The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel. Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see. So click on the programs below to watch them — I’ll keep them up through the weekend. Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.
NOTE: These programs are now no longer publicly available. To see them, please contact us.
The first program is a short 2-minute awareness video about Data Retention.
The second program is an 8.5 minute program called Defining Personal Information. It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.
These programs were created for Intel with their collaboration. Intel graciously allowed me to add generic versions of these programs to my training course library. And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.
I am now offering the full text of my book The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press 2007) online for FREE download.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
Here’s a cartoon I created. It involves several Fair Information Practice Principles (FIPPs) and privacy best practices. The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.
For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind. Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.
I was fortunate to see James Graham’s incisive play “Privacy” this past Sunday at the Public Theater in New York City. The play is a witty and immensely engaging examination of all the data being collected about us and being assembled into digital dossiers. Technology is adeptly woven into the play. At many points during the production, audience members are asked to use their smart phones. The script is entertaining and intelligent. There is never a dull moment, and I was laughing throughout. Continue Reading
Yesterday, Microsoft won a huge case against government surveillance, a case with very important implications: In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation.
When is a person harmed by a privacy violation?
The U.S. Supreme Court just handed down a decision in an important case, Spokeo Inc. v. Robins.
Plaintiff Thomas Robins sued Spokeo under the Fair Credit Reporting Act (FCRA) because Spokeo had inaccurate information about him in its profile. Spokeo’s profiles are used by potential employers and others to search for data about people. FCRA requires that information in profiles for these purposes be accurate, and it allows people to sue if information is not.
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.
Without further ado . . .
Don’t collect personal data.
There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training! And that’s no joke.
With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).
The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
Bernard Harcourt’s Exposed: Desire and Disobedience in the Digital Age (Harvard University Press 2015) is an indictment of our contemporary age of surveillance and exposure — what Harcourt calls “the expository society.” Harcourt passionately deconstructs modern technology-infused society and explains its dark implications with an almost poetic eloquence.
Harcourt begins by critiquing the metaphor of George Orwell’s 1984 to describe the ills of our world today. In my own previous work, I critiqued this metaphor, arguing that Kafka’s The Trial was a more apt metaphor to capture the powerlessness and vulnerability that people experience as government and businesses construct and use “digital dossiers” about their lives. Harcourt critiques Orwell in a different manner, arguing that Orwell’s dystopian vision is inapt because it is too drab and gray:
The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases. One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering. A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.
By Daniel J. Solove
For several years, I have been posting about notable books on privacy and security, and this post lists some of the notable books from 2015. To see a more comprehensive list of nonfiction works about privacy and security, you might consult this resource page that Professor Paul Schwartz and I maintain: Nonfiction Privacy + Security Books.
Now, without further ado, here are some of the many privacy and security books published in 2015:
I created some new training programs last year, and here are some of the highlights:
The Ransomware Attack (~5 mins)
This short program (~5 minutes) consists of an interactive cartoon vignette about malware. The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware. The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.
The Life Cycle of Personal Data (~ 15 mins)
This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data. The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
By Daniel J. Solove
It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools.
Fortunately, there is a solution, one that I’m proud to have been involved in creating. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.
The Privacy K-12 Curriculum Matrix is free. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level.
By Daniel J. Solove
Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.
This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think that in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.
I’m very excited that the 1st annual Privacy + Security Forum (Oct. 21-23 in Washington, DC) is finally beginning!
We have about 190 speakers and 60+ sessions.
Below is a chart with session titles, speakers, times, and room assignments. I designed this chart to be easy to access online.
by Daniel J. Solove
One of the most well-known classic privacy books is George Orwell’s 1984, and it has been published in countless editions around the world. I enjoy collecting things, and I’ve gathered up more than 50 book covers of various editions of the novel. I find it interesting how various artists and designers try to capture the novel’s themes. I thought I’d share the covers with you.
Orwell’s 1984 chronicles a harrowing totalitarian society, one that engages in massive surveillance of its citizenry. Everywhere are posters that say “
NSA Big Brother Is Watching You.” From the novel:
by Daniel J. Solove
Here is a brief synopsis of the webinar:
For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security. What are the standards that the FTC is developing for privacy and data security? What sources does the FTC use for the standards it develops?
A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.
My webinar was written up at the Wall Street Journal. If you’re interested in seeing it, it’s free and available here. Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.
By Daniel J. Solove
Co-authored by Professor Paul Schwartz
This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.
By Daniel J. Solove
Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.
This is not time for firms to keep calm and carry on. The proper response is to freak out.
By Daniel J. Solove
Does scholarship really have an impact? For a long time, naysayers have attacked scholarship, especially scholarship about law. U.S. Supreme Court Chief Justice Roberts once remarked: “Pick up a copy of any law review that you see, and the first article is likely to be, you know, the influence of Immanuel Kant on evidentiary approaches in 18th Century Bulgaria, or something.” He noted that when the academy addresses legal issues at “a particularly abstract, philosophical level . . . they shouldn’t expect that it would be of any particular help or even interest to the members of the practice of the bar or judges.” Judge Harry Edwards also has attacked legal scholarship as largely irrelevant.