SIIA Welcomes Administration’s Privacy and Big Data Report; Says Current Regulatory Framework Can Respond to Potential Problems

SIIA today responded to the release of the Administration’s Report on Privacy and Big Data.  SIIA welcomed the report’s assessment that big data provides substantial public benefits and will provide more benefits in the future.  The organization believes the current regulations are adequate to address potential concerns.

As the report recognizes, the collection and analysis of data is leading to better consumer products and services and innovations in healthcare, education, energy, and the delivery of government benefits.  SIIA member companies are driving this innovation by leading the development of techniques for analyzing big data, while also working to safeguard personal data.  We will continue to work with the Administration to promote the responsible use of data to drive innovation, job-creation and economic growth.

The Administration’s work to examine discrimination concerns is extremely important.  It is our view that current law works.  Vigilantly enforced consumer protection and antidiscrimination laws are strong and flexible enough to prevent unfair practices.  Industry efforts are also safeguarding data privacy and preventing discriminatory practices.  Burdensome new legal requirements would only impede data-driven innovation and hurt the ability of U.S. companies to create jobs and drive economic growth.

As recently as three weeks ago the Federal Trade Commission used existing authority under the Fair Credit Reporting Act to bring cases against companies that used data in ways that violated the Act’s consumer protection provisions. Other possible unfair or discriminatory practices in the use of data may already be regulated under other statutes, including Title VII of the Civil Rights Act of 1964, the Equal Credit Opportunity Act, the Fair Housing Act and the Genetic Information Nondiscrimination Act of 2008.

In addition, SIIA is delighted that the report recognized the need to reform the Electronic Communications Privacy Act (ECPA). As users increasingly store email and other communications remotely, it is critical to reform ECPA to establish a warrant requirement for access to these communications, regardless of where they are stored.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

Digital Policy Roundup

Administration Readies Big Data and Privacy Report

The Administration signaled that it would release its long-awaited report on privacy and big data this week. In an interview with AP over the weekend, White House Counselor John Podesta, who has been tasked by President Obama to lead the review effort, indicated that the report will highlight the extraordinary common good benefits of increasingly accurate analytical predictions. It is also likely that the report will focus some attention on big data and discrimination. In anticipation, SIIA posted this blog, noting that current law works to control possible discriminatory uses of data.

Patent Reform, Manager’s Amendment Delayed

The anticipated Monday release of a manager’s amendment for Thursday’s markup has been delayed with the earliest release cited as this evening. Some attribute the delay to a coalition of large patent holders who are contesting crucial provisions. Negotiations will continue – and hopefully be finalized – later today. Any further delay would most certainly mean the Thursday markup will be pushed to next week. As these developments are in a state of flux and liable to change, stay tuned.

Netmundial Internet Governance Conference a Success

The conference, hosted by the Brazilian government in Sao Paulo April 23-24, concluded with an outcome statement on principles to guide Internet governance and a “roadmap” for future Internet governance reform. SIIA welcomed the outcome because the participants supported continued multistakeholder Internet governance, encouraged ICANN to reach out beyond its normal range of stakeholders for advice on the IANA transition, and highlighted the importance of qualified stakeholder participation in meetings. The outcome is non-binding but will feed into other meetings this year such as the ICANN 50 meeting in London June 22-26 (the meeting is open to all who wish to attend, but the registration deadline is May 2), WSIS +10 High Level Event in Geneva June 10-13, and the IGF meeting in Istanbul September 2-5. For the next year or so, Internet governance discussions will be dominated by the question of who will succeed NTIA and Verisign in managing the domain name server system, but there are many other Internet governance issues such as cybersecurity, ISO standards, IVP6, spam, to name just a few, that also require international consideration. Currently, ICANN is requesting input by May 8 on its suggested process for developing a proposal for the IANA transition.

Brazilian President Internet Bill of Rights at Netmundial

In a symbolic gesture, the President of Brazil, Dilma Roussef, signed the bill shortly before delivering opening remarks at the Netmundial conference. The impetus for the bill came as a result of the Snowden revelations, prompting calls to include data localization requirements in the law. However, partly as a result of successful advocacy and partly because of the implementation challenges, data localization was not included. The bill does include a network neutrality mandate, limits on metadata collection, requirements that companies collecting data in Brazil comply with Brazilian law (even if the data is transferred overseas), fines for non-complying companies of up to 10% of revenues of the company in Brazil, and many other features generally designed to enhance individuals’ protection. There is also a provision saying that Internet intermediaries are not liable for content that users post online.

