill of Rights to specific business contexts.

The Big Data Report of May 1, 2014 recommended that The Department of Commerce seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights draft and consider legislative text for the President to submit to Congress.  On May 21, 2014, Senator Robert Menendez introduced S.2378 – Commercial Privacy Bill of Rights Act of 2014.  The Consumer Privacy Bill of Rights set forth seven basic principles:

1) Individual control – Consumers have the right to exercise control over what information data companies collect about them and how it is used.

2) Transparency – Consumers have the right to easily understandable and accessible privacy and security practices.

3) Respect for context – Consumers expect that data companies will collect, use, and disclose the information they provided in ways consistent with the context it was provided.

4) Security – consumers have the right to secure and responsible handling of personal data.

5) Access and accuracy – Consumers have the right to access and correct their personal data in usable formats in a manner that is appropriate to the data’s sensitivity and the risk of adverse consequences if the data is not accurate.

6) Focused Collection – Consumers have the right to reasonable limits on the personal data that companies collect and retain.

7) Accountability – Consumers have the right to have companies that collect and use their data to have the appropriate methods in place to assure that they comply with the consumer bill of rights.

The President next discussed the third piece of legislation he would propose, the Student Digital Privacy Act.  The President noted how new educational technologies including tailored websites, apps, tablets, digital tutors and textbooks transform how children learn and help parents and teachers track students’ progress.  With these technologies, however, companies can mine student data for non-educational, commercial purposes such as targeted marketing.  The Student Privacy Act adopts the Big Data Report’s policy recommendation of ensuring that students’ data, collected and gathered in an educational context, is used for educational purposes and that students are protected against having their data shared or used inappropriately.  The President noted that the Student Digital Privacy Act would not “reinvent the wheel” but mirror on a federal level state legislation, specifically the California law to take effect next year that bars education technology companies from selling student data or using that data to target students with ads.   The current federal law that protects student’s privacy is the Family Educational Rights and Privacy Act of 1974, which does not protect against companies’ data mining that reveals student’s habits and profiles for targeted advertising but rather protects against official educational records from being released by schools. The President highlighted current self-regulation, the Student Privacy Pledge, signed by 75 education technology companies committing voluntary not to sell student information or use education technologies to send students targeted ads.  It has been discussed whether self-regulation would work and whether the proposed Act would go far enough.  The President remarked that parents want to make sure that children are being smart and safe online, it is their responsibility as parents to do so but that structure is needed for parents to ensure that information is not being gathered about students without their parents or the kids knowing about it.  This hinted at a notification requirement and opt-out for student data mining that is missing from state legislation but is a requirement of the Children’s Online Privacy Protection Act of 1998.  Specifically, COPPA requires companies and commercial website operators that direct online services to children under 13, collect personal information from children under 13, or that know they are collecting personal information from children under to children under 13 to provide parents with notice about the site’s information-collection practices, obtain verifiable consent from parents before collecting personal information, give parents a choice as to whether the personal information is going to be disclosed to third parties, and give parents access and the opportunity to delete the children’s personal information, among other things.

President Obama noted that his speech marked the first time in 80 years—since FDR—that a President has come to the FTC.   His speech at the FTC on Monday was the first of a three-part tour leading up to his State of the Union address.  Next, the President also planned to speak at the Department of Homeland Security on how the government can collaborate with the private sector to ward off cyber security attacks.  His final speak will take place in Iowa, where he will discuss how to bring faster, cheaper broadband access to more Americans.

Advertisements


1 Comment

White House releases Big Data Report

The White House released its report on big data, “Big Data: Seizing Opportunities, Preserving Values,” on Thursday, May 1, 2014, which looks at the ways that businesses and the government are able to perform analytics on massive data sets culled from a wide variety of sources to develop new observations and measurements about individual consumers.   The Report offers findings and recommendations, based on 90 day review of big data and privacy led by White House counselor John Podesta and an executive branch working group, including the Secretaries of Commerce and Energy, the President’s Science and Economic Advisors and other administration officials at the request of President Obama. The working group sought public input from academic researchers, privacy advocates, advertisers, civil rights groups and the public during its review in an effort to evaluate the opportunities and challenges presented by big data.

The Report recognizes the inherent value big data has added to society, citing as examples the ability of big data analysis to enhance and improve medical treatment of premature infants, increase efficiencies across transportation networks and utility providers, and identify fraud and abuse in Medicare and Medicaid reimbursements. However, the Report also acknowledges serious privacy concerns, noting that big data may reveal intimate personal details of an individual user, and that big data tools may lead to discriminatory outcomes, particularly with regard to housing, employment and credit.

