The Administration has released its long-awaited, review of Big Data — a report from the Executive Office of the President on the phenomenon of large-scale data collection and analysis. The review was accompanied by a blog post (apparently, this is now the official form of Executive communication, instead of a formal press release) from Counselor John Podesta, who chaired the group writing the report.
My first instinct, on reading the report, was to think that it was “all hat and no cattle” as they say in Texas — long on description and short on innovation. Which is not to say that, even at that level, the report is valueless. To the contrary, it collects, in one place, an excellent summary of the state of Big Data today, along with a scoping of the legal and policy issues that lurk behind the Big Data revolution. For those unfamiliar with the scale of data collection today it is a worthwhile read (I plan, for example, to assign it to my students). The report does, therefore, two useful things, even on these limited terms:
- It makes clear that the “volume, variety, and velocity” of data collection is increasing, and that the technological trend is unstoppable; and
- It clearly takes the position that Big Data analytics have utility — both to governments and to the private sector. Since that is a proposition I have heard some contest, it is useful for the Administration to have taken a side.
But further reading suggests that there was more cattle in the Report than at first appears. Most notably, and most welcome, the Report leans heavily on the idea of “responsible use” — that is the conception that instead of focusing privacy-protection efforts on anti-collection rules you focus on rules relating to use, and manage that aspect of the Big Data problem. Since collection limitations are becoming technologically impossible to maintain; and since they fundamentally destroy the value of big data aggregation they are likely to be long-term mistakes if implemented. As the Report says, quoting the President’s Council of Advisors for Science & Technology, “The [idea of] notice and consent [as a limit on collection] is defeated by exactly the positive benefits that big data enables: new, non–obvious, unexpectedly powerful uses of data.” Since the need to focus on use case scenarios (or, as I sometimes like to call “consequences”) is one that has been apparent for some time, the acknowledgment at the Presidential level is most welcome.
Where the Report falls down most, in my judgment, is in its perpetual “on the one hand; on the other” nature. I counted at least 5 uses of the word “profound” to describe the challenges faced in squaring the circle of new technology and continuing privacy and anti-discrimination values. It would have been useful, in my view, to both recognize that Big Data works a fundamental change in how we do business (as the Report did) and then to set about the task of crafting a new set of rules that reflect that fundamental change. But the Report’s recommendations shy away from the implications of its analysis and are decidedly small bore. After describing the sea-change that is coming in data analysis, the six concrete policy recommendations were:
Advance the Consumer Privacy Bill of Rights. Consumers deserve clear, understandable, reasonable standards for how their personal information is used in the big data era. We recommend the Department of Commerce take appropriate consultative steps to seek stakeholder and public comment on what changes, if any, are needed to the Consumer Privacy Bill of Rights, first proposed by the President in 2012, and to prepare draft legislative text for consideration by stakeholders and submission by the President to Congress.
Pass National Data Breach Legislation. Big data technologies make it possible to store significantly more data, and further derive intimate insights into a person’s character, habits, preferences, and activities. That makes the potential impacts of data breaches at businesses or other organizations even more serious. A patchwork of state laws currently governs requirements for reporting data breaches. Congress should pass legislation that provides for a single national data breach standard, along the lines of the Administration’s 2011 Cybersecurity legislative proposal.
Extend Privacy Protections to non-U.S. Persons. Privacy is a worldwide value that should be reflected in how the federal government handles personally identifiable information about non-U.S. citizens. The Office of Management and Budget should work with departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person’s nationality.
Ensure Data Collected on Students in School is used for Educational Purposes. Big data and other technological innovations, including new online course platforms that provide students real time feedback, promise to transform education by personalizing learning. At the same time, the federal government must ensure educational data linked to individual students gathered in school is used for educational purposes, and protect students against their data being shared or used inappropriately.
Expand Technical Expertise to Stop Discrimination. The detailed personal profiles held about many consumers, combined with automated, algorithm-driven decision-making, could lead—intentionally or inadvertently—to discriminatory outcomes, or what some are already calling “digital redlining.” The federal government’s lead civil rights and consumer protection agencies should expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law.
Amend the Electronic Communications Privacy Act. The laws that govern protections afforded to our communications were written before email, the internet, and cloud computing came into wide use. Congress should amend ECPA to ensure the standard of protection for online, digital content is consistent with that afforded in the physical world—including by removing archaic distinctions between email left unread or over a certain age.
On the whole then, a worthwhile report, but not a “home run” in analysis.