PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Are Many Privacy Violations Also Data Breaches?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 23, 2023

Privacy and Security

Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.

Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.”  Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation

In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule. 

  1. In In Re GoodRx Holdings, Inc., (FTC 2023) the FTC claimed that GoodRx shared health data with advertisers, contradicting its privacy notice that stated it didn’t share such data with third parties. This is traditionally a privacy violation — a classic broken promises case.  But the FTC contended that this was a data breach because the third parties obtained the data without the proper authorization.  The FTC imposed a $1.5 million penalty for violating the Rule.
  2. In another case from this year, In re Easy Healthcare Corp., (FTC 2023), a fertility app called Premom shared user health data with third parties in violation of its privacy notice. The FTC asserted that this was a data breach that should have been reported under the Health Breach Notification Rule.

These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.

Continue Reading

Dataministeriet Podcast Interview About Privacy Law

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 1, 2023

DataMinisteriet logo

I had a great discussion with Filip Johnssén about various privacy law issues on his podcast, Dataministeriet. It begins in Swedish, then turns to English after a brief introduction.

Listen Button

Continue Reading

Webinar The Quantified Worker AI and Employment Blog

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 28, 2023

If you couldn’t make it to my recent webinar to discuss Ifeoma Ajunwa’s book, The Quantified Worker: Law and Technology in the Modern Workplace, you can watch the replay here. I had a great discussion with Ifeoma Ajunwa, Pauline Kim, and Matthew Bodie on the use of AI in hiring decisions and for other employment purposes.

Button Watch Webinar 02

Continue Reading

Counterman and the U.S. Supreme Court’s Overly Mechanical First Amendment Protection of Threats

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 28, 2023

Threat Counterman 01

In Counterman v. Colorado (June 27, 2023), the U.S. Supreme Court held that in order for a defendant to be convicted of a crime for making a threat to another person, the “State must show that the defendant consciously disregarded a substantial risk that his communications would be viewed as threatening violence.”  In other words, the Court held that subjective intent (recklessness) must be required for criminalizing threats. The Court held that objective reasonableness isn’t restrictive enough a standard to criminalize threats.

For a period of years, Counterman harassed a woman online by sending hundreds of Facebook messages. Whenever she would block him, he created a new account and kept sending messages. The messages said that he was watching her, described her activities, and also made angry threats of violence.  According to the Court’s summary of the facts:

She believed that Counterman was “threat[ening her] life”; “was very fearful that he was following” her; and was “afraid [she] would get hurt.” As a result, she had “a lot of trouble sleeping” and suffered from severe anxiety. She stopped walking alone, declined social engagements, and canceled some of her [singing] performances, though doing so caused her financial strain. Eventually, C. W. decided that she had to contact the authorities.  (citations omitted)

Counterman was convicted of violating a Colorado statute that criminalizes one who:

Repeatedly follows, approaches, contacts, places under surveillance, or makes any form of communication with another person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship in a manner that would cause a reasonable person to suffer serious emotional distress and does cause that person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship to suffer serious emotional distress. Colo. Rev. Stat. §18–3–602(1)(c) (2022).

The Court began by stating that “[t]rue threats of violence, everyone agrees, lie outside the bounds of the First Amendment’s protection.” However, the Court held that the absence of a subjective mental state “will chill protected, non-threatening speech” and that at least recklessness must be proven as to the speech’s threatening character.

This holding, however, is problematic for protecting people against online threats of violence. Ironically, under the reckless standard required by Counterman, a deranged stalker will fare better than one who understands what is reasonable; the deranged stalker’s threats can’t be criminalized. The most frightening threats are those by obsessed stalkers who have no awareness of unreasonable they are being.  These people are acting beyond reason. They are unhinged.

Continue Reading

ABA Event on Privacy and Consent

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 12, 2023

ABA Webinar - Privacy and Consent

On Thursday, June 22 at 12pm EST, I’ll be speaking on a webinar hosted by the ABA on Privacy and the Ongoing Viability of Consent. I’ll be discussing the background and effectiveness of the consent model with Jessica Rich and Aryeh Friedman.

You can find more information about the event and how to register here.

Button Register

I will be speaking about my recent article Murky Consent: An Approach to the Fictions of Consent in Privacy Law.

Article - Solove - Murky Consent 03a

Download Button 01

Continue Reading

Video of My Children’s Book, THE EYEMONGER

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 11, 2023

Eyemonger Video Title Page

Here’s an animated video of my children’s book, The Eyemonger, that I narrated.

Cover Eyemonger Solove If you want the print version, click here to order the book on Amazon.

I also have free resources for parents and teachers to accompany the book.

Publisher’s Weekly writes that The Eyemonger is a “delightfully illustrated story concerned with issues of privacy. . . . Solove’s underlying theme and catchy rhymes sit perfectly on the cusp of children’s and middle-grade reading levels, and Beckwith’s eye-catching and brilliantly detailed illustrations will inspire young imaginations to soar.”

 

Continue Reading

Cartoon: AI Experimentation and Regulation

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 11, 2023

Cartoon AI Experimentation Law Innovation - TeachPrivacy Training 02

Here’s a new cartoon on artificial intelligence, experimentation, and regulation. Creators of new technology often extol the virtues of experimentation. When it comes to policymakers experimenting with legal regulation, I often hear a different tune from those creating new technology. But they are experimenting with our lives and well-being, with society and democracy. Law, too, is an experiment. We often don’t know what works until we try it.  So, while those developing new technologies experiment on society, is it so wrong for society to experiment in return?

Continue Reading

The Prediction Society: Algorithms and the Problems of Forecasting the Future

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 20, 2023

The Prediction Society - Algorithms and the Problems of Forecasting the Future 02

I am excited to share my new paper draft with Hideyuki (“Yuki”) Matsumi, The Prediction Society: Algorithms and the Problems of Forecasting the Future.  The paper is available for free on SSRN.

Download Article

Yuki is currently pursuing a PhD at Vrije Universiteit Brussel. Yuki began his career as a technologist, then turned to law, where he has been exploring predictive technologies for more than a decade. The origins of this article trace back to 2011, when Yuki was my student. I supervised Yuki’s thesis about predictive technologies. His work was way ahead of its time. I am beyond thrilled to join him now on exploring these issues. Writing this paper with Yuki has been a terrific experience, and I have learned a tremendous amount in working with him.

We aim to add a unique and important contribution to the discourse about AI, algorithms, and inferences by focusing specifically on predictions about the future. We argue that the law should recognize algorithmic predictions about the future as distinct from inferences about the past and present. Algorithmic predictions about the future present a special set of problems that aren’t addressed by the law. The law’s existing tools and rights are ill-suited for predictions. We examine in depth the issues the law must consider when addressing these problems.

I’m really happy about how the paper turned out, and I want to note that I played but a supporting role.  Yuki has been the driving force behind this paper.  I joined because I find the issues to be fascinating and of the utmost importance, and I believe we have something important to add to the discussion. We welcome feedback.

Continue Reading