May 2014, the Executive Office of the United States (Executive Office of the President) released the 2014 global "Big Data" white Paper – Big Data: Seize the opportunity, Guardian value (Bigdata:seize opportunities, Preserving Values) (hereinafter referred to as "white Paper"), the United States of large data application and management of the status quo, policy framework and improvement proposals are focused on. Judging from the value judgment represented in the white Paper, the American government sees the important data as the innovation impetus brought by the economic and social development, and deals with the problem-solving attitude to the conflict that may arise with the privacy right. From the point of view of concrete measures, citing the independent report "Big Data and personal privacy: A technical perspective", the white paper cites the President's Committee on Science and Technology Advisory Council (hereinafter referred to as "pcast") to suggest that the original "' informing and agreeing ' framework has been defeated by the positive benefits of large data", Should be adjusted according to the characteristics of the age of large data.
Background on the introduction of the white Paper
The value controversy of the development of large data technology and the protection of privacy is long-standing, which is mainly embodied in the difference of policy orientations between the United States and EU in the international scope. In the EU, personal data is considered more protective, so the EU and its member States have strict personal data protection legislation. The main implementing agencies for personal data protection include: the European Court of Justice, the final arbiter of EU law, including data protection law, and the EU Data Protection Commissioner (EDPS), which oversees EU institutions ' compliance with data protection laws, while having a significant impact on EU-level data protection policy formulation; 29th Working Group, the The EU Data Protection Directive 29th provides for the establishment of a "Working group for the Protection of individuals in personal data processing", generally referred to as "Working Group 29th", the 31st Committee comprising representatives of EU member Governments, and other institutions such as the European Network and Information Security Agency (ENISA).
The European Union has imposed strict penalties for violations of personal data, including injunctive relief, the inspection and investigation of corporate workplaces and data-processing facilities, a large amount of fines, and penalties for criminal liability for extraordinary offences. In addition, the EU data protection Agency will expose companies that violate personal data to increase disciplinary strength. In recent years, EU officials have said that U.S. companies such as Google, Apple and other search engines and mobile device service providers through the provision of services illegally acquired, infringing the personal data of citizens, has repeatedly expressed the need to strengthen the supervision of the relevant enterprises. Companies such as Google and Apple are also lobbying public relations with EU lawmakers to mitigate possible enforcement pressure.
In contrast, the US government is more likely to use large data technology to promote economic and social development in the United States, between large data technology and privacy protection, in order to maintain the leading position of the U.S. in the relevant fields. At the same time, the US government wants to address the issue of privacy protection with improved policy frameworks and legal rules. Since the development and application of large data technology will pose a serious challenge to privacy protection, the more we want to encourage wider and more scientific application of large data technology, the more we should strengthen the protection of citizen's privacy rights through policy, law and technology. As the white paper notes, "Big data is changing the world, but it has not changed the firm faith of Americans to protect their privacy, to ensure fairness or to prevent discrimination." "In this context, the United States Government has introduced the White Paper and other series of documents, the United States government has elaborated a large data strategy, and policy and related legislation to build its basic framework for privacy protection."
Ii. the "Big Data Age"
For "Big Data", the white paper does not give a strict definition, but points out that its connotation will change with the innovation of technology and industry. As a reference, other definitions reflect the growing technical ability to capture, aggregate, and process data, which continues to grow in number, speed, and type. The data sets of large data are "large, diverse, complex, deep and/or distributed, with a collection of data from various instruments, sensors, online transactions, e-mail, video, click Streams, and now with all available digital sources in the future." According to Pcast's independent report, the real novelty and difference of "big data" lie in "4V" – Data Volume (Volume), timeliness (Velocity), variability (produced), suspicious (veracity), unlike traditional data collection and analysis models, "Big Data" Acquisition is based on new sensors and other data acquisition technology. From the network application, wearable technology to monitoring vital signs and other characteristics of the detection equipment, low-cost and efficient data acquisition to bring the volume of the explosion. The data format is also more diverse, and the so-called "natural analog" signals can also be converted into digital format (so-called "natural simulation", that is born to simulate the form of signal information.) The analog signal is mainly a continuous signal relative to the discrete digital signal. Analog signals are distributed in every corner of the nature, such as changes in temperature every day. The information transmission technology and the super computer system make the data high-speed analysis possible. "Big Data" for the financial industry, health care industry and other social sectors, as well as national security, social intervention and other aspects of the great changes, so that the value of data resources multiplied.
