The Datatrust Privacy Guarantee: Protecting the Datatrust from Compelled Disclosure

  1. Introduction: Why we need to understand privacy rights.
  2. A quick overview of federal privacy law.
  3. Implications for data collectors today.
  4. Implications for the datatrust.

IV. IMPLICATIONS FOR THE DATATRUST?

The datatrust can likely expect that it, like any organization holding large amounts of data, will receive requests from law enforcement for that data.

We will have to have a clearly stated policy regarding how we deal with such requests. We’ll have to understand how existing law applies to us, and the extent to which we can lawfully push to protect the individual privacy rights of people whose data is in the datatrust.

How ECPA might apply

Right now, it’s unclear precisely how ECPA would apply to the datatrust. It most likely would not be considered an electronic communications service provider. It could be considered a remote computing service, in which case the datatrust could be compelled to disclose data by a subpoena. If the law were changed in accordance with Digital Due Process’s recommendation, it’s possible that any personally identifying data stored by the datatrust would be available to the government only with a search warrant issued based on a showing of probable cause.

At the same time, it’s unclear whether ECPA, now or later, would apply clearly to a service for organizations rather than individuals. Although there are many businesses out there dealing in personal information, sometimes anonymized, sometimes not, the same uncertainty that surrounds them would apply to the datatrust. This is an area we will have to research.

Potential defenses to law enforcement requests

One way the datatrust could deal with law enforcement requests for data would be to limit the amount of data it actually holds. Right now, it’s not clear what kind of personally identifying information the datatrust will retain, and thus, what we might be compelled to disclose. We will have registered users, which means we will have names of organizations. The data will be raw, which may or may not include names and/or other identifying information.

Would it be possible, technologically, to store data in ways that limit the amount of data the datatrust can actually disclose? If we’re a privacy query+filter, could we avoid storing information that could be subpoenaed? Could we use technology to organize the data in some way so as to limit the data available to government?
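The questions above do not settle on a mechanism. As an added illustration, not code from the Common Data Project, the block below sketches one way a "privacy query+filter" datatrust could retain only aggregates, so that the aggregate store is all it could ever be compelled to disclose. The suppression threshold, field names and sample submissions are constructed assumptions.

```python
"""Sketch of a 'query+filter' datatrust that keeps no raw records.

Constructed example: submissions are reduced to aggregate counts at ingest,
cells with too few contributors are dropped, and the raw rows are never
retained. Whatever the datatrust could be compelled to hand over is exactly
the dictionary that ingest() returns.
"""
from collections import Counter

# Assumed policy value: cells with fewer contributors than this are not kept.
SUPPRESSION_THRESHOLD = 3

# Constructed sample submission from a hypothetical member organization.
RAW_SUBMISSION = [
    {"name": "Alice Example", "zip": "10001", "condition": "asthma"},
    {"name": "Bob Example", "zip": "10001", "condition": "asthma"},
    {"name": "Carol Example", "zip": "10001", "condition": "asthma"},
    {"name": "Dan Example", "zip": "10002", "condition": "asthma"},
    {"name": "Eve Example", "zip": "10002", "condition": "diabetes"},
]

# Only these fields survive ingest; direct identifiers such as "name" do not.
RETAINED_FIELDS = ("zip", "condition")


def ingest(records, threshold=SUPPRESSION_THRESHOLD):
    """Reduce raw records to aggregate counts; raw rows are discarded here."""
    counts = Counter(tuple(r[f] for f in RETAINED_FIELDS) for r in records)
    # A cell with very few contributors could single out a person, so it is
    # not retained either: the store never learns it existed.
    return {cell: n for cell, n in counts.items() if n >= threshold}


def query(state, **filters):
    """Answer a count query from the retained aggregates only."""
    unknown = set(filters) - set(RETAINED_FIELDS)
    if unknown:
        raise KeyError(f"field(s) not retained by the datatrust: {sorted(unknown)}")
    return sum(
        n for cell, n in state.items()
        if all(cell[RETAINED_FIELDS.index(k)] == v for k, v in filters.items())
    )


if __name__ == "__main__":
    state = ingest(RAW_SUBMISSION)
    print("retained store:", state)            # no names anywhere in it
    print("asthma count:", query(state, condition="asthma"))
    print("zip 10002 count:", query(state, zip="10002"))  # suppressed -> 0
```

The contrast with the current plan of holding raw data is the point: a subpoena for the store in this design yields only the surviving cells, and a query for a suppressed cell returns nothing because the datatrust never kept it.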

Could we (and should we) create a new class of data to protect?

We at the Common Data Project are working on creating a datatrust because we believe a new kind of institution is needed to enable the public to make use of data in as powerful a way as is used by corporations and government agencies. Although we are not a lobbying organization, we do believe we as a society need to acknowledge data as a new kind of resource and come up with new legislation if necessary.

We've talked about how a datatrust will be like a bank or a credit union for personal data. People increasingly store and back up their data in the cloud because the cloud makes their data easier to access and use. It's arguably similar to the shift from people storing cash under their mattress to depositing it in a bank. In that case, data would warrant privacy protection on par with financial records. Are we ready to talk about data privacy in a context that includes individuals' own use of data, rather than only Google's and Facebook's use of it?

Privacy protections for statistical information currently protect government agencies and non-government researchers, at least to the extent they're able to obtain discretionary Certificates of Confidentiality. It may be possible to create a similar type of document to protect institutions like the datatrust that seek to provide data as a public resource for statistical research and analysis. Could such protection apply to an institution rather than a specific study? Would this require some formalization of what a datatrust is, in statutory or regulatory terms?