The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
A common myth is that the U.S. Congress is a leader in creating privacy and data security law. But this has not been true for quite some time. Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.
In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws. Here are some of the most prominent of these statutes:
Recently, Congress voted to overturn new FCC rules that regulated the privacy practices of broadband Internet Service Providers (ISPs). The rules applied Section 222 of the Communications Act, 47 U.S.C. § 222, to ISPs, requiring opt-in consent for sharing sensitive customer data, opt-out consent for sharing non-sensitive customer data, and transparency about data practices. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules also required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies. But nature abhors a vacuum. Other regulators will fill the void, and typically it is the regulators who are most passionate about protecting privacy, such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law. Thus, the de facto rule is the law of the state with the strictest protections.
This cartoon depicts the potential future of the Internet of Things. As more and more devices are connected to the Internet, including ones implanted in people’s bodies, increasing thought must be given to the privacy and security implications. The speed of technological development is moving at a far greater pace than the speed of policy thinking regarding privacy and security.
How will the security of new devices be regulated? The market doesn’t seem to be adequately addressing the security of the Internet of Things. Bad security in devices has externalities beyond the users, as devices can be used as part of botnets to attack other targets.
How will privacy be designed into devices? How will notice and choice work? When privacy is “baked in” to a device, do the engineers have a comprehensive understanding of privacy? How will consumers be able to understand and respond to these design choices?
Should there be special considerations for medical devices or any device that is implantable in a person?
We still await satisfactory answers to these questions . . . but the expansion of the Internet of Things isn’t waiting.
Here’s an earlier cartoon I created regarding the Internet of Things:
My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about. “I’ve got nothing to hide,” they declare. “The only people who should worry are those who are doing something immoral or illegal.”
The nothing-to-hide argument is ubiquitous. This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007). It was a short law review piece, one that I thought would be read by only a few people. But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay. I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011).
This year is the 10th anniversary of the piece. A lot has happened between then and now. Not too long before I wrote my essay, there were revelations of illegal NSA surveillance. A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again. This was the climate in which I wrote the essay.
Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority. Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.
Nevertheless, the nothing-to-hide argument is far from vanquished. There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.
Here are a few short excerpts from my nothing-to-hide essay:
I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS (IAPP 2017) (co-authored with Professor Paul Schwartz) is now out in print. This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.
Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.
“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.
“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field. It is a gem.” — Kurt Wimmer, Covington & Burling LLP
“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum
“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology
The full table of contents is below:
I recently updated my book chapter, A Brief History of Information Privacy Law, which appears in the new edition of PLI’s Proskauer on Privacy.
This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.
The chapter can be downloaded for free here.
Here is the table of contents:
A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros. There is now an epilogue to report in the case. The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball. The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.
According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”
As I wrote in my piece about the case, there are several lessons to be learned. One lesson is that it is a myth that hacking and computer crime must be high-tech. Here, Correa’s hacking was nothing sophisticated — he just used another person’s password. The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password. In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information. The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data. The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.
For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel. Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see. So click on the programs below to watch them — I’ll keep them up through the weekend. Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.
NOTE: These programs are now no longer publicly available. To see them, please contact us.
The first program is a short 2-minute awareness video about Data Retention.
The second program is an 8.5 minute program called Defining Personal Information. It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.
These programs were created for Intel with their collaboration. Intel graciously allowed me to add generic versions of these programs to my training course library. And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.
Co-authored by Professor Woodrow Hartzog
The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?
I am now offering the full text of my book The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press 2007) online for FREE download.
I am now offering the full text of my book The Digital Person: Technology and Privacy in the Information Age (NYU Press 2004) online for FREE download.
Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
Here’s a cartoon I created. It involves several Fair Information Practice Principles (FIPPs) and privacy best practices. The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.
For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind. Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.
Fellowships can be a great way to kick start a career in privacy law. I have added new fellowships to the list I published in February 2016, as well as updated deadlines and other relevant information. Click here to see the fully updated list of privacy fellowships. If you know of others I should add, please email me.
I was fortunate to see James Graham’s incisive play “Privacy” this past Sunday at the Public Theater in New York City. The play is a witty and immensely engaging examination of all the data being collected about us and being assembled into digital dossiers. Technology is adeptly woven into the play. At many points during the production, audience members are asked to use their smartphones. The script is entertaining and intelligent. There is never a dull moment, and I was laughing throughout.
Yesterday, Microsoft won a huge case against government surveillance, a case with very important implications: In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation.
When is a person harmed by a privacy violation?