The biggest problem with big data is the availability of data and the limits of its use. The concrete manifestation is: The data collection becomes ubiquitous, the actor is difficult to realize, the collection main body informs the duty to be difficult to monitor effectively, the data processing specialization, the diversification enhancement, the behavior person is difficult to control own data application situation, the original data storage way is challenged, the data leakage risk increases The disclosure of large data resources and the sharing of claims and privacy contradictions and so on. In this respect, the United States, on the basis of the original privacy Policy and law, through the introduction and amendment of legislation, put forward policy propositions, play the role of industry self-discipline, build a more perfect and unique privacy protection system under the large data environment.
Iii. the challenge of "privacy"
The right of privacy in the United States is embodied in the Fourth Amendment in the Constitution, which protects the "People's personal, dwelling, documents and property from unreasonable search and seizure". As the first part of the Pcast independent report points out, the legal concept of "privacy" has undergone a process of discovery and evolution in American history. From a legal point of view, the right to privacy in the United States law mainly includes:
(1) Individual citizens keep secrets or seek hidden rights. The right was originally proposed by Brandeis (Brandeis) in the Olmsteadv.unitedstates case in 1928. In this case, Olmstead was arrested for making a private brew, accusing him of criminal evidence of eavesdropping evidence, the Supreme Court eventually concluded that this means of collecting evidence without the fourth and fifth constitutional amendments, can be legally used. But the dissenting chancellor, Judge Brandy, argues that citizens have a "right to be undisturbed" and a classic assertion of privacy. The case aroused extensive discussion in American society and had far-reaching implications. In the case of Katzv.unitedstates, which was similar to the case in 1967, the Supreme Court found that the evidence obtained by means of eavesdropping violated the privacy rights of citizens and was revoked. The right of a citizen to keep secret or to seek concealment is not only confirmed, but also extends from residence to all private conversation and communication processes.
(2) The right of individual citizens to express themselves anonymously, especially in the field of political opinion. In the Mclntyrev.ohioelectioncommission case, the Supreme Court of the United States overturned the Ohio law prohibiting the anonymous distribution of campaign publications, stating that the right to anonymous expression is essential to the Constitution of the United States, and that it is incorporated into American history as an important tradition of the United States.
(3) control the ability of others to access such information after private information has been detached from its exclusive ownership. For example, the "Fair Trade Practice principle" of the Federal Trade Commission is presented in detail as described in section IV below.
(4) Stop certain negative results that use private information from citizens. For example, employment discrimination based on DNA information was banned in the 2008 Genetic Information Non-discrimination Act.
(5) The right of individuals to make private decisions without interference from the government. Mainly include the area of personal health, fertility and sexual life.
The Pcast independent report states that there are conflicts between privacy and large data applications in the five areas mentioned above, and that such conflicts will continue to occur. The cause of this conflict, the data collection technology of large data makes individual citizens lose the effective control of private information, and the protection of rights is greatly weakened; data that did not involve personal information can be obtained through large data analysis techniques, which makes it difficult for citizens to perceive and respond effectively.
Notably, since 2010, the Obama administration has embarked on a "My Big data" plan to make it easier for Americans to access their personal data. Mainly includes: "Blue button" program that allows consumers to access their health information and exchange information with the provider, "Create a copy" program that allows taxpayers to obtain their own complete tax records and other information data; "My student data" empowers consumers to inquire about financial information such as their own grants. Through the plan, the Obama administration advocates open transparency of public data and enables citizens to access their own data. While this can facilitate public life and improve government governance, it may lead to a wider range of information leaks and illegal use in large data technology environments.
In addition, the report analyses the main actors involved in large data: Government, business and citizens. Governments have a monopoly of power and lack of competitors, so there is no incentive to improve technology to protect the privacy of citizens. In some cases, the government's need for law enforcement may even be a reason for violating the privacy of citizens. Enterprises can obtain economic benefits from large data, although it may face the risk of infringement penalty, but this is insignificant at present, so enterprises have violated the power of privacy of citizens. There are only citizens who have enough power to protect their privacy. The White paper pointed out that the development of large data itself is an asymmetric process, citizens because of technical conditions and limited knowledge level constraints, do not have enough to protect their own data privacy ability. In this asymmetrical era, there is a great disparity between the citizen's right of privacy protection and the infringement power of the market subject, and the definition of "right of privacy" and the protection way are challenged.
