The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel. Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see. So click on the programs below to watch them — I’ll keep them up through the weekend. Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.
NOTE: These programs are now no longer publicly available. To see them, please contact us.
The first program is a short 2-minute awareness video about Data Retention.
The second program is an 8.5 minute program called Defining Personal Information. It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.
These programs were created for Intel with their collaboration. Intel graciously allowed me to add generic versions of these programs to my training course library. And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
When is a person harmed by a privacy violation?
The U.S. Supreme Court just handed down a decision in an important case, Spokeo Inc. v. Robins.
Plaintiff Thomas Robins sued Spokeo under the Fair Credit Reporting Act (FCRA) because Spokeo had inaccurate information about him in its profile. Spokeo’s profiles are used by potential employers and others to search for data about people. FCRA requires that information in profiles for these purposes be accurate, and it allows people to sue if information is not.
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.
Without further ado . . .
Don’t collect personal data.
There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training! And that’s no joke.
With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).
The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases. One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering. A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.
I created some new training programs last year, and here are some of the highlights:
The Ransomware Attack (~5 mins)
This short program (~5 minutes) consists of an interactive cartoon vignette about malware. The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware. The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.
The Life Cycle of Personal Data (~ 15 mins)
This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data. The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
by Daniel J. Solove
One of the most well-known classic privacy books is George Orwell’s 1984, and it has been published in countless editions around the world. I enjoy collecting things, and I’ve gathered up more than 50 book covers of various editions of the novel. I find it interesting how various artists and designers try to capture the novel’s themes. I thought I’d share the covers with you.
Orwell’s 1984 chronicles a harrowing totalitarian society, one that engages in massive surveillance of its citizenry. Everywhere are posters that say “
NSA Big Brother Is Watching You.” From the novel:
by Daniel J. Solove
Here is a brief synopsis of the webinar:
For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security. What are the standards that the FTC is developing for privacy and data security? What sources does the FTC use for the standards it develops?
A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.
My webinar was written up at the Wall Street Journal. If you’re interested in seeing it, it’s free and available here. Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.
By Daniel J. Solove
I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident. At the outset, apologies for the feature photo above. It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection. I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.
by Daniel J. Solove
According to a recent report by Enterprise Management Associates, 56% of employees are not receiving any sort of data security awareness training.
This is a rather distressing statistic. It is particularly distressing because according to another study, “when specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummets.”
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
You can follow Professor Solove on his blog at LinkedIn, where he is an “LinkedIn Influencer.” He blogs about various privacy and data security issues. His blog has more than 600,000 followers.
* * * *
Professor Solove is active on Twitter and posts links to current privacy and data security stories and new scholarship, cases, and developments of note.
* * * *
Sign up for our newsletter where Professor Solove provides information about his recent writings and new training programs that he has created.
* * * *
Professor Solove’s LinkedIn Discussion Groups
Please join one or more of Professor Solove’s LinkedIn discussion groups, where you can follow new developments on privacy, data security, HIPAA, and education privacy issues. You can also participate in the discussion, share interesting news and articles, ask questions, or start new conversations:
and Data Security
by Daniel J. Solove
I’ve been a teacher for the past 15 years, and I’ve taught in several mediums including live classes and computer-based e-learning. I have come to the conclusion that the most effective factor in education and training is fostering emotional investment.
Simply put, students must care about learning the material. The more they care, the more they learn.
The notion of getting emotional investment from students might sound like simple common sense, but it is often not done …and often not even attempted.