The U.S. Supreme Court just handed down a decision in an important case, Spokeo Inc. v. Robins.
Plaintiff Thomas Robins sued Spokeo under the Fair Credit Reporting Act (FCRA) because Spokeo had inaccurate information about him in its profile. Spokeo’s profiles are used by potential employers and others to search for data about people. FCRA requires that information in profiles for these purposes be accurate, and it allows people to sue if information is not.
The privacy law profession is growing tremendously, but there is a challenge that we’re facing, one that I’d like to enlist your help in addressing – the bottleneck problem. There is a huge bottleneck at the entry point to the field. So I am calling on organizations to address this bottleneck by offering fellowships to recent law school graduates interested in privacy law.
Each year, I teach about 60-70 privacy law students, and there are many other professors teaching similar courses with large enrollments. Many great students want to enter the field, but they find it very hard to do so because nearly every position requires a number of years of experience.
Unlike other fields with a more developed entry point, privacy lacks an easy way in. People have to do all sorts of career gymnastics to lateral sideways or slip in from other areas. A while ago, I solicited advice on entering the profession and provided advice of my own, and I posted about it in my post, How to Enter the Privacy Profession.
On the other side, many organizations are seeking to fill privacy law positions but are having a hard time finding enough people with experience.
The privacy profession must address the bottleneck problem and develop a reliable pathway to the profession.
I am therefore calling on companies and organizations to create privacy law fellowships that would last 1-2 years. If you create one, I will list it in my list of privacy law fellowships. Right now, the list is short, and most of the opportunities are in NGOs and the government, with a handful from the private sector. I’d like to triple or quadruple this list . . . and hopefully make it even longer than that.
So if you’re on the privacy team at an organization, please look into creating a fellowship position. If you’re a privacy law professor, please join in my call. A mature profession needs an entry point and a reliable pathway. It’s time to make that happen for privacy law.
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.
Without further ado . . .
Don’t collect personal data.
There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training! And that’s no joke.
With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).
The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
In a high-profile privacy lawsuit, former pro-wrestler Hulk Hogan won a $115 million jury verdict against Gawker for posting his sex video without his consent. Hulk Hogan, whose real name is Terry Bollea, brought a lawsuit for invasion of privacy and other torts. Under one of the main privacy torts — public disclosure of private facts — one can be liable if one widely and publicly discloses private information about another that would be highly offensive to a reasonable person and not of legitimate concern to the public.
Bernard Harcourt’s Exposed: Desire and Disobedience in the Digital Age (Harvard University Press 2015) is an indictment of our contemporary age of surveillance and exposure — what Harcourt calls “the expository society.” Harcourt passionately deconstructs modern technology-infused society and explains its dark implications with an almost poetic eloquence.
Harcourt begins by critiquing the metaphor of George Orwell’s 1984 to describe the ills of our world today. In my own previous work, I critiqued this metaphor, arguing that Kafka’s The Trial was a more apt metaphor to capture the powerlessness and vulnerability that people experience as government and businesses construct and use “digital dossiers” about their lives. Harcourt critiques Orwell in a different manner, arguing that Orwell’s dystopian vision is inapt because it is too drab and gray:
Back by popular demand, it’s time for another round of the funniest hacker stock photos. Because I create information security awareness training (and HIPAA security training too), I frequently find myself in need of a good hacker photo.
But good hacker photos are hard to find. I often browse through countless images, each one more ridiculous than the next.
The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.
The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases. One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering. A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.
One way to enter the privacy profession is to do a fellowship, and fortunately, an increasing number of fellowship opportunities are emerging.
I have written about the challenges of breaking in to the privacy law profession, especially the challenges that recent law school graduates will face. There are no established career paths in this field yet, so it takes some effort to get started. Once you’re in the club, you’ll be in big demand, but there’s a bottleneck at the entrance. This is why fellowships can be a great way to kick start a career in privacy law.
Here are a few fellowships related to privacy that I’m aware of. If you know of others I should add to the list, please email me.
By Daniel J. Solove
For several years, I have been posting about notable books on privacy and security, and this post lists some of the notable books from 2015. To see a more comprehensive list of nonfiction works about privacy and security, you might consult this resource page that Professor Paul Schwartz and I maintain: Nonfiction Privacy + Security Books.
Now, without further ado, here are some of the many privacy and security books published in 2015:
A dramatic legal battle is taking place that will have profound implications for the future of technology, privacy, security, and the extent of government power. The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.
I created some new training programs last year, and here are some of the highlights:
The Ransomware Attack (~5 mins)
This short program (~5 minutes) consists of an interactive cartoon vignette about malware. The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware. The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.