Four, the original data application of privacy protection system
The legal framework for protecting privacy interests in the United States covers the constitutional, federal, and state levels. Initially, the United States privacy protection is mainly aimed at the public power to the civil rights of privacy infringement, the 1934 "Restatement of Tort Law" will be no justification for serious violations of personal privacy as a civil action. The data privacy problem brought by the development of computer technology first entered public view in 1973. The United States Department of Health, Education and Welfare issued a report entitled "Recording, Computer and civil Rights" (Records,computers,andtherightsofcitizens), analysing "the possible adverse consequences of automated personal Data Systems" and presenting a widely known "Fair Information Practice Law" (fairinformationpracticeprinciples, abbreviated as Fipps), becomes the cornerstone of data protection system. The law provides that individuals have the right to know what information is collected about him and how it is used, that individuals have the right to reject certain information for use and to correct inaccurate information, and that information-gathering organizations have an obligation to ensure the reliability of information and to protect information security. These elements are the basis of the Privacy Act of 1974 and are accepted by other countries and international organizations.
In the the 1980s, the United States, according to industry characteristics, specifically developed industry privacy laws, to the tort based on customary law to provide a supplement:
(1) Financial sector: The Financial Privacy Act (THERIGHTTOFINANCIALPRIVACYACT,RFPA), which restricts the disclosure of financial records by bank employees and the way in which the federal legislature obtains personal financial records; the modernization of Financial Services Act (FinancialServicesModernizationActof1999) requires financial institutions to respect the privacy of clients and to protect the security and confidentiality of non-public information;
(2) Insurance field: The health Insurance Privacy and Responsibility Act (THEHEALTHINSURANCEPORTABILITYANDACCOUNTABILITYACTOF1996,HIPAA), which stipulates that personal health information can only be specified, The explicit subject use and disclosure in the bill, the individual can control to understand his own health information, but must follow certain procedure standard;
(3) Television field: The Wired Communication Privacy Act (cablecommunicationpolicyact) prohibits CCTV operators from collecting user's personal information using a wired system without prior consent of the user; Television Privacy Protection Act (CableTVPrivacyActof1984) to extend the scope of privacy protection to the customer of the videotape sales or leasing company;
(4) Telecommunications: The Telecommunications Act of 1996 (Telecommunicationact), which stipulates that telecommunications operators have the obligation to keep confidential information about their clients ' property;
(5) Consumer credit field: "Fair Credit Reporting Act" (thefaircreditreportingact), which belongs to Consumer Protection Law series, stipulates consumer's right to report on credit investigation, and regulates consumer credit investigation/reporting agency for report production, dissemination, To deal with the record of breach of contract, the business mode of consumer credit investigation organization is clarified.
(6) Child privacy protection: Children's Online Privacy Protection Act (Thechildren ' Sonlineprivacyprotectionact,coppa), which stipulates that Web operators must provide their parents with notification of privacy protection policies, as well as the Web site on the 13 years of age children under the collection and processing of personal information principles and methods.
To sum up, the traditional information protection program mainly follows the "Fair Information Practice Law", the basic arrangement is "inform and consent" framework, and according to the industry domain to subdivide. But in the big Data age, the original protection scheme has a great limitation: first, the development of data collection technology, so that data can no longer be collected in a dominant manner, data actors are difficult to detect; Secondly, the rise of data service enterprises, many data service enterprises are not in the scope of the original rule of law; third, Blurring the boundaries between industry data, a shopping habit data may also show the perpetrator's financial behavior data; four, third party data storage and cloud computing are widely used, and these third-party institutions do not have direct contact with consumers, information storage and responsibility to become a potential problem; There is a potential conflict between the traditional information protection program and the Obama administration's policy of responding to big data disclosure claims.
Therefore, the United States Privacy policy and law in the big data age focus on more operational programs that are more universally applicable and that are more consistent with the operational characteristics of large data and that do not limit the development of large data technologies and applications.
V. Privacy protection in the "Big Data Age"
In view of the characteristics of large data, the U.S. government has proposed to solve the problem of privacy protection without impeding the development of large data, including policy adjustment, law making and technological innovation.
