For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel. Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see. So click on the programs below to watch them — I’ll keep them up through the weekend. Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.
NOTE: These programs are now no longer publicly available. To see them, please contact us.
The first program is a short 2-minute awareness video about Data Retention.
The second program is an 8.5 minute program called Defining Personal Information. It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.
These programs were created for Intel with their collaboration. Intel graciously allowed me to add generic versions of these programs to my training course library. And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.
I. Data Retention
II. Defining Personal Information
Here’s a cartoon I created. It involves several Fair Information Practice Principles (FIPPs) and privacy best practices. The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.
For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind. Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected humor posts about privacy and security:
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
II. PRIVACY LAW
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
1. Penalties and Enforcement
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
By Daniel J. Solove
This post is co-authored by Professor Neil Richards
The recent case of Google v. Vidal-Hall in the UK has generated quite a buzz, with Omer Tene calling it the “European privacy judicial decision of a decade.”
The case illustrates several fascinating aspects of the developing global law of privacy, with big implications for online marketing, Big Data, and the Internet of Things.
At first blush, it is easy to see the case as one more divergence between how privacy is protected in the EU and US, with a European Court once again showing how much eager it is to protect privacy than an American one. But the biggest takeaway from the case is not one of divergence; it is one of convergence!