PRIVACY + SECURITY BLOG

News, Developments, and Insights


Webinar – Worldwide Privacy Law: New Developments

In this webinar, I discuss with other experts recently enacted privacy laws around the world, as well as new laws likely to be enacted this year. The webinar also covers enforcement trends, regional developments, and cross-border data transfer. Speakers include:

You can see the archived webinar by clicking the button below.


BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022)


I’m delighted to announce that my new book, Breached!, with Professor Woodrow Hartzog is now out in print:

BREACHED!

WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT

(Oxford University Press, March 1, 2022)

Website for Breached! 
Breached! Amazon Page

Cover - Breached - Solove & Hartzog

Excerpt from the book jacket description:

Drawing insights from many fascinating stories about data breaches, Solove and Hartzog show how major breaches could have been prevented or mitigated through a different approach to data security rules. Current law is counterproductive. It pummels organizations that have suffered a breach but doesn’t address the many other actors that contribute to the problem: software companies that create vulnerable software, device companies that make insecure devices, government policymakers who write regulations that increase security risks, organizations that train people to engage in risky behaviors, and more.

Although humans are the weakest link for data security, policies and technologies are often designed with a poor understanding of human behavior. Breached! corrects this course by focusing on the human side of security. Drawing from public health theory and a nuanced understanding of risk, Solove and Hartzog set out a holistic vision for data security law: one that holds all actors accountable, understands security broadly and in relationship to privacy, looks to prevention and mitigation rather than reaction, and works by accepting human limitations rather than being in denial of them. The book closes with a roadmap for how we can reboot law and policy surrounding data security.

Here is some additional advanced praise about the book beyond the quotes in the image above:

“A fascinating exploration of the ways that our fixation on individual data breaches has limited the effectiveness of data security law.” – Josephine Wolff, Associate Professor of Cybersecurity Policy, Tufts University

“Breached! shows how the future of data security requires us to look at the problem holistically and understand that good privacy rules can also promote good security outcomes. A breath of fresh air on an important and often-ignored topic.” – Neil Richards, Professor of Law, Washington University

“A compelling account of where data security law has gone wrong plus convincing advocacy of where it should go. This book should be read by anyone involved in privacy and cybersecurity.” – Paul Schwartz, Jefferson E. Peyser Professor of Law, Berkeley Law School

“A clear, accessible, persuasive case that data security today needs a systematic approach, far beyond just mopping up breaches. I hope every regulator or legislator working on the subject reads this book and follows their advice.” – William McGeveran, Associate Dean for Academic Affairs, U. Minnesota Law School

Breached! Amazon Page

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum, an annual event designed for seasoned professionals.

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

Privacy+Security Forum: Spring Academy

(Virtual Event | March 23-25, 2022)

Sessions and workshops on CCPA developments, CCPA litigation, state privacy law, health privacy, HIPAA, de-identification, EU privacy law, GDPR, Asian privacy law, Saudi Arabia and UAE privacy laws, cookies, PIAs, mobile apps, vendor management, ad tech, and much more!


ALI Data Privacy: Overview and Black Letter Text


The final published version of my article with Professor Paul Schwartz, ALI Data Privacy: Overview and Black Letter Text, 68 UCLA L. Rev. 1262 (2022), is now posted on SSRN and available as a free download.

The article is based on the ALI Data Privacy Principles. Professor Paul Schwartz and I were the co-reporters on the project. With a great team of advisers plus the helpful comments of ALI members, we drafted this document, which is similar to a model code.

Article abstract:

In this Article, the Reporters for the American Law Institute Principles of Law, Data Privacy provide an overview of the project as well as the text of its black letter. The Principles aim to provide a blueprint for policymakers to regulate privacy comprehensively and effectively.

The United States has long remained an outlier in privacy law. While numerous nations have enacted comprehensive privacy laws, the United States has clung stubbornly to a fragmented, inconsistent patchwork of laws. Moreover, there long has been a vast divide between U.S. and European Union (EU) approaches to regulating privacy—a divide that many consider to be unbridgeable.

The Principles propose comprehensive privacy principles for legislation that are consistent with key foundations in the U.S. approach to privacy but also better align the United States with the EU. Additionally, the Principles breathe new life into the moribund and oft-criticized U.S. notice-and-choice approach, which has remained firmly rooted in U.S. law. Drawing from a vast array of privacy laws and frameworks, and with a balance of innovation, practicality, and compromise, the Principles aim to guide policymakers in advancing U.S. privacy law.

You can download it for free on SSRN.

Download Article


A Critique of the Uniform Law Commission’s Uniform Personal Data Protection Act


In 2021, the Uniform Law Commission (ULC) finalized its Uniform Personal Data Protection Act (UPDPA), a model law intended to be a guide to states seeking to enact broad privacy laws. Unfortunately, the ULC’s law is beyond disappointing. Quite frankly, the UPDPA is quite terrible. No state should adopt it in whole or in part. It is hard to find anything to salvage in the UPDPA. It’s a law as clunky as its acronym. I find it shocking that the ULC could propose such an awful law. It is, sad to say, quite shameful.

