In a previous post I discussed a presentation given at Strata+Hadoop. Another of the Law, Ethics, and Open Data sessions at Strata+Hadoop that I had a chance to attend was given by two attorneys from a private law practice, Alysa Z. Hutnik and Lauri Mazzuchetti, who talked about Strategies for Avoiding Big Privacy “Don’ts” with Personal Data. I found it very interesting, and you can see their slides here.
They provided the regulatory perspective on personal data, and I must add that lawyers are really good at making you aware of all the ways you can end up in court. Technology is moving so quickly and governmental legislative bodies move so glacially that regulation will likely always lag behind. That doesn't mean that companies are off the hook when it comes to personal data and privacy regulation. I learned that in the absence of specific legislation, governments will find ways to regulate using existing law. In the US, the Federal Trade Commission has taken up the cause of consumer data privacy consistent with its mission to "protect consumers in the commercial sphere" and, according to the speakers, identified three areas that it focused on in 2014:
The FTC is adding the Internet of Things to that list for 2015 with a report released in January titled Internet of Things: Privacy & Security in a Connected World, based on a workshop it held in November 2013. In terms of regulating security and privacy, the FTC states in the report that it will "continue to use our existing tools to ensure that IoT companies continue to consider security and privacy issues as they develop new devices." When the FTC refers to its "existing tools", it means enforcement of "...the FTC Act, the FCRA, the health breach notification provisions of the HI-TECH Act, the Children’s Online Privacy Protection Act, and other laws that might apply to the IoT." The report also said that "...staff will recommend that the Commission use its authority to take action against any actors it has reason to believe are in violation of these laws." It's clear that the industry cannot put its head in the sand by overlooking or ignoring privacy concerns.
The speakers made a good case for considering the legal implications when working with personal data, and they made some recommendations.
I won't cover all of their recommendations, but there are lessons here that we can apply as we build out big data applications.