The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



White House releases Big Data Report

The White House released its report on big data, “Big Data: Seizing Opportunities, Preserving Values,” on Thursday, May 1, 2014. The Report looks at the ways that businesses and the government are able to perform analytics on massive data sets culled from a wide variety of sources to develop new observations and measurements about individual consumers. The Report offers findings and recommendations based on a 90-day review of big data and privacy, conducted at the request of President Obama and led by White House counselor John Podesta and an executive branch working group, including the Secretaries of Commerce and Energy, the President’s Science and Economic Advisors and other administration officials. The working group sought public input from academic researchers, privacy advocates, advertisers, civil rights groups and the public during its review in an effort to evaluate the opportunities and challenges presented by big data.

The Report recognizes the inherent value big data has added to society, citing as examples the ability of big data analysis to enhance and improve medical treatment of premature infants, increase efficiencies across transportation networks and utility providers, and identify fraud and abuse in Medicare and Medicaid reimbursements. However, the Report also acknowledges serious privacy concerns, noting that big data may reveal intimate personal details of an individual user, and that big data tools may lead to discriminatory outcomes, particularly with regard to housing, employment and credit.

The Report offered several policy recommendations:

  • Move forward with the Consumer Bill of Rights.  In 2012, the President announced the concept of a Consumer Bill of Rights, which establishes certain baseline consumer privacy principles such as offering transparency about data privacy and security practices, providing consumers control over data practices, respecting the context in which the data was collected, increasing the accuracy of data files, and providing the opportunity for consumers to access collected data. This Report reiterates the importance of passing legislation to enforce the Bill of Rights principles, but also questions whether the principles are well-suited to the world of big data.  Perhaps, the Report suggests, there should be a greater emphasis placed on how the data is used and reused rather than an emphasis on establishing notice and consent for the initial data collection.
  • Pass National Data Breach Legislation.  The Report notes that the amalgamation of so much information about consumers results in much greater harm to the consumer in the event of a data breach, and finds an even greater need for Congress to pass national data breach legislation to preempt the 47 different state laws currently in effect.
  • Extend privacy protections to non-US persons.  The Report urges government departments and agencies to apply the Privacy Act of 1974 and other privacy protections to all individuals, regardless of nationality.
  • Ensure data collected on students in schools is used for educational purposes.  Acknowledging the growing and valuable use of educational technologies in schools, the Report calls for protections to ensure that student data is not used inappropriately when it is collected in an educational setting.  The Report suggests modernizing COPPA and FERPA to protect student data in the digital age, while still encouraging innovation in the educational technology industry.
  • Expand technical expertise to stop discrimination.  Business decisions affecting consumers’ access to healthcare, education, employment, credit and goods and services are increasingly made on the basis of big data algorithms. The Report calls on the DOJ, the FTC, the CFPB and the EEOC to develop their technical expertise to be able to detect whether these automated decision-making processes have discriminatory effects on protected classes of people, and to develop tools to redress such discrimination.
  • Amend the Electronic Communications Privacy Act (ECPA).  The Stored Communications Act, which is part of the ECPA, articulates the rules for obtaining the content of stored communications including email and cloud servers, but was written well before personal computing, email, texting, cloud storage, and smart phones were used as the primary means of communication.  The Report calls on Congress to amend the ECPA to ensure the standards of protection for digital online content are consistent with the protections afforded in the physical world.

While the Report provides a useful overview of the big data phenomenon, its benefits and its challenges, it remains to be seen what impact this Report will have on the industry.  By and large, the Recommendations do not contain wholly new ideas.  The ECPA is widely considered to be antiquated and there have been repeated calls for reform.  There have been many attempts to offer national data breach notification legislation, but no bill has made it through Congress to date.  The White House first offered its support for a Consumer Bill of Rights in 2012, but spent the last 2 years involved in multi-stakeholder meetings without producing draft legislation. This recent Recommendation shows little evidence of advancing the ball significantly on that front, as it calls for additional “stakeholder and public comment” before crafting the legislative proposal.  However, the call for greater protections for student data is well-timed, as one of the largest school technology providers, inBloom, was forced to shut down over privacy concerns just a few weeks prior to the Report’s release.



