I had the opportunity to interview Mark Singer and Raf Sanchez, both at Beazley, about the issue of profiling and the GDPR. Mark Singer is a member of the Cyber & Executive Risk Group at Beazley. Mark handles insurance coverage issues arising out of cybersecurity, technology errors and omissions, data privacy, intellectual property, media and advertising liabilities. Raf Sanchez leads the international Beazley Breach Response Services team at Beazley and is responsible for incident response in all territories outside the US and Canada.
I’m thrilled that the American Law Institute (ALI) has approved the Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project. According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”
The project involves our attempt to create a comprehensive approach to data privacy for the U.S. that bridges the divide with the EU. For example, there are many provisions in the General Data Protection Regulation (GDPR) that are not as incompatible with U.S. law as one might think. We bring U.S. law most of the way there, but we preserve core commitments in U.S. law that cannot readily be made consistent with the EU approach. We also have some new approaches to certain issues that haven’t yet been tried in quite the same ways in other laws before, such as our approach to transparency and notice, as well as our approach to handling the identifiability of personal data. The Principles of the Law, Data Privacy is not an attempt to write our ideal privacy law as if drafting on a blank slate. Nor is it an attempt to restate existing law. Instead, it is something in between. We build on foundations in existing law and look for ways the law can be advanced progressively without clashing with core commitments or introducing concepts that are without precedent.
Thus, our goal has been to produce a balanced compromise, an approach to advance U.S. privacy law significantly without being radical. I am certain industry and advocates will find things they like and things that they wish were different. This isn’t the law I’d write if I were writing on a blank slate. But it is, I hope, a big step forward.
We hope this project is useful to legislatures working on privacy legislation, to other policymakers, and to everyone who is thinking about privacy law.
We want to thank our advisory group and the ALI members who contributed greatly to this project. The ALI process is a wonderful one — a thoughtful constructive discussion about how to craft meaningful regulation between practitioners, judges, and academics, among others.
The final draft will be released very soon. Paul and I will be posting the blackletter portion of the project. The entire document, which consists of our commentary, notes, and illustrations — including the support for and rationales behind the provisions — will be available from the ALI. Please stay tuned.
As a teaser, below is the table of contents.
I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help to assess how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States. But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA. For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks. Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the list, but HIPAA is limited to certain forms of health data.
The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.
I am pleased to announce the publication of the new edition of PRIVACY LAW FUNDAMENTALS, my short guide to privacy law with Prof Paul Schwartz. The purpose of this compact treatise is to distill the vast terrain of privacy law to the essential cases, regulations, statutes, and other notable developments. We aim to provide what you need to know about privacy law in a concise volume that doesn’t weigh 500 pounds. We hope that this book will serve as a privacy law reference that you can readily keep at hand.
Please visit my casebook website — Information Privacy Law — to find out more info about this book, as well as my casebooks with Paul Schwartz.
I hope that you can join us for the International Privacy+Security Forum (April 3-5, 2019 in Washington, DC).
The International Privacy+Security Forum is an annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC. The Int’l Forum event focuses on privacy and security laws from around the world. The main feature of Forum events is that we have deep-dive sessions on topics. We attract highly seasoned professionals, and we encourage highly interactive sessions.
We will have 100+ speakers and about 40 sessions.