The UPDPA is quite spare and loose. The heart of the law is basically as follows: (1) companies can use personal data without people’s consent as long as there is a “compatible data practice,” and (2) in the event of an “incompatible” data practice, companies only need to provide a chance to opt out.

The ULC has cooked up a broth that is so insubstantial, so thin and fetid, that it is hardly any different from bilge water. One might think I’m exaggerating for dramatic effect, but if you look at the law, you’ll see that my comments are far from rhetorical flourishes but are quite restrained.

More specifically, Section 7(a) provides:

A controller or processor may engage in a compatible data practice without the data subject’s consent. A controller or processor engages in a compatible data practice if the processing is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.

This provision is so vague that it permits companies to do nearly anything. Even data practices that are not expected by people are fine if a company deems them “likely to benefit data subjects substantially.” Every company thinks that what it does provides a benefit and makes the world a better place. It’s hard to imagine how anyone could fail to cook up a rationale for nearly any data use that wouldn’t somehow constitute a “compatible” practice.


The Limitations of Privacy Rights


I have posted a draft of my new article, The Limitations of Privacy Rights, on SSRN where it can be downloaded for free. The article critiques the effectiveness of individual privacy rights generally, as well as specific privacy rights such as the rights to information, access, correction, erasure, objection, data portability, automated decisionmaking, and more.

Here’s the abstract:

Individual privacy rights are often at the heart of information privacy and data protection laws. The most comprehensive set of rights, from the European Union’s General Data Protection Regulation (GDPR), includes the right to access, right to rectification (correction), right to erasure, right to restriction, right to data portability, right to object, and right to not be subject to automated decisions. Privacy laws around the world include many of these rights in various forms.

In this article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture. I advance three reasons why rights cannot serve as the bulwark of privacy protection. First, rights put too much onus on individuals when many privacy problems are systematic. Second, individuals lack the time and expertise to make difficult decisions about privacy, and rights cannot practically be exercised at scale with the number of organizations that process people’s data. Third, privacy cannot be protected by focusing solely on the atomistic individual. The personal data of many people is interrelated, and people’s decisions about their own data have implications for the privacy of other people.

The main goal of providing privacy rights is to give individuals control over their personal data. However, effective privacy protection involves not just facilitating individual control, but also bringing the collection, processing, and transfer of personal data under control. Privacy rights are not designed to achieve the latter goal, and they fail at the former goal.

After discussing these overarching reasons why rights are insufficient for the oversized role they currently play in privacy regulation, I discuss the common privacy rights and why each falls short of providing significant privacy protection. For each right, I propose broader structural measures that can achieve its underlying goals in a more systematic, rigorous, and less haphazard way.

Download Article


Privacy Papers for Policymakers Event


I’m honored and thrilled that my article with Professor Danielle Keats Citron, Privacy Harms, 102 B.U. Law Review — (forthcoming 2022), has been selected for recognition by the Future of Privacy Forum in the Privacy Papers for Policymakers Competition.

The Privacy Papers for Policymakers Event takes place on February 10, 2022 from 1 PM to 3 PM Eastern Time. The event will be virtual. Here are details about the event:

The winning authors will join FPF to present their work at a virtual event with policymakers from around the world, academics, and industry privacy professionals. The event will be held on February 10, 2022, from 1:00 – 3:00 PM EST. The event is free and open to the general public. To register for the event, please click here.

We were honored to be joined by Colorado Attorney General Phil Weiser, who will provide the keynote address. Thank you to Honorary Co-Hosts Congresswoman Diana DeGette, Co-Chair of the Congressional Privacy Caucus.

It is a privilege to be included among a wonderful group of winning articles.

Our article, Privacy Harms, will be covered in a session with myself and Danielle Citron. Maneesha Mithal will moderate. Maneesha, who had a long and terrific career at the FTC, has recently joined Wilson Sonsini as a partner.

You can download our article here. The article develops an approach for when the law should require a showing of privacy harm and when harm shouldn’t be required. The article also develops a typology of privacy harms, which is summarized in the figure below.

Figure: Typology of Privacy Harms (Citron and Solove)


TROPT Event: Foundational Privacy Conceptions


I’ll be speaking about foundational privacy conceptions in a fireside chat with Prof. Woodrow Hartzog, moderated by Lourdes Turrecha, at The Rise of Privacy Tech (TROPT) Data Privacy Day event (2 PM ET on Jan 26, 2022).

TROPT is the main event focusing on the privacy tech landscape, where innovators, investors, engineers, and experts come together.

I’m thrilled to be able to share with you a full comp to register to attend any part of the event.

Please use my free comped link to register to attend my talk (Jan 26 at 2 PM ET) and the rest of this great event.

The event will be virtual this year.


Privacy in 2022: The Year Ahead


In this free webinar, Prof. Daniel Solove discusses with a panel of experts the privacy issues to watch out for this year. Speakers include:

The webinar will be held on Thursday, January 20, 2022 at 2 PM Eastern Time.

Sign up for Privacy in 2022