SIIA Comments to FTC on Consumer Score Regulation

In comments to the FTC in response to their workshop on Alternative Scoring Products, SIIA urged the agency to focus consumer score regulation on prevention of actual harm. It is SIIA’s view that the workshop did not reveal evidence of significant unregulated harmful acts or practices that could result from the use of consumer scores. If the need for additional consumer protections is substantiated by compelling evidence, these protections should be undertaken at the stage of usage or implementation, rather than at the stages of data collection or analysis. As an alternative to increased government regulation, companies need to take on a greater role in consumer protection. Such an accountability framework would shift the burden of responsibility for protecting consumers from harm, from the data subject to those entities that engage in collection, analysis and use of such data.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Ohlhausen on Big Data and Consumer Harm

At today’s conference on Privacy Principles in the Era of Massive Data, co-sponsored by the Georgetown University McCourt School of Public Policy and the Georgetown Law Center, Maureen K. Ohlhausen, Commissioner at the Federal Trade Commission, delivered a thoughtful keynote address on The Power of Data.

She emphasized the value of the new computational techniques that arise in the context of data sets that are larger in volume than traditional data sets, that are composed of a greater variety of data types, and that change at a much faster velocity. These characteristics of volume, variety and velocity enable data scientists to generate insights that were previously impossible to anticipate from traditional static data bases.

This unanticipated quality of the new computational techniques challenges traditional notions of privacy protection. For instance, it creates a tension with the traditionally understood privacy principles of notice and purpose specification.  As Commissioner Ohlhausen pointed out succinctly, “…companies cannot give notice at the time of collection for unanticipated uses.”  These novel uses also challenge the idea that data collection should be minimized and data discarded as soon as possible:

“Strictly limiting the collection of data to the particular task currently at hand and disposing of it afterwards would handicap the data scientist’s ability to find new information to address future tasks.”

So what should the FTC do?  The Commissioner approvingly referenced the FTC’s action in the Spokeo case, where the agency fined the company for failure to follow the requirements of the Fair Credit Reporting Act.  Going forward she thinks that the FTC “should use its traditional deception and unfairness authority to stop consumer harms that may arise from the misuse of big data.”

SIIA agrees.  In our recent White Paper and comments filed with the FTC in their consumer scoring workshop we urged the Commission to use its existing powers under the current regulatory regime to bring bad actors to task for failing to follow consumer protection rules.   This can only help the growth of big data analysis by making sure that edge-riders do not tarnish the new computational techniques.

Moreover, the Commissioner thinks that the FTC should continue its convening role in holding workshops to explore “the nature and extent of likely consumer and competitive benefits and risks.”  In this regard, SIIA found the FTC’s March workshop insightful and looks forward to the Commission’s workshop in September on big data and low income and underserved consumers.

As to principles that should govern the FTC’s actions on big data going forward, the Commissioner was clear that the agency “must identify substantial consumer harm before taking action.”  SIIA endorses this idea that only a significant risk of substantial consumer harm justifies new regulatory action.

Ben Wittes from the Brookings Institution, commenting as part of the discussion panel that followed the Commissioner’s talk, echoed this theme of focusing on harm, instead of abstract notions of privacy.  In his view, when data use is outside of the normal social expectations of data use typical of the context in which the data has been collected, agencies should consider regulatory action only when the data use is hostile to the data subject’s interests.  Determining which uses are harmful, then, becomes a primary task for advocates, industry and policymakers.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

Digital Policy Roundup

SIIA Weights in with White House on “Big Data and Privacy”

On Monday, SIIA submitted comments in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of “big data” analytics. SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. Additional inputs for the ongoing Obama Administration big data review process include full day workshops at UC Berkely on April 1st, and NYU on March 17th. The Administration is expected to release the outcome of the 90 day review on April 17th.

