I’m thrilled that, the American Law Institute (ALI) has approved the Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project. According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”
The project involves our attempt to create a comprehensive approach to data privacy for the U.S. that bridges the divide with the EU. For example, there are many provisions in the General Data Protection Regulation (GDPR) that are not as incompatible with U.S. law as one might think. We bring U.S. law most of the way there, but we preserve core commitments in U.S. law that cannot readily be made consistent with the EU approach. We also have some new approaches to certain issues that haven’t yet been tried in quite the same ways in other laws before, such as our approach to transparency and notice, as well as our approach to handling the identifiability of personal data. The Principles of the Law, Data Privacy is not an attempt to write our ideal privacy law as if drafting on a blank slate. Nor is it an attempt to restate existing law. Instead, it is something in between. We build on foundations in existing law, look for ways the law can be advanced progressively without clashing with core commitments or introducing concepts that are without precedent.
Thus, our goal has been to produce a balanced compromise, an approach to advance U.S. privacy law significantly without being radical. I am certain industry and advocates will find things they like and things that they wish were different. This isn’t the law I’d write if I were writing on a blank slate. But it is, I hope, a big step forward.
We hope this project is useful to legislatures working on privacy legislation, to other policymakers, and to everyone who is thinking about privacy law.
We want to thank our advisory group and the ALI members who contributed greatly to this project. The ALI process is a wonderful one — a thoughtful constructive discussion about how to craft meaningful regulation between practitioners, judges, and academics, among others.
The final draft will be released very soon. Paul and I will be posting the blackletter portion of the project. The entire document, which consists of our commentary, notes, and illustrations — including the support for and rationales behind the provisions — will be available from the ALI. Please stay tuned.
As a teaser, below is the table of contents
CHAPTER 1. PURPOSE, SCOPE, AND DEFINITIONS
§ 1. Purpose and Scope of the Data Privacy Principles
§ 2. Definitions
CHAPTER 2. DATA PRIVACY PRINCIPLES
§ 3. Transparency Statement
§ 4. Individual Notice
§ 5. Consent
§ 6. Confidentiality
§ 7. Use Limitation
§ 8. Access and Correction
§ 9. Data Portability
§ 10. Data Retention and Destruction
§ 11. Data Security
§ 12. Onward Transfer
CHAPTER 3. ACCOUNTABILITY AND ENFORCEMENT
§ 13. Accountability
§ 14. Enforcement
Below is the masthead of reporters and advisers:
REPORTERS
Paul M. Schwartz, University of California, Berkeley School of Law
Daniel J. Solove, George Washington University Law School
ADVISERS
Anita L. Allen-Castellitto, University of Pennsylvania Law School
Sharon A. Anolik, Privacy Panacea
Julie S. Brill, Microsoft Corporation
Philip A. Brimmer, U.S. District Court, District of Colorado
Thomas P. Brown, Paul Hastings LLP
Danielle Citron, University of Maryland, Francis King Carey School of Law
Molly Cutler, Facebook, Inc.
Sarah C. Dodds-Brown, American Express
Allyson K. Duncan, U.S. Court of Appeals, Fourth Circuit
Lindsey Finch, Salesforce.com
Scott Darren Goss, Qualcomm Incorporated
Pamela Jones Harbour, Herbalife
Michael David Hintze, Hintze Law PLLC
David Hoffman, Intel Corporation
Chris Jay Hoofnagle, University of California, Berkeley Center for Law & Technology
Michele C. Kane, The Walt Disney Company
Jerry Kang, University of California, Los Angeles School of Law
John B. Kennedy, Wiggin and Dana LLP
Lucy H. Koh, U.S. District Court, Northern District of California
Ronald D. Lee, Arnold & Porter Kaye Scholer LLP
Michael Leiter, Skadden, Arps, Slate, Meagher & Flom LLP
Paul H. Luehr, Faegre Baker Daniels
Susan Lyon-Hintze, Hintze Law PLLC
James C. McKay, Jr., Office of the Attorney General for the District of Columbia
Kenneth P. Mortensen, PricewaterhouseCoopers LLP
George M. Newcombe, Simpson Thacher & Bartlett LLP (Retired)
Karl-Nikolaus Peifer, University of Cologne, Institute for Media and Communications Law
Nancy Leeds Perkins, Arnold & Porter Kaye Scholer LLP
Robert C. Post, Yale Law School
Joel R. Reidenberg, Fordham University School of Law
Neil M. Richards, Washington University School of Law
Lee H. Rosenthal, U.S. District Court, Southern District of Texas
Mark A. Rothstein, University of Louisville School of Medicine
Ira Rubinstein, New York University School of Law
Lior Jacob Strahilevitz, University of Chicago Law School
Lee Tien, EFF
Elpidio Villarreal, GlaxoSmithKline
David C. Vladeck, Georgetown University Law Center
Peter A. Winn, U.S. Department of Justice
Christopher Wolf, Hogan Lovells US LLP
Christopher S. Yoo, University of Pennsylvania Law School
LIAISON
Pamela Dixon, World Privacy Forum
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.
Our New Privacy Awareness Training Course
Click here to see a demo or to learn more about the course.
Table of Contents
Click here to see a demo or to learn more about the course.