(i) Policy Framework for privacy protection
In the white paper, the United States Government believes that the "inform and consent" framework has not met the need for privacy protection. The white paper proposes that the "inform and consent" framework protects privacy for the vast majority of current user interactions with the enterprise, but the US president's Science and Technology Advisory board says the technology trajectory is shifting to gathering, using and storing data that is not directly linked to consumers and individuals, if " Tell and agree "the framework is more likely to be violated, we need to focus on the use of data at one end, rather than the original end of the collection." The United States Government believes that privacy protection in the large data age should focus on the use of accountability, which allows data collectors and users to be responsible for the management of data and the hazards it may cause, rather than narrowly defining its responsibilities as whether to collect data through normal channels.
The white paper adds that more attention to responsibility does not mean ignoring the collected environment. One aspect of data accountability is respect for the acquisition of raw data. In other words, the original "inform and consent" framework should be kept to the fullest extent and adjusted to the development of technology to meet some of the challenges posed by large data.
In addition, the U.S. government has a more open attitude to privacy policy framework, that should be concerned about how the benefits of large data, and privacy rights, such as large data acquisition information and can not avoid loss of value between the reasonable balance. At the same time, the US government has reiterated in the White paper that "while we live in a world where we can share personal information more freely than in the past, we must firmly deny that the value of privacy is outdated." Privacy has been the heart of our democracy from the start, and now we need it more than ever before.
(ii) Legislative recommendations on privacy protection
February 23, 2012--U.S. President Barack Obama signs the White House work Report "Privacy protection of consumer data in a networked environment – a policy framework for protecting privacy and promoting innovation in the context of the global digital economy" (consumerdataprivacyinanetworkedworld:aframeworkforprotectingprivacyandpromotinginnovationintheglobaldigitaleconomy) (hereinafter referred to as "Consumer Privacy Protection Report"). The report formally introduced the Consumer Privacy Bill (consumerprivacybillofrights), which was made available to the public and brought to Parliament for consideration. The report introduces the legislative concept and main contents of the Consumer Privacy bill, and embodies the approach of the U.S. government to the privacy protection in the large data age. At present, the consumer privacy bill has not been passed by Congress, so in the white Paper, the U.S. government also called on Congress to pass the consumer privacy bill as soon as possible to determine the rule of law framework for privacy protection.
Overall, the Consumer Privacy Act is based on the "Fair Information Practice Law", which provides the following three major areas:
1. Strengthening of the framework of "informing and agreeing"
(1) Personal control (Individualcontrol): Consumers have the right to control the collection and use of personal information by enterprises. First, the bill requires that in any case the enterprise should give the consumer the option to control any personal data collected by the enterprise. Third parties that do not have direct contact with consumers, as long as the use of data will have a significant impact on the interests of consumers, but also to give consumers the right to choose. Enterprises collecting data should also conduct due diligence on third parties to investigate how Third-party enterprises will use consumer data and whether to give consumers the right choice. In addition, consumers should have the right to revoke the authorization, which should be the same as the convenience of the authorization method. Second, the bill requires consumers to assess the possible consequences and take responsibility for the choice of personal data when they are used, especially when they are publicly shared.
(2) Transparency (transparency): Consumers have the right to understand and obtain information about privacy and security. In the time and place where the consumer understands the privacy risks and enforces personal control, the enterprise should clearly state the information as to the type of personal data collected, the reasons for collecting personal data, the purpose of the collected personal data, and the conditions under which data is deleted or the identity information of the consumer is deleted. Whether to share personal data and the purpose of sharing with third parties. The bill highlights the need for companies to disclose behavior that is inconsistent with the intended use of personal data and to disclose the use of personal data that is inconsistent with consumer expectations. The form of notification taken by the enterprise shall enable the consumer to read on the equipment used while acquiring the Enterprise services. Enterprises that do not engage with consumers should inform consumers in detail of the collection, use and disclosure of personal data.
(3) Situational Consistency (RESPECTFORCONTEXT): Consumers have the right to expect enterprises to collect, use and disclose personal information in a manner consistent with the circumstances in which they provide information. The use or disclosure of personal data by an enterprise shall have a specific purpose, and that purpose shall be consistent with their public statements to consumers in accordance with the reasonable expectations of the consumer and to use and disclose data to the extent that they are intended to achieve them. If this is not the case, the enterprise should highlight it in a way that consumers respond easily. In addition, the bill specifically requires that data obtained from children and youth should be given greater protection than adults.