Student Data Privacy Legislative Update

Student data privacy bills are pending in a majority of state legislatures, though few have reached the finish line. Most notably, SB 167 was defeated in Georgia, a significantly modified version of NY S6007 was included in the NY State Budget signed into law yesterday, and discussions are ongoing regarding CA SB 1177. SIIA continues to emphasize the need to limit restrictions to “personally identifiable” information, the challenges to schools of parent opt-in/out policies, the important use of meta-data to drive product algorithms, and that one-size requirements on service providers will not work if they fail to address school primary governance in areas such as breach notification, data deletion, and access and correction. Meanwhile, U.S. Senator Markey (MA) indicates continued work toward introducing a bill to amend the Federal Family Educational Rights and Privacy Act (FERPA). SIIA members interested in student privacy should contact SIIA’s Mark Schneiderman.

New School Technology Funding Advances

State and federal initiatives are advancing around technology access, infrastructure and related educator supports. The 2014-2015 New York State Budget signed into law yesterday will authorize up to $2 billion from state bonds to fund school broadband infrastructure and student devices, pending voter approval, with funding distributed on a needs-base formula over the next few years to schools with a state approved technology plan. Equity in technology access was among the SIIA recommendations in testimony 18 months ago to Governor Cuomo’s education reform commission. At the federal level, the FCC issued a second NPRM for the E-rate, calling for comments on their proposed rules, including to prioritize new funding for internal connections including school Wi-Fi, eliminate or phase out voice support, and potentially provide funding eligibility to caching servers and network filtering software. Finally, President Obama’s 2015 Education Budget proposal includes $200-$500 million for a new ConnectEDucators program, which would provide competitive grants for teacher and principal professional development in the improvement of curriculum and instruction through technology.
[Read more...]

Innovative Policies, Developer Content and Data Tools are Key, According to Education Officials at SIIA Mobile Learning Forum

SIIA this week hosted a successful meeting with education policy makers to enhance dialogue with developers of moble learning and other educational technologies. Discussions helped SIIA members better understand how public policies, funding and regulations are impacting their K-20 education customers, and provided education and government officials with an better understanding of the industry’s role, questions and concerns. Among the clear conclusions from SIIA’s Education Government Forum on Mobile Learning: Educators and students are looking increasingly to deveopers and service providers for adaptive, mobile content as well as data analytics as the engines of instruction and the platform for student learning.

The conference agenda included:

  • Keynote presentations from Rich Crandall (Chief, Wyoming Department of Education), Robbie Melton (Tennessee Board of Regents) and Kathleen Styles (CPO, U.S. Department of Education);
  • Review of federal and state K-20 policy trends from both analysts and officials;
  • Discussions about the migration to mobile learning; and
  • Updates on pending regulations and funding shaping the market, includingthe E-rate, student privacy and Common Core State Standards and assessments.

Among the takeaways:

  • Leading educators are turning increasingly to mobile devices to personalize learning and meet student needs anytime/everywere — They are looking to developers for interoperable, adapative and aligned content and tools; and they are looking for flexible public policies to support that innovation including the E-rate.
  • Safeguarding student data privacy and data security are critical — A regulatory framework is now in place, and policy must not get too far ahead of the problem and unintentionally restrict data-driven learning.
  • Common Core State Standards and assessments are moving forward — Implementation is hard work, but educator and public support remains strong as does their need for aligned instructional resources, assssments and data-driven professional development.
  • Costs and quality remain primary concerns in higher education — Public policies are pushing toward an outcomes-based model built around transparency and flexibility, while entrenched interests and undefined competency metrics stand as barriers to reform.

 


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Georgia Student Privacy Act Would be a Barrier to Student Learning

Senate Bill 167 is receiving much debate in Georgia, centered largely on its primary task of pulling the state back off  of the Common Core State Standards (CCSS). But also included in the controversial bill is a Part II, the so-called “Student Right to Privacy Act.” The Georgia House Education Committee met yesterday to consider SB167, and heard from more than 60 passionate educators, parents and business leaders. While the focus was on the CCSS provisions, SIIA (see 2:16:50 of the March 5 video) and a chorus of eduction (e.g., at 1:27:25), social welfare and business leaders spoke up against the privacy regulations. None cited a problem that needed fixing, while all raised concern with the unintended consequences of restrictive regulations that undermine necessary decision making by local administrators and school boards.

