On February 5 the White House big data and privacy working group released an “Interim Progress Report” (hereinafter “the Interim Report”) summarizing its “progress in furthering the majority of the recommendations made” in its May’s 2014 report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “the Big Data Report”), discussed here. The Big Data Report followed President Obama’s call “to explore how [big data is] changing our economy, our government, and our society,” and its “implications on personal privacy.”   While much of The Big Data Report emphasized the societal benefits of big data (e.g., improving the economy, education, health and energy efficiency), the working group found that “absent strong social norms and a responsive policy and legal framework,” personal privacy may be difficult to protect with technological advances alone.   To that end, the Big Data Report recommended 6 policy initiatives “deserving prompt action:”
  • Advance the Consumer Privacy Bill of Rights (“CPBR”), a framework that the White House first proposed in 2012 to give consumers greater control over the collection and use of their personal information by businesses and other organizations;
  • Pass National Data Breach Legislation, to provide a single national data breach standard;
  • Ensure Data Collected on Students in Schools is used for Educational Purposes;
  • Expand Technical Expertise to Stop Discriminatory Impacts (resulting from big data analytics);
  • Extend Privacy Protections to non-U.S. Persons; and
  • Amend the Electronic Communications Privacy Act (and, by extension, the Stored Communications Act), in order to bring the 1986 statute in line with the rapid growth of technology and the prevalence of email communications and digital storage.  For example, the statute currently permits warrantless searches of email stored on a service provider’s system for more than 180 days.
The Interim Report claims that the Administration has made “significant progress” on “most of the recommendations.”  The Interim Report points to the Department of Commerce’s efforts to advance the CPBR by seeking public comments “on big data developments” in order to craft legislation.  According to Interim Report, draft legislative language of the CPBR will be released this month.   The report also highlights President Obama’s January 2015 “single national standard” data breach legislation, the “Personal Data Notification and Protection Act,” as well as his “Student Digital Privacy Act,”  which, is modeled on a California statute, and seeks to ensure “that data collected in the educational context is used only for educational [not commercial] purposes.” One significant conclusion of the Big Data Report was that big data analytics “leaves room for subtle and not-so-subtle forms of discrimination in pricing, services, and opportunities” although it also recognized that consumers benefit from “more tailored opportunities to purchase goods and services.”  Following the Big Data Report, the White House Counsel of Economic Advisors conducted a study to determine if and how companies can use big data to offer different prices to different consumers (a practice known as “differential pricing.”)  And, on the same day the White House released its Interim Report, it released a report entitled “Big Data and Differential Pricing.”  The “Differential Pricing” Report also discusses the potential benefits and downsides of differential pricing.  But, the Differential Pricing Report concludes, among other things, that “whether differential pricing helps or harms the average consumer depends on how and where it is used.” On the international front, efforts to extend privacy protections to non-U.S. persons include seeking legislation that would give EU citizens some of the same rights of judicial redress as U.S. citizens have under the Privacy Act of 1974.  The Office of Management and Budget is “also actively working” to “extend other privacy protections to non-U.S. citizens,” according to the Interim Report. While the authors note that White House “[p]olicy development remains actively underway,” they blame any lack of progress on Congress and big data stakeholders.  For example, they cite “little progress” on Congressional efforts to amend ECPA “to ensure the standard of protection for on-line, digital content is consistent with that afforded in the physical world.”   The authors also claim that the Administration is “disappointed” that big data stakeholders have failed to move forward with developing a voluntary “Do Not Track” standard to protect consumers “regardless of browser preference or operating system.” Despite the White House’s apparent frustration, the 114th Congress has seen a flurry of activity to address some of the legislative goals shared by the Executive Branch.  For instance, data security and breach notification bills have already been introduced in both chambers of Congress.  Shortly after President Obama’s call for a national data breach standard, Sen. Ben Nelson (D-FL) introduced the Data Security and Breach Notification Act of 2015 in the Senate in mid-January, while Rep. Joe Barton (R-TX) and Rep. Bobby Rush (D-IL) proposed the Data Accountability and Trust Act in the House of Representatives just a few weeks later.  Moreover, a bipartisan and bicameral group led by Sen. Pat Leahy (D-VT) announced on February 4 their plans to put forward a bill to amend the ECPA.  Though these bills and other legislative efforts are in the early stages of committee review and markup,  these  actions indicate that privacy and security is also at the top of Congress’s agenda. The interim Report also mentions that the White House will host a cybersecurity and consumer protection summit at Stanford University this Friday, February 13th, that “will bring together major stakeholders on cybersecurity and consumer financial protection issues from the public and private sectors.”  While the White House has yet to give detailed information about what topics the summit will cover, every company that handles consumer financial data or has cybersecurity infrastructure concerns should pay close attention to the results of the White House’s summit next week. In advance of the summit, President Obama’s homeland security and counterterrorism advisor, Lisa Monaco, yesterday announced the creation of a new intelligence unit to coordinate analysis of cyberthreats.  Calling the cyberattack on Sony, a “game changer,” Monaco said that the new agency, the Cyber Threat Intelligence Information Center, is being established because “no single government entity is [currently] responsible for producing coordinated cyber threat assessments,” and “is intended to fill the gaps.”