White House big data initiative: A data security and privacy analysis

Attorney Francoise Gilbert analyzes the White House big data initiative and the data security and privacy ramifications for enterprises.

The report Big Data: Seizing Opportunities, Preserving Values was published on May 1, 2014, by the Executive Office of the President in response to a request made in January 2014 by President Barack H. Obama to conduct a study examining how "big data" will transform the relationships between the government, citizens, businesses and consumers.

The report identifies five areas of focus:

  • Privacy: Maintain privacy values by protecting personal information in the marketplace, the United States and worldwide through interoperable global privacy frameworks
  • Discrimination: Prevent discrimination that some uses of big data may enable
  • Law enforcement: Ensure responsible use of big data in law enforcement, public safety and national security
  • Public resource: Harness data as a public resource, use it to improve the delivery of public services, and invest in research and technology that will further power the big data revolution
  • Education: Recognize schools as an important sphere for using big data to enhance learning opportunities while simultaneously protecting personal data usage and building digital literacy and skills
While big data has the potential for numerous positive developments, it is clear that structures need to be put in place to help preserve intimacy and protect personal lives.

The report concludes with a number of policy recommendations, specifically to:

These recommendations are likely to affect the way in which companies operate, how and why they collect data, and what uses they make of the information collected. The general theme of the report and its recommendations center on finding responsible uses of big data for the benefit of individuals while respecting privacy and intimacy, and setting up better structures, disclosures or technologies to allow for these new uses.

Let's take a further look at some of the main components and recommendations of the report.

Consumer Privacy Bill of Rights

The report furthers the White House initiative known as the "Consumer Privacy Bill of Rights" in which President Obama proposed adoption of a national data privacy law. The report suggests that the Department of Commerce draft legislative text implementing the Consumer Privacy Bill of Rights for submission by the President to Congress.

Notice and consent

The White House report recognizes that the traditional concepts of notice and consent, which have been a central pillar of how privacy practices have been organized, may no longer be sufficient to protect personal privacy for a variety of reasons, including the rampant over-collection of data, combination of multiple databases, the advance of technology and computing capabilities, and the difficulty in keeping data anonymous.

In the "notice and consent" framework, a company notifies a consumer in advance of the intended use of the personal data being collected, and the user consents to collection for these purposes. The company is limited to using or processing the data for the purposes that were originally identified, or perhaps similar purposes. Big data processing does not fit within this framework because most uses of big data processing technologies are outside the scope of the original notice. They are intended for the discovery of patterns or behaviors that were not contemplated in the original notice. In addition, the patterns or behaviors may result from the combination of several databases, originating from several entities.

In fact, notice and consent would be incompatible with the benefits that big data would enable, such as "new, non-obvious, unexpectedly powerful uses of data" beyond the scope and intent of the original data collection. Thus, new criteria for access to and the processing of data would have to be developed.

'Do not track'

The report recommends strengthening "do not track" tools, technologies and mechanisms to address the growing array of technologies available for recording individual actions, behavior and location data across a range of services and devices.

While there are currently numerous efforts to implement a "do not track" regime, various obstacles are delaying implementation. Concurrently, companies are resisting the implementation of "do not track" because they view the ability to analyze usage data as critical for understanding their market.

Data brokers

Key parts of the report apply specifically to data brokers. Data brokers have been the subject of intense scrutiny in the past few months, including an initiative of the Federal Trade Commission. The report encourages the data broker industry to build a portal (similar to those that have been developed by the advertising industry) relating to cookies and customer tracking. On these portals, data brokers would disclose data practices and provide methods for consumers to better control how their information is collected and used, or to opt out of certain marketing uses. The massive collection and use of personal data by data brokers -- and their dissemination of the collected information -- has been the subject of several Federal Trade Commission enforcement actions. The White House report suggestions would help sanitize some of these practices, though at this point the threat of legislation seems highly unlikely.

National data breach legislation

More than 10 years after California passed the first security breach disclosure law, the country is still divided into 47 different regimes, and federal legislators have not been able to pass a law that would provide disclosure uniformity. The White House report on big data supports legislation to define a single national data breach standard that would impose reasonable time periods for consumer notification; minimize interference with law enforcement investigations; and potentially prioritize notifications of large, damaging incidents over less significant incidents.

Amend the Electronic Communications Privacy Act

There is no doubt that the Electronic Communications Privacy Act (ECPA), at almost 30 years old, is out of sync with the reality of today's communications based on cloud, texting, social media and other means that did not exist or were in their infancy in 1986. Numerous initiatives have been discussed already to update this aged act. The White House report supports the trend and recommends amending the ECPA to ensure that the same protection is given to online and digital content as that which is afforded in the physical world, including removing archaic distinctions between emails left unread or over a certain age.