SIIA agrees with the need to safeguard student privacy and data security. A strong network of laws and business practices now does so. SIIA agrees with those concerned that Senate Bill 167 may inappropriately and unnecessarily inhibit core educational functions necessary to serve Georgia’s students.

Schools and service providers have policies and procedures in place to limit the use student personal information to legitimate educational purposes, and safeguard student privacy. For example, the federal Family Educational Rights and Privacy Act (FERPA) requires that: (1) personal student information shared with service providers be limited to uses otherwise performed by the school’s own employees; (2) the provider be under direct control of the school; and (3) the information can only be used for educational purposes. And FERPA and COPPA require parental consent if the service provider wants to use or disclose the information for its own commercial purposes. Responding to the calls for additional industry self-regulation, SIIA has released Industry Best Practices as another step to ensure safeguarding of student information.  This network of laws and practices is safeguarding student privacy and data security.

With regard to Senate Bill 167, the scope, scale, complexity and lack of clarity of the bill’s procedural and technical requirements are significant and challenging to address. The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access.  The bill will have a chilling effect.

  1. While providers are working with schools to help them support the personalization of learning, the very broad restrictions on use of all student information for so-called commercial purposes may interfere with desired educational activities. SIIA does not defend the sale of personal student data, and such sale is already prohibited by federal law. But the bill would inhibit the use of student data to improve product efficacy, and to support recommendation engines and other analytics aimed at addressing the unique needs of each student.
  2. The bill is inconsistent in the types of student information regulated and includes narrow, one-size-fits all restrictions on the educational use and sharing of student information, whether personally identifiable or not, including duplicative requirements around testing and cloud computing. This will create barriers to use of information appropriate and necessary for educational purposes, including with subcontractors and school directed partners.
  3. Many breach notification requirements are inconsistent with standard best practices. For example, required notification of all ‘suspected’ breaches could create false-positive user fatigue, diminishing attention to actual breaches. The bill also excludes standard criteria around actual harm such as in the case of encrypted data or inadvertent exposure by educators. And, ironically, the bill would inappropriately require third parties to notify parents of a breach, thus giving them access to personal parental information to which they would/should not otherwise have access.
  4. The bill puts in place a series of escalating and potentially very large financial penalties for violations of sometimes vague requirements, not distinguishing based upon harm, negligence or intent. There appears no opportunity to first correct the violation, or for appeal. This all will provide a disincentive for outside parties to conduct business in Georgia.
  5. The prohibition on student biometric data will restrict appropriate and important educational activities, including for: (1) student identity verification for online learning or device security, and (2) embedded voice and visual diagnostics for language learning and reading comprehension. Some of these require personally identifiable information, while many do not. In all cases, broader practices and laws already ensure student privacy and data security.
  6. Lastly, while these concerns have focused on those directly impacting school service providers, SIIA notes that there are many burdensome requirements on local school systems and institutions.

In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia.

While many of these issues are now best handled by existing federal law, state agency guidance, and local school boards, SIIA will continue to work with policy makers in Georgia and across the country on any identified needs to further ensure privacy protections for all Georgia students.

SIIA Commends U.S. DoED Guidance for Protecting Student Privacy

SIIA commended the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) for today’s release of the guidance document, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.” The guidance includes information related to school implementation of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).

The guidance is consistent with the commitment of SIIA and its member companies to advance the effective use of technology in education and to safeguard student information privacy and ensure data security.  Together with SIIA’s just-released “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services,” the guidance makes clear that all parties – technology providers, schools, students and the government – are working toward the same important goals.

The Department of Education guidance both affirms and reinforces the strong safeguards in current law. It provides an important roadmap that will help make certain educational institutions and service providers continue to appropriately handle student information.

The federal guidance is very consistent with SIIA’s recently-released Best Practices for school service providers. Together, these efforts will ensure that we continue to protect student data and that a strong relationship of trust is built between providers, schools and families.  Importantly, the efforts will help make certain our students continue to have access to leading-edge digital services critical to providing the world class education needed for success in the global economy.

SIIA’s “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services” are available here.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA. Follow the SIIA Education team on Twitter at @SIIAEducation.

Curated By Logo