In conjunction with the White House’s comprehensive review of big-data and privacy issues that resulted in a 79-page report, last week the President’s Council of Advisors on Science and Technology (“PCAST”) released a parallel big-data report. The White House report is more general and contains six major policy recommendations, whereas the PCAST report, authored by an outside panel of counselors, was designed to provide a technical evaluation by examining the practical specifics of how big data and related technologies are actually used. Many observations and recommendations in the PCAST report are consistent with those presented in the White House report. The PCAST report, however, has been praised for its candor and for appearing to be more clear, even bold, in advocating particular positions on key issues. For example, in recommending a transition away from “notice and consent” — described in the White House report as a “central pillar” of the U.S. privacy legal system — and towards a “use” framework, the PCAST report states: “Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.”
Much of the support for a use system is rooted in its advantages of shifting responsibility from individuals to the entities that collect, maintain, and use data, while also holding data users accountable for how they manage data and any harms caused, rather than narrowly defining their responsibility as whether consent is properly obtained at the time of collection. In this way both reports serve to refocus the policy discussion on how data is used rather than how it is collected, but the PCAST report provides stronger directives, for instance stating in its opening letter, “PCAST recommends that policy focus primarily on whether specific uses of information about people affect privacy adversely. It also recommends that policy focus on outcomes, on the ‘what’ rather than the ‘how,’ to avoid becoming obsolete as technology advances.” In its broadest terms, the PCAST report makes the following five recommendations:
- Focus policy attention on the actual uses of big data and less on its collection and analysis: “By actual uses, we mean the specific events where something happens that can cause an adverse consequence or harm to an individual or class of individuals.”
- To avoid falling behind technology, policies and regulation at all levels of government should not embed particular technological solutions by prescribing the mechanism, but rather should be stated in terms of purpose and intended outcomes.
- Strengthen U.S. research and funding for privacy‐related technologies and in relevant areas of social science that inform the successful application of those technologies to balance the preservation and protection of privacy with economic opportunity and national priorities.
- Encourage increased education and training opportunities for privacy protection, including career paths for professionals, such as digital‐privacy experts both in the software-development and technical-management sectors.
- The United States should take charge both internationally and domestically by adopting policies that stimulate the use of existing practical privacy protecting technologies: “PCAST is not aware of more effective innovation or strategies being developed abroad; rather, some countries seem inclined to pursue what PCAST believes to be blind alleys.” There are leadership opportunities both in convening power (e.g., promoting the creation and adoption of standards) and by procurement practices (e.g., using privacy preserving cloud services).