Privacy pros are largely lauding the White House’s recently released Big Data report—the culmination of a 90-day effort initiated by John Podesta and called for by President Barack Obama to examine how Big Data is being and will be used. But some are skeptical about its ever being more than a PDF spouting off some pretty good intentions.
Podesta’s report, “A Technological Perspective,” is the result of dozens of stakeholder meetings—including with the IAPP, itself—to understand the ways in which Big Data is being used now and delivers “recommendations on how we can embrace Big Data technologies while at the same time protecting fundamental values like privacy, fairness and self-determination.”
“The dialogue,” Podesta writes in his letter to the president accompanying his report, “we set in motion today will help us remain true to our values even as Big Data reshapes the world around us.”
Concurrently, the President’s Council of Advisors for Science & Technology (PCAST), issued a report of its own as part of an initiative begun in January. Its report is perhaps more technologically canted and has an aim to “accelerate the development and commercialization of technologies,” John Holdren and Eric Lander, PCAST co-chairs, write, “that can help to contain adverse impacts on privacy, including research into new technological options. By using technology more effectively, the nation can lead internationally in making the most of Big Data’s benefits while limiting the concerns it poses for privacy.”
Podesta’s report calls for updates to the Children’s Online Privacy Protection Act and the Electronic Communications Privacy Act; questions the perceived value of de-identification; raises concerns about data collected on students, and “sharply criticizes data brokers,” as Covington & Burling’s Jeffrey Kosseff, CIPP/US, notes.
The PCAST report is similar in its policy findings but specifically notes in number four of its five specific recommendations that the U.S. government and attendant “educational institutions and professional societies” should “encourage increased education and training opportunities concerning privacy protection, including career paths for professionals.”
Not a bad call-to-action if you’ve got a CIPP or CIPM after your name.
“Programs that provide education leading to privacy expertise (akin to what is being done for security expertise) are essential and need encouragement,” the PCAST report continues. “One might envision careers for digital?privacy experts both on the software development side and on the technical management side.”
With a high-profile name like Podesta’s attached, it’s not surprising that the 90-day report is drawing the majority of the feedback.
Hogan Lovells’ Harriet Pearson, CIPP/US, said the report will “be remembered as a landmark moment for U.S. privacy law.”
Yes, its calls for updates to important privacy laws are significant, but it’s bigger than that, she said.
“The report has the potential to significantly influence how the U.S. more broadly approaches privacy issues,” she said. “In calling for a privacy law that emphasizes the responsible use of data over the time-honored principles of notice and choice, the White House validates the importance of the use-based paradigm to the future of privacy. This is very significant.”
These findings jibe with those of a widely circulated and debated report funded by Microsoft, which found that traditional applications of the FIPPs may not be sufficient for a Big Data- and wearables-fueled future.
In fact, at the IAPP’s recent Global Privacy Summit, Microsoft’s Scott Charney said notice and choice place too much burden on the user and don’t require enough accountability on the part of the data collector. Podesta’s report calls for a closer look at the FIPPs framework that “has been a central pillar of how privacy practices have been organized for more than four decades”
Given pervasive examples of data over-collection and because re-identification is “becoming more powerful than de-identification,” the Podesta report states “focusing on controlling the collection and retention of personal data … may no longer be sufficient to protect personal privacy.”
The president’s advisors wrote, “The notice and consent is defeated by exactly the positive benefits that Big Data enables: new, non-obvious, unexpectedly powerful uses of data.”
PCAST puts it even more succinctly: “Policy attention should focus more on the actual uses of Big Data and less on its collection and analysis.”
Wiley Rein’s Kirk Nahra, CIPP/US, isn’t so sure the reports will actually cause any great policy ripples, however. He said that while the report will likely increase the dialogue and was an important discussion on Big Data and the issues surrounding it, it doesn’t bring us materially closer to having a consensus on what the answers should be.
[Podesta's] report has the potential to significantly influence how the U.S. more broadly approaches privacy issues. In calling for a privacy law that emphasizes the responsible use of data over the time-honored principles of notice and choice, the White House validates the importance of the use-based paradigm to the future of privacy. This is very significant.Harriet Pearson, CIPP/US
He added he’s “concerned that it puts real pressure on companies to justify their uses of Big Data and how they are going to avoid or prevent these negatives.”
And while it’s a good idea to aim for a federal data breach notification law, and there appears to be widespread support for such, he said it’s not likely to come to pass.
“The primary hurdle is the inability of Congress to do anything they don't really have to,” he said.
K Royal, CIPP/US, CIPP/E, privacy counsel at Align Technologies, agreed: “Congress is gridlocked and tends to be gridlocked more with (Obama) than with anything else.” But the Podesta report is a “great place to start to get people to start thinking.”
She even said she’s “cautiously optimistic” that it’s going to have a long-term impact, though Obama’s waning power in office isn’t going to help.
And if a federal data breach law is unlikely, what of the Podesta report’s other major policy recommendation, to “advance the consumer privacy bill of rights”?
Jules Polonetsky, CIPP/US, said he thinks the White House handled the Consumer Bill of Rights wisely by simply calling for the “appropriate consultative steps to seek stakeholder and public comment on how Big Data affects the Consumer Privacy Bill of Rights” as well as recommending that “draft legislative text” be developed for consideration by stakeholders and, ultimately, for the president to submit to Congress.
“The Consumer Bill of Rights was a well-done framework, but there are indeed key issues that are hard to put into legislative language,” Polonetsky said, such as “context,” a term the Consumer Bill of Rights is dependent upon.
“What does that mean?” Polonetsky asked. “Out of context for one brand might not be for another brand. What exactly legally would be out of context? By calling for some very specific feedback on key Consumer Bill of Rights issues around Big Data and use, we’re committing that there will be a legislative process and that they will take some careful steps to develop those ideas further before proceeding to that legislative process.”
Outside of policy discussion, what struck Royal about the report in particular were its findings on the way Big Data could introduce or reinforce “subtle and not-so-subtle forms of discrimination.” It notes that companies using Big Data algorithms—based on online behaviors and gathered data about users—may presume information about users that could be discriminatory and harmful to particular groups, offering one group better discounts than another, for example.
“The ability to segment the population and to stratify consumer experiences so seamlessly as to be almost undetectable demands greater review, especially when it comes to the practice of differential pricing and other potentially discriminatory practices,” the 90-day report states.
It is maybe not surprising, then, that the PCAST report emphasizes practical solutions to consumers encountering this kind of discrimination. “The United States should take the lead both in the international arena and at home,” it states, “by adopting policies that stimulate the use of practical privacy-protecting technologies that exist today.” While collectors have an obligation to be accountable with their use of Big Data, the report implies, users have responsibility as well to protect themselves.
Despite Nahra and Royals’ skepticism, Polonetsky thinks the White House’s Big Data initiative and the attendant reports are a net positive, even given the fact that anything requiring legislative action ain’t gonna happen anytime soon.
“I think the biggest impact is it helps endorse the notion that there is value to Big Data,” he said. “There are skeptics who think it’s a marketing term. But I think by very firmly showing there are critical ways Big Data is being used to solve problems and these are core to U.S. policy at home and abroad, that was an important move.”
If you want to comment on this post, you need to login.