On Thursday, the White House Big Data Working Group, led by senior presidential advisor John Podesta, released a 79-page report that outlines a number of key observations and recommendations for privacy in both the private sector and government.  Although the report does not create binding law, it provides insight into the administration’s  priorities on a wide range of privacy and data security issues, from government surveillance to data breaches.  Below are some of the most important themes to emerge from this report.

1. Data Use vs. Data Collection:  Many existing U.S. privacy laws and regulations focus on the collection of data.  The White House report appears to recognize that collection is increasing at an exponential pace, and suggests that the public is better served by restrictions on the use and dissemination of personal information. 

2. Notice and Consent.  Another pillar of the U.S. privacy legal system has long been “notice and consent.” Under this model, organizations describe their data collection practices, typically  in a very lengthy privacy policy, and require users to consent, often by checking a box.  The Podesta report questions whether, in light of the ubiquity and complexity of Big Data, the notice-and-consent model is useful or even possible.

3. De-identification:  The report also questions whether it is useful to de-identify personal data after collection.  The report recognizes that de-identification strips data of its value, and that evolving technologies allow data controllers to re-identify the information.

4. Digital Discrimination:  Focusing on the use of information, Podesta’s group appears particularly concerned about the use of Big Data to discriminate against certain groups. For instance, the group cites recent reports that some retailers offered higher discounts to customers who they believed live in higher-income neighborhoods.  The group writes that “the ability to segment the population and to stratify consumer experiences so seamlessly as to be almost undetectable demands greater review, especially when it comes to the practice of differential pricing and other potentially discriminatory practices.”

5. Healthcare and Big Data.  The report recognizes the tremendous value of using big data for predictive healthcare analysis (i.e., given an individual’s health characteristics, what are the risks of certain diseases?).  The Podesta report concludes that the existing healthcare privacy laws, including the Health Insurance Portability and Accountability Act, may not adequately allow such analytics or protect individual privacy.

6. Predictive Analytics and Law Enforcement.  The report acknowledges law enforcement agencies’ increasing use of Big Data to conduct criminal investigations.  But the authors recognize that the “presence and persistence of authority, and the reasonable belief that one’s activities, movements, and personal affiliations are being monitored by law enforcement, can have a chilling effect on rights of free speech and association.” 

7. Education.  The Podesta report recognizes that Big Data creates tremendous opportunities for innovative approaches to education, such as Massive Open Online Courses.  But the report also warns that schools must ensure that student data gathered for educational purposes is not misused.  

8. Do-Not-Track.  The working group appears skeptical about the benefits of “Do-Not-Track,” which would enable users to prevent the tracking of their activities across websites.  The working group notes that “anti-fraud and online security activities now rely on these same data flows to track and prevent malicious activity.”

9. Data Brokers.  The working group sharply criticizes data brokers.   The report notes that data brokers are unregulated, even though their information is often used in the same way as data provided by regulated industries, such as credit rating agencies.  The working group notes that “there is often no meaningful avenue for either identifying harms or holding any entity in the decision-making chain accountable.”  Some members of Congress already are attempting to regulate the growing data broker industry. 

10. National Data Breach Notification Law.  The working group criticizes the “patchwork” of 47 state laws that set different standards for notifying individuals about data breaches.  The report calls for a uniform national data breach notification law that “should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.”