The Report offered several policy recommendations:

  • Move forward with the Consumer Bill of Rights.  In 2012, the President announced the concept of a Consumer Bill of Rights, which establishes certain baseline consumer privacy principles such as offering transparency about data privacy and security practices, providing consumers control over data practices, respecting the context in which the data was collected, increasing the accuracy of data files, and providing the opportunity for consumers to access collected data. This Report reiterates the importance of passing legislation to enforce the Bill of Rights principles, but also questions whether the principles are well-suited to the world of big data.  Perhaps, the Report suggests, there should be a greater emphasis placed on how the data is used and reused rather than an emphasis on establishing notice and consent for the initial data collection.
  • Pass National Data Breach Legislation.  The Report notes that the amalgamation of so much information about consumers results in much greater harm to the consumer in the event of a data breach, and finds an even greater need for Congress to pass national data breach legislation to preempt the 47 different state laws currently in effect.
  • Extend privacy protections to non-US persons.  The Report urges government departments and agencies to apply the Privacy Act of 1974 and other privacy protections to all individuals, regardless of nationality.
  • Ensure data collected on students in schools is used for educational purposes.  Acknowledging the growing and valuable use of educational technologies in schools, the Report calls for protections to ensure that student data is not used inappropriately when it is collected in an educational setting.  The Report suggests modernizing COPPA and FERPA to protect student data in the digital age, while still encouraging innovation in the educational technology industry.
  • Expand technical expertise to stop discrimination.  Businesses decisions affecting consumers’ access to healthcare, education, employment, credit and goods and services are increasingly made on the basis of big data algorithms. The Report calls on the DOJ, the FTC, the CFPB and the EEOC to develop their technical expertise to be able to detect whether these automated decision-making processes have discriminatory effects on protected classes of people, and to develop tools to redress such discrimination.
  • Amend the Electronic Communications Privacy Act (ECPA).  The Stored Communications Act, which is part of the ECPA, articulates the rules for obtaining the content of stored communications including email and cloud servers, but was written well before personal computing, email, texting, cloud storage, and smart phones were used as the primary means of communication.  The Report calls on Congress to amend the ECPA to ensure the standards of protection for digital online content is consistent with the protections afforded in the physical world.

While the Report provides a useful overview of the big data phenomenon, its benefits and its challenges, it remains to be seen what impact this Report will have on the industry.  By and large, the Recommendations do not contain wholly new ideas.  The ECPA is widely considered to be antiquated and there have been repeated calls for reform.  There have been many attempts to offer national data breach notification legislation, but no bill has made it through Congress to date.  The White House first offered its support for a Consumer Bill of Rights in 2012, but spent the last 2 years involved in multi-stakeholder meetings without producing draft legislation. This recent Recommendation shows little evidence of advancing the ball significantly on that front, as calls for additional “stakeholder and public comment” before crafting the legislative proposal.  However, the call for greater protections for student data is well-timed, as one of the largest school technology providers, inBloom, was forced to shut down over privacy concerns just a few weeks prior to the Report’s release.


Leave a comment

Direct Marketing Association Launches “Data Protection Alliance”

Image

On October 29, 2013, the Direct Marketing Association (“DMA”) announced the launch of a new initiative, the Data Protection Alliance, which it describes “as  a legislative coalition that will focus specifically on ensuring that effective regulation and legislation protects the value of the Data-Driven Marketing Economy far into the future.” In its announcement release, the DMA reports the results of a study it commissioned on the economic impact of what calls “the responsible use of consumer data” on “data-driven innovation.” According to the DMA, its study indicated that regulation which “impeded responsible exchange of data across the Data-Driven Marketing Economy” would cause substantial negative damage to the U.S.’ economic growth and employment. Instead of such regulation, the DMA asks Congress to focus on its “Five Fundamentals for the Future”:

  1. Pass a national data security and breach notification law;

  2. Preempt state laws that endanger the value of data;

  3. Prohibit privacy class action suits and fund Federal Trade Commission enforcement;

  4. Reform the Electronic Communications Privacy Act (ECPA); and

  5. Preserve robust self-regulation for the Data-Driven Marketing Economy.

The DMA is explicitly concerned with its members’ interests, as any trade group would be, and this report and new Data Protection Alliance are far from the only views being expressed as to the need for legislation and regulation to alter the current balance between individual control and commercial use of personal information. Given the size and influence of the DMA and its members, though, this announcement provides useful information on the framing of the ongoing debate in the United States and elsewhere over privacy regulation.