FTC’s Data Privacy Staff Report – Comments Due Jan. 31

Last week, the Federal Trade Commission released its long-awaited privacy report.  Called “Protecting Consumer Privacy in an Era of Rapid Change”, the 79-page preliminary staff report outlines a framework for consumer privacy based on three principles: (1) Privacy By Design; (2) Simplified Choice; and (3) Transparency. 
 
Some of its key proposals include: a “Do Not Track” browser add-on and other changes to consumer privacy choices; broadening the scope “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers;” and looking at whether COPPA-style consent requirements should apply to teenagers. The FTC is requesting comments on the report by January 31, 2011, and plans to issue a final report later in 2011. Annexed to the report are six pages of questions to which the FTC seeks comments.
 
The first half of the report discusses the principles of “notice and choice” and “harm” that have formed the basis for the FTC’s privacy-related policy work, educational efforts, and enforcement actions. It also summarizes the FTC’s activities and provides an overview of key issues raised during several years of roundtable discussions involving consumer advocacy groups, businesses, academicians and others. The second half of the report expands on the new principles, which appear to simply consolidate and expand upon the earlier principles – “notice” becomes “transparency”, “choice” becomes “simplified choice”, and “harm” becomes “privacy by design”:
  • Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.
  • Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . .at a time and in a context in which the consumer is making a decision about his or her data.”  The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task.  A chart below outlines the basics of simplified choice.  
    • Do-Not-Track: The day after the report issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss “achieving voluntary agreements” on Do-Not-Track. The FTC would then “ensure compliance with these voluntary agreements, as appropriate.”
    • ABA Antitrust Section Members note: Companies in markets with limited competition may be subject to “Enhanced Privacy protections” and/or “Additional Enhanced Privacy Protections.” 
  • Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether to increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.

Two Commissioners issued concurring statements to the proposed framework. Commissioner Kovacic called some of the recommendations “premature” – including the Do-Not-Track proposal. He also pointed out the report lacked consideration of the existing federal and state oversight of privacy concerns. Commissioner Rosch issued a concurring statement that applauds the report as a useful “hortatory exercise”, but criticizes the new approach. He states that it could be overstepping the FTC’s bounds to consider “reputational harm” and “other intangible privacy interests” if no deception is involved.
 
Stay tuned – there are many privacy developments on the horizon. In remarks delivered with the report, Chairman Leibowitz declared that “despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers.” He signaled that the FTC will be bringing more cases in the coming months – and that cases involving children are of particular interest.  In addition, the Commerce Department’s “green paper” on Commercial Data Privacy is expected soon.
 
Table – Simplified Choice

Choice Not Required
  • Choice Not Required
    1. “Commonly Accepted Practices”: Laundry list of practices, report suggests: first party marketing (FTC seeks comment on scope); internal operations, legal compliance, fraud prevention.
  • No choice, but Additional Transparency (Notice)
    1. Technically Difficult/not feasible to provide choice mechanism: e.g. Data Brokers? (comment sought)
    2. “Enhancement?” – compiling data from several sources to profile consumers (comment sought re: whether choice should be provided about these practices?)

Choice Mechanism REQUIRED
  • (Unspecified – presumably Company Discretion; also Do Not Track)
    1. Not “Commonly Accepted Practices” and not “Technically Difficult” e.g. Data Brokers (comment sought).
  • Enhanced Consent (Affirmative Express Consent)
    1. Sensitive Information for online behavioral advertising; information about children, financial & medical information, precise geolocation data.
    2. Sensitive Users: Children: Teenagers (staff seeks comment); Users who lack meaningful choice (lack of competition in market) (Staff seeks comment).
    3. Changing specific purpose: Use of data in materially different manner than claimed when data was posted, collected, or otherwise obtained.
  • “Even more heightened restrictions” than Enhanced Consent
    1. Lack of alternative consumer choices through Industry factors (competition): Broadband ISP deep packet inspection.
    2. Others?
  • Do Not Track
    1. Online Behavioral Advertisers.
    2. Others?