The Life Cycle of Personal Data (~15 mins)
This privacy awareness training course (~15 minutes) is a highly interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data. The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.
I originally posted a version of this post more than 10 years ago, in 2005. I think it is important to re-post it, with a few updates.
I strongly recommend teaching information privacy law in law schools. I have authored several textbooks in the field, and I know that this might seem like a self-plug. But I really am a big believer that all law schools should have not just one course on information privacy law, but several — no matter what textbooks are used!
Information privacy law remains a fairly new field, and it has yet to take hold as a course taught consistently in most law schools. Last year, I wrote a post complaining about the fact that only about 25% of law schools have a course on privacy law. I’m hoping to change all that.
So if you’re an academic interested in exploring issues involving information technology, criminal procedure, or free speech, you should consider adding information privacy law to your course package. If you’re a practitioner, consider teaching an information privacy law course as an adjunct.
Here are some reasons to teach the course:
I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review 2230 (2015). I wrote the article with Professor Woodrow Hartzog.
The article addresses the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”). We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.
We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.
The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.
Here is a table of contents of the issue, along with links to where you can access each essay and article.
I’ve long been saying that privacy need not be sacrificed for security, and it makes me delighted to see that public attitudes are aligning with this view. A Pew survey revealed that a “majority of Americans (54%) disapprove of the U.S. government’s collection of telephone and internet data as part of anti-terrorism efforts.” The anti-NSA surveillance sentiment is even stronger in other countries, as is shown in this chart below.
According to the survey, “74% said they should not give up privacy and freedom for the sake of safety, while just 22% said the opposite.”
As I wrote in my book, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale U. Press 2011):
The debate between privacy and security has been framed incorrectly, with the tradeoff between these values understood as an all-or-nothing proposition. But protecting privacy need not be fatal to security measures; it merely demands oversight and regulation.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will have substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditions for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
By Daniel J. Solove
It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools.
Fortunately, there is a solution, one that I’m proud to have been involved in creating. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.
The Privacy K-12 Curriculum Matrix is free. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level.
By Daniel J. Solove
Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.
This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.
By Daniel J. Solove
At my annual event, the Privacy+Security Forum, which was held last month, one of the sessions involved privacy and security in fiction. The panelists had some terrific reading suggestions, and I thought I’d share with you the write-up that they generated for their session. The speakers were:
Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law
Heather West, Senior Policy Manager & Americas Principal, Mozilla
Kevin Bankston, Director, Open Technology Institute and Co-Director, Cybersecurity Initiative, New America
Joseph Jerome, Policy Counsel at Future of Privacy Forum
By Daniel J. Solove
The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries. In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries. The US is an outlier from the way most countries regulate privacy.
About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach. Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs. Industries could lobby and exert their influence much more on laws focused on their industry. Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.
But today, ironically, the sectoral approach is not doing many organizations any favors. There are still gaps in protection under the US approach, but these have narrowed. In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws. The result is a ton of complexity, inconsistency, and uncertainty in the law.
I am pleased to announce that Alan Westin’s classic work, Privacy and Freedom, is now back in print. Originally published in 1967, Privacy and Freedom had an enormous influence in shaping the discourse on privacy in the 1970s and beyond, when the Fair Information Practice Principles (FIPPs) were developed.
The book contains a short introduction by me. I am truly honored to be introducing such a great and important work. When I began researching and writing about privacy in the late 1990s, I kept coming across citations to Westin’s book, and I was surprised that it was no longer in print. I tracked down a used copy, which wasn’t as easy to do then as it is today. What impressed me most about the book was that it explored the meaning and value of privacy in a rich and interdisciplinary way.
A very brief excerpt from my intro:
At the core of the book is one of the most enduring discussions of the definition and value of privacy. Privacy is a very complex concept, and scholars and others have struggled for centuries to define it and articulate its value. Privacy and Freedom contains one of the most sophisticated, interdisciplinary, and insightful discussions of privacy ever written. Westin weaves together philosophy, sociology, psychology, and other disciplines to explain what privacy is and why we should protect it.
I was fortunate to get to know Alan Westin, as I began my teaching career at Seton Hall Law School in Newark, New Jersey, and Alan lived and worked nearby. I had several lunches with him, and we continued our friendship when I left to teach at George Washington University Law School. Alan was kind, generous, and very thoughtful. He was passionate about ideas. I miss him greatly.
So it is a true joy to see his book live on in print once again.
Here’s the blurb from the publisher: