  • April 20, 2015

Big Data Privacy and the Law

Wes Prichard
Senior Director Industry Solution Architecture

In a previous post I discussed a presentation given at Strata+Hadoop. Another one of the Law, Ethics, and Open Data sessions at Strata+Hadoop that I had a chance to attend was by two attorneys, Alysa Z. Hutnik and Lauri Mazzuchetti, from a private law practice talking about Strategies for Avoiding Big Privacy “Don’ts” with Personal Data. I found it very interesting and you can see their slides here.

They provided the regulatory perspective on personal data and I must add that lawyers are really good at making you aware of all the ways you can end up in court. Technology is moving so quickly and governmental legislative bodies move so glacially that regulation will likely always lag behind. That doesn't mean that companies are off the hook when it comes to personal data and privacy regulation. I learned that in the absence of specific legislation, governments will find ways to regulate using existing law. In the US, the Federal Trade Commission has taken up the cause of consumer data privacy consistent with their mission to "protect consumers in the commercial sphere" and, according to the speakers, identified three areas that it focused on in 2014:

  • Big data
  • Mobile technology
  • Protecting sensitive information

The FTC is adding the Internet of Things to that list for 2015 with a report released in January, titled Internet of Things: Privacy & Security in a Connected World, based on a workshop they held in November 2013. In terms of regulating security and privacy, the FTC states in the report that it will "continue to use our existing tools to ensure that IoT companies continue to consider security and privacy issues as they develop new devices." When the FTC refers to its "existing tools", it means enforcement of "...the FTC Act, the FCRA, the health breach notification provisions of the HI-TECH Act, the Children’s Online Privacy Protection Act, and other laws that might apply to the IoT." The report also said that "...staff will recommend that the Commission use its authority to take action against any actors it has reason to believe are in violation of these laws." It's clear that the industry cannot put its head in the sand by overlooking or ignoring privacy concerns.

The speakers made a good case for considering the legal implications when working with personal data and they made some recommendations.

  • Think privacy from the start by designing-in privacy and security. Suggested methods include limiting data, de-identifying data, securely storing retained data, restricting access to data, and safely disposing of data that is no longer needed.
  • Empower consumer choice. In apps, give users tools that enable choice, make it easy to find and use those tools, and honor the user's choices.
  • Regularly reassess your data collection practices. Consider your purpose in collecting the data, the retention period, third-party access, and the ability to make a personally identifiable profile of users.
  • Be transparent. Do not hide or misrepresent what data you are collecting and what you are doing with that data. Be open about third-party access to your data, including what happens after termination and/or deletion of user accounts.
  • Platform providers should provide frequent and prominent disclosures using just-in-time principles and also by providing a holistic view of data collection. Also, consumers should be able to easily contact providers and there should be a process for responding to consumer concerns. Providers also need to find ways to effectively educate users about privacy settings.

I won't cover all of their recommendations but there are lessons here that we can apply as we build out big data applications.
