All posts in EU Data Protection Directive

Privacy Shield Training

Daniel Solove
Founder of TeachPrivacy

Privacy Shield Training Course

I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework.  Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US.  Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.

Continue Reading

A New US-EU Safe Harbor Agreement Has Been Reached

Daniel Solove
Founder of TeachPrivacy

EU-US Privacy Shield Safe Harbor Training

Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU.  But a new day has dawned.

Continue Reading

Blogging Highlights 2015: Privacy Issues

Daniel Solove
Founder of TeachPrivacy

Privacy Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts on privacy issues:

I. PHILOSOPHICAL

Privacy by Design:
4 Key Points

title image

What Is Privacy?

Solove Taxonomy of Privacy

II. PRIVACY LAW

Why All Law Schools Should Teach Privacy Law
— and Why Many Don’t

why law schools should teach privacy

Continue Reading

10 Implications of the New EU General Data Protection Regulation (GDPR)

Daniel Solove
Founder of TeachPrivacy

EU GDPR Training General Data Protection Regulation

EU Flag EU Privacy TrainingLast week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries.  Clocking in at more than 200 pages, this is quite a document to digest.  According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”

The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year.  It will has substantial implications for any global company doing business in the EU.  The GDPR is anticipated to go into effect in 2017.

Here are some of the implications I see emerging from the GDPR as well as some questions for the future:

1. Penalties and Enforcement

Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.”  Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.”  The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”

These are huge penalties.  Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO).  Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling.  The CEO will stand up immediately and say: “Excuse me, but I must take this call.  It’s my CPO calling!”

EU Privacy Training Money

To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent.  Will the new GDPR change enforcement?  With such huge fines, the payoff for enforcement will be enormous.  We could see a new enforcement culture emerge, with more robust and consistent enforcement.  If privacy isn’t much of a priority of upper management at some global companies, it will be soon.

Continue Reading

The Growing Problems with the Sectoral Approach to Privacy Law

Daniel Solove
Founder of TeachPrivacy

Sectoral Omnibus Privacy Regulation

By Daniel J. Solove

The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries.  In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries.  The US is an outlier from the way most countries regulate privacy.

About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach.  Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs.  Industries could lobby and exert their influence much more on laws focused on their industry.  Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.

But today, ironically, the sectoral approach is not doing many organizations any favors.  There are still gaps in protection under the US approach, but these have narrowed.  In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws.  The result is a ton of complexity, inconsistency, and uncertainty in the law.

Continue Reading

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel Solove
Founder of TeachPrivacy

sunken safe harbor

By Daniel J. Solove

In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.

[Press Release]  [Opinion]

The Safe Harbor Arrangement

The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US.  Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data.  The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.

Continue Reading

Privacy Law: From a National Dish to a Global Stew

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove
This post is co-authored by Professor Neil Richards

The recent case of Google v. Vidal-Hall in the UK has generated quite a buzz, with Omer Tene calling it the “European privacy judicial decision of a decade.”

The case illustrates several fascinating aspects of the developing global law of privacy, with big implications for online marketing, Big Data, and the Internet of Things.

At first blush, it is easy to see the case as one more divergence between how privacy is protected in the EU and US, with a European Court once again showing how much eager it is to protect privacy than an American one. But the biggest takeaway from the case is not one of divergence; it is one of convergence!

Continue Reading

Who Are the Privacy and Security Cops on the Beat?

Daniel Solove
Founder of TeachPrivacy

privacy and security

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #3 of a series called Enforcing Privacy and Security Laws.

Continue Reading

What Is Sensitive Data? Different Definitions in Privacy Law

Daniel Solove
Founder of TeachPrivacy

Sensitive Data Image 01

by Daniel J. Solove

I was corresponding with K. Royal the other day, as she was graciously providing some feedback on a training program I created, and we got to talking about sensitive data. In their privacy laws, many countries designate a special category of data called “sensitive data” that receives especially stringent protections.

The most common list of categories for sensitive data is the list in the EU Data Protection Directive, which includes data about “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, health, and sex life.”

The US has no special category of “sensitive data” but US privacy law does protect certain forms of data more stringently (health, financial).

I find it interesting what various countries define as sensitive data, and K Royal has created an awesome chart that she shared with me:

Chart of Sensitive Data in Various Countries

To a privacy wonk like me, a chart like this makes me giddy with excitement, and so I thought I’d share it with you (with her permission, of course).

Here’s a tally of the various types of most-commonly recognized categories of sensitive data. This is based on a chart of the sensitive data category of many countries that K Royal created.

Sensitive Data Chart Word Tally 03

SPECIFIC COUNTRIES’ DEFINITIONS OF SENSITIVE DATA

You can access the full Excel spreadsheet of the data here.

Note: The entry for “standard” means the standard list from the EU Data Protection Directive. The categories encompassed by “standard” include the one beginning “national, Racial/Ethnic” through “sexual preferences and practices.”  More background about K’s project can be found at her blog.

If you want to see the spreadsheet data laid out in a blog post, you can see my longer post about the issue at my LinkedIn Blog.

Follow Professor Solove on Social Media

Daniel Solove
Founder of TeachPrivacy

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:

Professor Solove’s LinkedIn Influencer blog

LinkedIn Influencer 02 You can follow Professor Solove on his blog at LinkedIn, where he is an “LinkedIn Influencer.”  He blogs about various privacy and data security issues. His blog has more than 600,000 followers.

LinkedIn Influencer 01

*    *    *    *

Professor Solove’s Twitter Feed

Twitter 01Professor Solove is active on Twitter and posts links to current privacy and data security stories and new scholarship, cases, and developments of note.

*    *    *    *

Professor Solove’s Newsletter

Newsletter 01Sign up for our newsletter where Professor Solove provides information about his recent writings and new training programs that he has created.

*    *    *    *

Professor Solove’s LinkedIn Discussion Groups

Please join one or more of Professor Solove’s LinkedIn discussion groups, where you can follow new developments on privacy, data security, HIPAA, and education privacy issues. You can also participate in the discussion, share interesting news and articles, ask questions, or start new conversations:

Privacy and
Data Security
HIPAA Privacy
and Security
Education Privacy
and Data Security
Image Group LinkedIn Logo Education Privacy 01 Image Group LinkedIn Logo HIPAA 01 Image Group LinkedIn Logo Privacy Security 01

Is the Right to Be Forgotten Good or Bad? This Is the Wrong Question

Daniel Solove
Founder of TeachPrivacy

right to be forgotten good or bad blog 1

by Daniel J. Solove

Is the right to be forgotten good or bad?

This is the question many are asking these days in light of the recent EU Court of Justice (ECJ) decision that requires search engines such as Google to remove personal data from search results when people request it. (For more background, I wrote about the ECJ decision last week.)

After the decision was released, critics attacked the right to be forgotten as impractical, undesirable, and antithetical to free speech.

Continue Reading

New Privacy Training Programs: US, EU, and Global Privacy Law

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

We have launched several new privacy training programs, including a series with brief introductions to privacy law.  We have completed a privacy training program about US Privacy Law with a video and interactive material / quiz questions.  And we just completed a training program about EU Privacy Law.  This program has a 7.5 minute video (as well as an abridged version at 4.5 minutes), and there’s a separate excerpt on the Safe Harbor Arrangement for those who only want to cover Safe Harbor in their training programs.

These programs are illustrated-as-I-talk.  You can preview the European Union Privacy Law video.

Coming soon: Global Privacy Law, which will focus heavily on the OECD Privacy Guidelines and  the APEC Privacy Framework.

European Union Privacy Training