On May 1, 2014, the White House released a much-anticipated report on how both government and private industry can maximize the benefits of “big data” while minimizing its risks. The report, whose preparation was led by White House counsel John Podesta, evolved from President Obama’s deliberation over surveillance reforms. As such, it is part of the Administration’s continued efforts to accommodate shifting technological developments and its effect on individual freedoms.

Central to the report is its six policy recommendations, each of which could result in legislative action:

Advance the Consumer Privacy Bill of Rights. The report recommends that the Department of Commerce take two steps in implementing the Consumer Privacy Bill of Rights, which was first introduced by the President two years ago and focuses on increased notice, choice, and transparency in how consumer information is collected, used, and stored. According to the report, the Commerce Department should consult both stakeholders and the public on how big data may affect the Bill of Rights at it was originally conceived. With this feedback in mind, the Department should then draft legislative text for further comment and eventually the President’s submission to Congress.

Pass national data breach legislation. The report urges Congress to replace the “patchwork” of 47 state data breach laws with a single national data breach standard. This federal standard should impose reasonable time periods for notification to data breach victims and minimize interference with law enforcement investigations. The report further recommends that Congress consider prioritizing notification of large, damaging incidents over less significant breaches. Interestingly, the report notes that the national standard should reflect the Administration’s May 2011 Cybersecurity Legislative Proposal, which called not only for a simplified data breach standard, but also for information sharing and critical infrastructure protections – policies that have proven difficult to pass on the Hill.

Extend privacy protections to non-U.S. persons. The report calls on the Office of Management and Budget (“OMB”) to work with executive departments and agencies to apply the Privacy Act of 1974 to non-U.S. citizens, but it leaves the OMB with considerable leeway by asking that it only extend the Privacy Act “where practicable.” Alternatively, the OMB should consider implementing an alternative to the Privacy Act that extends “appropriate and meaningful” privacy protections regardless of nationality. This, too, rings of potential legislation.

Ensure data collected on students in school is used for educational purposes. The report asks the federal government as a whole to better protect the personal information of students, especially when that information is ostensibly collected for educational purposes. Specifically, the report looks to modernizing the Family Educational Rights & Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”), which Congress wrote before the advent of the Internet and mobile technology, respectively. The reports points out that these stalwart frameworks must strike a balance between the benefits of a technology-enhanced education and the increased risk of compromised privacy that the use of technology brings.

Expand technical expertise to stop discrimination. Reflecting one of its more surprising conclusions, the report encourages civil rights and consumer protection agencies to enhance their technical expertise so that they can better identify the disparate impacts that big data can have on protected classes. For example, cities are beginning to use apps to crowdsource which areas are in need of greater public services, like street repairs. The risk, however, is that more impoverished areas whose populations are less likely to own smartphones – and thus use the app – get systematically ignored. Once aware of these kinds of issues, agencies such the Department of Justice, the Federal Trade Commissions, and then Consumer Financial Protection Bureau should then develop strategies to investigate and ultimately resolve these disparate impacts.

Amend the Electronic Communications Privacy Act. Lastly, the report focuses on its final legislative request: amending the Electronic Communications Privacy Act (“ECPA”) to bring it in line with protections provided to physical content. As it stands now, ECPA empowers law enforcement to access – without a warrant – emails that have either been read and stored on remote servers, or unread and remotely stored for more than 180 days. The report emphasizes that Congress should remove these “archaic distinctions between email left unread or over a certain age.”

The White House report proposes a rather lofty wish-list. Many of its policy recommendations are not new but yet have gone unfulfilled for years. Time will tell whether the executive and legislative branches take the report’s recommendations to heart. In the meantime, however, the report is evidence that President Obama is continuing his commitment to tackle the difficult issues posed by the double-edged sword that is our wired world.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Related Posts
Comment Period Extended for NIST SP 800-171 Assessment Guide
December 11, 2017
Key EU Privacy & Cybersecurity Highlights, November 30 – December 6, 2015
December 11, 2015
Privacy-Cybersecurity Weekly News Update November 29- December 4, 2015
December 9, 2015