Privacy protections for non-U.S. persons

The report takes into account the increased globalization of practices and communications along with the fact that cloud computing and other technologies allow the presence on U.S. servers of information generated by users out of the country that is intended to be used outside the United States. The report recommends that the Office of Management and Budget work with various departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person's nationality.

Interoperable global privacy frameworks

After having been the target of much criticism for its practices and lack of "adequate protection," the United States is now stepping up its efforts at communicating with the other powers worldwide and attempting to establish and participate in building bridges between the different privacy and data protection regimes.

The big data report encourages the Department of State and the Department of Commerce to engage with the European Union, the Asia Pacific Economic Cooperation (APEC), the Organization for Economic Cooperation and Development, and other stakeholders to take stock of how existing and proposed policy frameworks address big data issues. In addition, it recommends that the two departments strengthen the U.S.-European Union Safe Harbor Framework, encourage more countries and companies to join the APEC Cross-Border Privacy Rules system, and promote collaboration with respect to data flows between the United States, Europe and Asia through efforts to align Europe's system of Binding Corporate Rules and the APEC CBPR system.

Discrimination

The report also focuses on the potential ability of big data to create more opportunity for discrimination based on the information that would be collected through the processing of the data. The White House recommends the federal government's lead civil rights and consumer protection agencies expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and then develop a plan for investigating and resolving violations of law.

Law enforcement and security

With the recent revelations of the extensive use of personal information by U.S. and foreign government agencies, it is no surprise that the White House report would contain numerous recommendations regarding the role and scope of powers of law enforcement agencies. For example, the report recommends that the use of predictive analytics by law enforcement should receive careful policy review. Federal agencies with expertise in privacy and data practices should provide technical assistance to state, local, and other federal law enforcement agencies seeking to deploy big data techniques. Government use of lawfully acquired commercial data should be evaluated to ensure consistency with our values. Federal agencies should also implement best practices for institutional protocols and mechanisms that can help ensure the controlled use and secure storage of data.

Conclusion

Big data tools offer astonishing and powerful opportunities to unlock previously inaccessible insights from new and existing data sets. As a result, organizations are collecting and storing increasingly larger amounts of data and allowing the digital traces users leave behind to be collected, analyzed and assembled to reveal a surprising number of things about individuals. As a result, big data analytics have the potential to eclipse long-standing civil rights protections in how personal information is used in housing, credit, employment, health, education and ultimately the entire digital marketplace.

The White House big data report provides a thorough analysis of the good and bad uses of big data and suggests numerous structures and safeguards that should be put in place to avoid negative or harmful consequences for individuals. It is likely that some of the proposed initiatives will be translated into new laws and regulations, which will undoubtedly create obstacles and compliance requirements for many, if not most, companies.

It is clear that big data analytics and technologies -- especially when combined with the amazing capabilities of sensors, wearable technologies and other Internet of Things devices -- create the potential for new uses of data never before envisioned. While big data has the potential for numerous positive developments -- such as in the health or the education sectors -- it is clear that structures need to be put in place to help preserve intimacy and protect personal lives. The White House big data report is an important step in the right direction, but it remains to be seen how the study and its recommendations will be implemented to preserve a reasonable balance between the different players -- and the different goals.

About the author:
Francoise Gilbert, JD, CIPP/US, is the managing attorney of the IT Law Group, and she serves as the general counsel of the Cloud Security Alliance. She focuses her legal practice on information privacy and security, cloud computing, big data and data governance. Francoise was named Best Lawyers' "2014 San Francisco Lawyer of the Year" in the area of information technology, and was listed as one of the country's top legal advisors on privacy matters in a recent industry survey. For the past few years, she has been repeatedly identified by Ethisphere as "an attorney who matters" in the field of information privacy and security, and by Chambers and Best Lawyers as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume, 3,000-page treatise Global Privacy & Security Law, which provides an in-depth analysis of the data protection laws of 66 countries on all continents. Her blog, http://www.francoisegilbert.com, focuses on domestic and international data privacy and security issues. Gilbert can be reached at fgilbert@itlawgroup.com.

This was first published in May 2014

Dig deeper on Data Analysis and Classification

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Related Discussions

Francoise Gilbert asks:

What do you think of the White House's big data report? Did it cover the top big data privacy issues? What was left out?

1  Response So Far

Join the Discussion

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close