On August 14, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) submitted its response to the National Telecommunications and Information Administration’s (“NTIA’s”) request for public comment on big data and consumer privacy issues. The NTIA’s request, which follows the White House’s recent study of big data, the May 2014 Big Data Report, and the associated President’s Council of Advisors on Science and Technology Report, seeks further public input on how big data impacts the Consumer Privacy Bill of Rights, and whether the Consumer Privacy Bill of Rights should be modified to contemplate big data.

In its submission, the Centre recommends clarifying or modifying the principles of “individual control” and organizational “accountability” in the Consumer Privacy Bill of Rights to better reflect the opportunities and challenges associated with big data. While the principle of “individual control” should continue to encompass notice and consent where appropriate, it should evolve into a broader “focus on the individual” that includes additional protections for situations where consent is impractical, impossible or illusory, as is increasingly the case in the big data context. Further, the principle of “accountability” should be amended to recognize these additional protections as integral components of organizational accountability.

Such additional protections focused on the individual include the “risk-based approach” to privacy and the concept of “legitimate interest” found in EU privacy law. Including these two concepts also would improve the viability and effectiveness of self-regulatory and co-regulatory efforts to implement the Privacy Bill of Rights.

The Risk-Based Approach

The risk-based approach to privacy involves organizations undertaking risk assessments of their proposed data processing to understand the potential impacts of such processing on individuals. Although such risk assessments should be performed in connection with all data processing, they are particularly well-suited to facilitate sound decisionmaking regarding data use in the big data context when individuals may not be in a position to exercise individual control.

Risk assessments allow organizations to identify and quantify the possible risks and harms associated with their proposed data processing, devise appropriate mitigations and controls, and then make decisions about whether and how to proceed with processing in light of any residual harms and the countervailing benefits that would flow from the processing. As such, risk assessments shift the burden of privacy protections to the organizations (and away from individuals) in contexts where individual control and consent would be impracticable or impossible.

Risk assessments also allow organizations to prioritize their privacy controls and resources to reflect the likelihood and potential severity of harm, thereby contributing to the overall effectiveness of privacy protections. De-identification of data is an important risk mitigation mechanism in this context, but it should be employed with additional appropriate safeguards to ensure its effectiveness.

In its submission, the Centre notes its Privacy Risk Framework Project, an ongoing multiyear project on the risk-based approach to privacy. The project seeks to develop a comprehensive privacy risk framework as well as consensus on what is meant by privacy harms, how to quantify and mitigate privacy harms, and how to weigh residual harms against countervailing benefits.

Legitimate Interest

The Centre notes that even the more restrictive European privacy law regime includes a concept that allows for data processing where consent is not feasible (the “legitimate interest” ground). Processing for “legitimate interests” is closely related to the risk-based approach and should be included in the Privacy Bill of Rights. The legitimate interest ground permits organizations to collect, use or share information when it is in their legitimate interest to do so and the collection, use or sharing does not prejudice individuals’ rights and freedoms.

The test for whether an organization may process data on the basis of its “legitimate interest” includes consideration of the impacts of the proposed processing on the individual, and balancing the respective rights and interests of the organization and the individual. The Centre explains that the legitimate interest analysis:

  • Facilitates data collection, use, sharing and disclosure where consent is not feasible, practicable or effective;
  • Enables new uses of information beyond the original purposes stated at the time of collection, provided there is no harm to consumers;
  • Is consistent with the responsible use model and the accountability principle pursuant to which organizations implement safeguards in the entire lifecycle of information; and
  • Ensures the protection of individuals’ privacy, while allowing organizations to pursue the benefits of new technologies, products and services.

According to the Centre, including the risk-based approach to privacy and a “legitimate interest” provision would make the Privacy Bill of Rights more technology neutral, and ensure its continued relevance in the face of constant technological innovation and change.