All posts in Privacy Laws

Why I Love the GDPR: 10 Reasons

Daniel Solove
Founder of TeachPrivacy

GDPR Love 01

I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.

There, I said it. . .

In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.

But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law.  Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.

The GDPR is the most profound privacy law of our generation.  Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition.  Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.

Here are 10 reasons why I love the GDPR:

(1) Omnibus and Comprehensive

EU GDPRUnlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.

This baseline is important.  In the US, protection depends upon not just the type of data but the entities that hold it.  For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities.  Health data people share with a health app, for example, might not be protected at all by HIPAA.  This is quite confusing to individuals.  In the EU, the baseline protections ensure that nothing falls through the cracks.

Continue Reading

FERPA Whiteboard and FERPA Interactive Whiteboard

Daniel Solove
Founder of TeachPrivacy

FERPA Whiteboard - TeachPrivacy FERPA Training

Recently, I created two new FERPA training resources.

FERPA Whiteboard

I created a 1-page visual summary of FERPA, which I call the FERPA WhiteboardThe idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

FERPA Interactive Whiteboard

I subsequently created a new training module — an interactive version of the FERPA Whiteboard — the FERPA Interactive Whiteboard When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about FERPA.  It can also be used in learning management systems.

Continue Reading

Should Privacy Law Regulate Technological Design? An Interview with Woodrow Hartzog

Daniel Solove
Founder of TeachPrivacy

Blueprint Privacy 03

Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?

Continue Reading

My Privacy and Security Scholarship in 2017

Daniel Solove
Founder of TeachPrivacy

Scholarship about Privacy and Security

In this post, I provide a brief overview of my scholarship last year.

Risk and Anxiety: A Theory of Data Breach Harms 

I co-authored  Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron.  The piece is forthcoming in Texas Law Review this year.  Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse.  Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?”  We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.

Download Risk and Anxiety: A Theory of Data Breach Harms for free

Continue Reading

GDPR Training, Writings, and Resources: Roundup from the Past Year

Daniel Solove
Founder of TeachPrivacy

General Data Protection Regulation - GDPR - Training Resources by Prof. Daniel Solove

The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs.  In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.

GDPR Whiteboard

GDPR Whiteboard - TeachPrivacy Privacy Awareness Training 02 small

200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of  GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.

GDPR Interactive Whiteboard

GDPR Whiteboard Interactive - TeachPrivacy GDPR Training

I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)

The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.

A Guide to GDPR Training

A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.

The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO)  is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:

  • basic privacy awareness training for your general workforce
  • advanced training for personnel who need more detailed knowledge of GDPR
  • role-based training specific to an individual’s job function.

I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.

GDPR (Short Introductory Course ~ 7 Mins)

GDPR Training

This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series  –  Privacy Shield and European Union Privacy Law.

COURSE OUTLINE:

  • Structure
    Scope
    Personal Data
    Sensitive Data
    Data Controllers and Data Processors
    Supervisory Authority
    Enforcement
    Rights and Responsibilities
    International Data Transfer
  • Rights and Responsibilities
    Transparency
    Purpose Specification and Minimization
    Consent
    Right to Erasure
    Right to Data Portability
    Data Protection by Design
    Data Protection Impact Assessments
    Record of Data Processing Activities
    Data Breach Notification
  • International Data Transfer

Global Privacy and Data Protection
(Privacy Awareness Course ~20 Mins or ~30 Mins)

 

 This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations.  I updated this program for GDPR.  The course focuses on three main issues:

  • Why is privacy important?
  • What is personal data?
  • How do we protect privacy?

COURSE OUTLINE:

  • The Purpose of this Training
    Personal Data
    People Care About Privacy
    Your Role
  • Why We Protect Personal Data
    Respect
    Preventing Harm
    Trust
    Reputation
    Legal Compliance
    Contractual Compliance
  • What is Personal Data?
    Identifying Personal Data or PII
    Sensitive Data
  • Data Collection
    Lawful Basis
    Data Collection Limitation
  • Data Handling and Processing
    Limited Access
    Confidentiality
    Security Safeguards
  • Use of Personal Data
    Purpose Specification
  • Individual Knowledge and Participation
    Notice
    Access and Correction
    Consent
    Right to Erasure
    Right to Data Portability
  • Transfer and Sharing of Data
    International Transfers of Data
    Sharing Data with Third Parties
  • Accountability
    Privacy by Design
    Ask the Privacy Office

GDPR’s Broad Scope: A Short Vignette

GDPR Humorous Vignette

Please check out our humorous 1-minute video vignette about the GDPR.

CARTOONS

Preparing for GDPR

 

Taking Privacy Seriously

cartoon-gdpr-training-privacy-shield-training-01

Silencing #MeToo: How NDAs and Litigation Stifle Victims, Innovators, and Critics — An Interview with Orly Lobel

Daniel Solove
Founder of TeachPrivacy

 

Countless women have been coming forward to say #MeToo and share their traumatic stories of sexual harassment and assault. But there are many stories we’re not hearing. These stories are being silenced by extremely broad nondisclosure agreements (NDAs), some made at the outset of employment and others when settling litigation over sexual harassment. They stop victims from talking. They also silence other employees who witness sexual harassment of co-workers. NDAs were a powerful device used by Harvey Weinstein to hush up what he was doing.

In her new book, You Don’t Own Me: How Mattel v. MGA Entertainment Exposed Barbie’s Dark Side, Professor Orly Lobel tells a fascinating story about the Barbie versus Bratz litigation, which went on for about a decade. Her book is a page turner — told as a story that could readily be a movie. The book succeeds brilliantly as a gripping tale. But it goes beyond great storytelling to explore many important issues related to business, employment, and intellectual property: the enormous power of corporate employers, the weaponized use of intellectual property to stifle innovation, the dismal failure of business ethics, the troubling use of nondisclosure agreements (NDAs) to maintain dominance and power, and the punishing litigation process. Continue Reading

The U.S. Congress Is Not the Leader in Privacy or Data Security Law

Daniel Solove
Founder of TeachPrivacy

Capitol Sinking 01

A common myth is that the U.S. Congress is a leader in creating privacy and data security law.  But this has not been true for quite some time.  Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.

In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws.  Here are some of the most prominent of these statutes:

Continue Reading

New Edition of Privacy Law Fundamentals

Daniel Solove
Founder of TeachPrivacy

Privacy Law Fundamentals

I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS  (IAPP 2017)  (co-authored with Professor Paul Schwartz) is now out in print.  This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.

Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.

“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.

“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field.  It is a gem.” — Kurt Wimmer, Covington & Burling LLP

“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum

“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology

You can get a copy at IAPP’s bookstore or at Amazon.  For general information about this book as well as all my textbooks and useful resources, visit our Information Privacy Law textbook website.

The full table of contents is below:

Continue Reading

A Brief History of Information Privacy Law

Daniel Solove
Founder of TeachPrivacy

I recently updated my book chapter, A Brief History of Information Privacy Lawwhich appears in the new edition of PLI’s Proskauer on Privacy.

This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.

The chapter can be downloaded for free here.

Here is the table of contents:

Continue Reading

The Digital Person: Technology and Privacy in the Information Age

Daniel Solove
Founder of TeachPrivacy

 

Digital Person: Technology and Privacy in the Information Age

 

I am now offering the full text of my book The Digital Person:  Technology and Privacy in the Information Age (NYU Press 2004) online for FREE download.

Continue Reading