If you couldn’t make it to my recent webinar on privacy and consumer choice, you can watch the replay here. I discussed the challenges of consumer choice in privacy with Christine Lyon (Freshfields), and Troy Sauro (Google).
I also have a paper on these issues that might be of interest, The Limitations of Privacy Rights, forthcoming in Notre Dame Law Review. You can download it here for free.
I’ve read many things about ADPPA, and I’ve written a few things about it as well. I remain highly ambivalent about the law; I truly am torn. Below are a few of the pieces that are especially insightful on different sides of the issue.
On Thursday, September 8, 2022 I will be speaking with Peking University Law School about my paper, The Limitations of Privacy Rights, 98 Notre Dame Law Review __ (forthcoming 2023). Here’s a very brief synopsis of the paper:
Privacy laws often rely too heavily on individual rights, which are at most capable of being a supporting actor, a small component of a much larger architecture. This article discusses the common privacy rights, why each falls short, and the types of broader structural measures that can protect privacy in a more systematic, rigorous, and less haphazard way.
If you couldn’t make it to my webinar to discuss a federal comprehensive privacy law you can watch the replay here. I spoke with an all-star set of speakers to discuss the American Data Privacy and Protection Act (ADPPA), a bill that Congress might enact as the first federal comprehensive privacy law in the U.S. Speakers include:
– Daniel Solove, GW Law and TeachPrivacy
– Omer Tene, Goodwin Proctor
– Susan Hintze, Hintze Law
– Jody Westby, Global Cyber Risk
– Alan Butler, EPIC
– Alastair Mactaggart, caprivacy.org
Professor Woodrow Hartzog and I have posted on SSRN another free chapter from our recent book. The chapter is entitled Unifying Privacy and Data Security.
The chapter is about the relationship between privacy and data security, and it can be read as a stand-alone essay. With our publisher’s gracious permission, we’re making this chapter available to download for free. Here’s the abstract:
Unifying Privacy and Data Security
This book chapter discusses the relationship between privacy and data security. Privacy is a key and underappreciated aspect of data security. Right now, there is a schism between privacy and security in companies. Privacy functions are commonly addressed by the compliance and legal departments, while security is handled by the information technology department. The two areas are commonly split apart and rarely speak to each other.
The chapter argues that we should bridge data security and privacy and make them go hand-in-hand in both law and policy. Strong privacy rules help create accountability for the collection, use, and dissemination of personal information and can reduce vulnerabilities and risk by minimizing the use and retention of personal information. Good privacy strengthens security. The chapter specifically focuses on the importance of data minimization and data mapping as privacy practices that have tremendous benefits for data security.
This piece is Chapter 7 of my book with Woodrow Hartzog, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022). In the book, we explore the shortcomings of data security law. We argue that the law fails because, ironically, it focuses too much on the breach itself.
I recently wrote a post about my concerns about the American Data Privacy and Protection Act (ADPPA) (updated version after markup is here), a bill making its way through Congress that has progress further than many other attempts at a comprehensive privacy law. Despite grading the law a B+, I was skeptical of the law because it would preempt state laws, a provision I believe to be a Faustian bargain. Here’s an updated version of the ADPPA after markup.
Omer Tene (Goodwin Procter LLP) has a series of tweets expressing puzzlement at my reaction to the law. He thinks I should be dancing in the streets. He writes that he is “genuinely puzzled by the logic here. Dan argues against passage of a good federal privacy law (he gives it a B+) bc it might be outdated in 20 years.” He argues that my concerns will be the same with every federal law because there won’t be a federal law without preemption. “[W]hat’s the alternative? Omer asks. “Having no federal law to update in 20 years? How’s that any better?” He further argues that “if the preferred option is state by state, it’s a very poor option. Dan and others have rightfully criticized the weak tea brewed by the states. ADPPA blows every one of the state laws out of the water.” Omer contends that the “ADPPA is *far* stronger than CPRA. Even in California. Not to mention it would also apply in 49 other states.”
Woodrow Hartzog and I wrote a new article about data breaches called “Data Vu: Why Breaches Involve the Same Stories Again and Again.” We discuss how data breaches involve the same old mistakes and how we must break the cycle. We begin:
In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.
Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil eventually figured out how to break the loop, we’re still stuck: the same types of data breaches keep occurring with the same plot elements virtually unchanged.
Like Phil eventually managed to do, we must examine the recurring elements that allow data breaches to happen and try to learn from them. Common plotlines include human error, unnecessary data collection, consolidated storage and careless mistakes. Countless stories involve organizations that spent a ton of money on security and still ended up breached. Only when we learn from these recurring stories can we make headway in stopping the cycle.
Head over to Scientific American to read the rest of the article.
The article draws from some of the ideas in my book with Hartzog, Breached! Why Data Security Law Fails and How to Improve It (Oxford University Press, 2022).
NBC Think Again did a short feature about my article, “I’ve Got Nothing to Hide and Other Misunderstandings of Privacy.” In this interview we talk about what privacy really means and how little of it we actually have.
Click here to watch this interview, or watch it in the embedded video below.
A federal comprehensive privacy law in the United States? Can it really be true? Could this finally be the time it happens?
Eventually, maybe the lion really will lie down the lamb. Maybe the Loch Ness Monster will be located. Maybe Congress will finally join 150+ other countries around the world and pass a comprehensive privacy law. Maybe, just maybe . . .
The United States recently inched closer to this occurrence. I see hope breaking out all over the Twitterverse. The American Data Privacy and Protection Act (ADPPA) advanced out of Committee. This is still an early round in the Squid Game of making a law in this country, but this law might have what it takes. It could go all the way.
I’ve learned not to put too much faith in Congress. I am not going to be Charlie Brown with the football. Back around 2005, after the ChoicePoint data breach, as states all started eyeing California’s breach notification law with envy and started to craft laws of their own, I thought for sure Congress would pass a federal data breach notification law.
But I was wrong. Congress failed. Breach notification was an easy issue for Congress to address – far easier than a comprehensive privacy law which is swamped with a multitude of complicated issues. But maybe this is the time. After all, in the movies the hapless underdog somehow finds a way to win. Sometimes, life imitates the movies, and we all need a feel-good story during these dark summer days.
The ADPPA bill itself isn’t too bad. In my view, Congress is generally a D student when writing laws, and the ADPPA is a B+.
Powered by recent privacy laws, lawsuits for wrongful data collection have been rapidly increasing. The result is a growing body of caselaw, many unanswered questions, and a new landscape for companies to navigate.
I recently had the opportunity to discuss the expanding number of wrongful collection lawsuits with several experts at Beazley. Based in Denver, Katherine Heaton is the Focus Group Leader for Cyber Services and InfoSec at Beazley. Amanda Thai is a Cyber TPL Specialist in Beazley’s New York office.