Kate M. Growley

On May 1, 2014, the White House released a much-anticipated report on how both government and private industry can maximize the benefits of “big data” while minimizing its risks. The report, whose preparation was led by White House counsel John Podesta, evolved from President Obama’s deliberation over surveillance reforms. As such, it is part of the Administration’s continued efforts to accommodate shifting technological developments and its effect on individual freedoms.

Central to the report is its six policy recommendations, each of which could result in legislative action:

Advance the Consumer Privacy Bill of Rights. The report recommends that the Department of Commerce take two steps in implementing the Consumer Privacy Bill of Rights, which was first introduced by the President two years ago and focuses on increased notice, choice, and transparency in how consumer information is collected, used, and stored. According to the report, the Commerce Department should consult both stakeholders and the public on how big data may affect the Bill of Rights at it was originally conceived. With this feedback in mind, the Department should then draft legislative text for further comment and eventually the President’s submission to Congress.

Pass national data breach legislation. The report urges Congress to replace the “patchwork” of 47 state data breach laws with a single national data breach standard. This federal standard should impose reasonable time periods for notification to data breach victims and minimize interference with law enforcement investigations. The report further recommends that Congress consider prioritizing notification of large, damaging incidents over less significant breaches. Interestingly, the report notes that the national standard should reflect the Administration’s May 2011 Cybersecurity Legislative Proposal, which called not only for a simplified data breach standard, but also for information sharing and critical infrastructure protections – policies that have proven difficult to pass on the Hill.

Extend privacy protections to non-U.S. persons. The report calls on the Office of Management and Budget (“OMB”) to work with executive departments and agencies to apply the Privacy Act of 1974 to non-U.S. citizens, but it leaves the OMB with considerable leeway by asking that it only extend the Privacy Act “where practicable.” Alternatively, the OMB should consider implementing an alternative to the Privacy Act that extends “appropriate and meaningful” privacy protections regardless of nationality. This, too, rings of potential legislation.

Ensure data collected on students in school is used for educational purposes. The report asks the federal government as a whole to better protect the personal information of students, especially when that information is ostensibly collected for educational purposes. Specifically, the report looks to modernizing the Family Educational Rights & Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act (“COPPA”), which Congress wrote before the advent of the Internet and mobile technology, respectively. The reports points out that these stalwart frameworks must strike a balance between the benefits of a technology-enhanced education and the increased risk of compromised privacy that the use of technology brings.

Expand technical expertise to stop discrimination. Reflecting one of its more surprising conclusions, the report encourages civil rights and consumer protection agencies to enhance their technical expertise so that they can better identify the disparate impacts that big data can have on protected classes. For example, cities are beginning to use apps to crowdsource which areas are in need of greater public services, like street repairs. The risk, however, is that more impoverished areas whose populations are less likely to own smartphones – and thus use the app – get systematically ignored. Once aware of these kinds of issues, agencies such the Department of Justice, the Federal Trade Commissions, and then Consumer Financial Protection Bureau should then develop strategies to investigate and ultimately resolve these disparate impacts.

Amend the Electronic Communications Privacy Act. Lastly, the report focuses on its final legislative request: amending the Electronic Communications Privacy Act (“ECPA”) to bring it in line with protections provided to physical content. As it stands now, ECPA empowers law enforcement to access – without a warrant – emails that have either been read and stored on remote servers, or unread and remotely stored for more than 180 days. The report emphasizes that Congress should remove these “archaic distinctions between email left unread or over a certain age.”

The White House report proposes a rather lofty wish-list. Many of its policy recommendations are not new but yet have gone unfulfilled for years. Time will tell whether the executive and legislative branches take the report’s recommendations to heart. In the meantime, however, the report is evidence that President Obama is continuing his commitment to tackle the difficult issues posed by the double-edged sword that is our wired world.