2. Security responsibility for data preservation and processing
(1) Security: Consumers have the right to require their data to be safely and responsibly handled. Enterprises should evaluate privacy and security risks in combination with their own practice in the field of personal data, and must take reasonable security measures to prevent possible risks such as data loss, illegal acquisition, use, damage or modification of data, improper disclosure of data, etc.
(2) Access rights and Accuracy (accessandaccuracy): When the personal data is incorrect, the consumer has the right to obtain and then correct the personal data that exists in the available format when the data is sensitive to the risk that the data error may have a negative impact on the consumer. The enterprise shall take reasonable measures to ensure that it keeps accurate personal data.
(3) Collection Control (focusedcollection): Consumers have the right to reasonably restrict the collection and preservation of personal information by enterprises. An enterprise should determine the scope of the data collected in accordance with its need to achieve a specific purpose, and should delete personal data securely or clear identity information in personal data after no personal data is needed.
3. Post-accountability system
Accountability System (Accountability): Consumers have the right to submit personal information to enterprises that will take appropriate measures to ensure compliance with the relevant rules of the ACT. An enterprise should train its employees to make use of their personal data in compliance situations and conduct periodic performance evaluations accordingly. The enterprise should also carry out comprehensive internal control supervision to ensure that the data is used within a reasonable range. Unless otherwise stipulated in the law, an enterprise shall, at the very least, ensure that an enterprise receiving such data has a contractual obligation to comply with the principles of the Act if it is disclosed to a third party. Under the accountability system, there is not only a need for control and accountability within the company, but also external responsibility for consumers and law enforcement agencies. It can be seen that the Consumer Privacy Act has put forward very detailed and specific reasons for accountability, covering the enterprise staff behavior control, internal data use supervision, public data to the third party, so that the subsequent accountability more clearly specific.
In the Consumer privacy report, the U.S. government believes consumer personal data protection is the most common problem in the current large data environment. The report calls for Congress to enact legislation to apply the relevant content of the bill to commercial areas that the privacy law does not cover, given that the consumer Privacy bill incorporates the world's universally recognized principles of privacy protection. It can be seen that the practice of the Consumer Privacy Act – Strengthening the framework of "informing and agreeing", focusing on corporate self-discipline, and emphasizing ex post facto responsibility – represents the general thinking of the U.S. government to address privacy protection issues in the large data age.
(iii) Promoting privacy protection law enforcement and international cooperation
In addition to policy and legislation, the U.S. government has advocated greater privacy protection law enforcement efforts to promote privacy protection of international cooperation. The Consumer Privacy Protection Report advocates that the Federal Trade Commission should be supported and empowered to provide more predictable expectations for companies implementing the code of Conduct. First, the Federal Trade Commission should have the right to examine whether the corporate code of conduct is in violation of the consumer privacy bill, and to guide the parties to participate in the formulation of the Federal Trade Commission's law enforcement guidelines so that they can make a correct judgment. Second, granting the Federal Trade Commission the power to provide "safe haven" to enterprises complying with the permitted code of conduct, that is, to exempt the relevant enterprises from enforcing the legislative text of the Consumer privacy bill. In addition, the report calls on Congress to empower more government departments to protect privacy rights.
In furthering international cooperation, States should: (1) mutual recognition. States should, on the basis of agreement on the fundamental values of privacy and personal data protection, recognize each other's privacy protection framework on the condition of effective law enforcement and corporate accountability. (2) Multi-party participation in procedures and code of conduct development. The operation of large data is global, and the process of multi-party participation and the formulation of code of conduct have some advantages over traditional government regulation. (3) Law enforcement cooperation. The United States Federal Trade Commission, in cooperation with similar institutions in other countries, has created an "international Privacy Enforcement Network" that significantly improves the efficiency of data privacy laws in various jurisdictions.
Vi. Conclusion
From the influence of large data on the subject of privacy protection, ordinary citizen as the provider of data, its status and other main body is not the same degree gradually increased. The intrusion of large data technology on the privacy of citizens is impossible in most cases. From the United States Government's response strategy, unless relying on corporate self-discipline under legal rules, citizens can only wait to rely on ex post facto relief to protect their own interests when rights are violated, which is definitely passive. The reason for this is that the U.S. government will protect and promote the development of large data technology in order to maintain America's leading position in a more important position. Large data technology is not already an era of the existing products, but is booming, in the ascendant. Predictably, future technological progress will bring more challenges to privacy law, and privacy protection in the large data age will be a long-standing and unresolved problem.
(Responsible editor: Mengyishan)