PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

A Critique of the Uniform Law Commission’s Uniform Personal Data Protection Act

Critique of the ULC's Uniform Personal Data Protection Act 02

In 2021, the Uniform Law Commission (ULC) finalized its Uniform Personal Data Protection Act (UPDPA), a model law intended to be a guide to states seeking to enact broad privacy laws. Unfortunately, the ULC’s law is beyond disappointing.  Quite frankly, the UPDPA is quite terrible. No state should adopt it in whole or in part. It is hard to find anything to salvage in the UPDPA. It’s a law as clunky as its acronym.  I find it shocking that the ULC could propose such a awful law. It is, sad to say, quite shameful.

The UPDPA is quite spare and loose. The heart of the law is basically as follows: (1) companies can use personal data without people’s consent as long as there is a “compatible data practice” and (2) if the event of an “incompatible” data practice, companies only need to provide a chance to opt out.

The ULC has cooked up a broth that is so insubstantial, so thin and fetid, that it is hardly any different from bilge water. One might think I’m exaggerating for dramatic effect, but if you look at the law, you’ll see that my comments are far from rhetorical flourishes but are quite restrained.

More specifically, Section 7(a) provides:

A controller or processor may engage in a compatible data practice without the data subject’s consent. A controller or processor engages in a compatible data practice if the processing is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.

This provision is so vague that it permits companies to do nearly anything. Even data practices that are not expected by people are fine if a company deems them “likely to benefit data subjects substantially.” Every company thinks that what it does provides a benefit and makes the world a better place. It’s hard to imagine how anyone could fail to cook up a rationale for nearly any data use that wouldn’t somehow constitute a “compatible” practice.

Continue Reading

The Limitations of Privacy Rights

Limitations of Privacy Rights - Daniel Solove 02

I have posted a draft of my new article, The Limitations of Privacy Rights, on SSRN where it can be downloaded for free.  The article critiques the effectiveness of individual privacy rights generally, as well as specific privacy rights such as the rights to information, access, correction, erasure, objection, data portability, automated decisionmaking, and more.

Here’s the abstract:

Individual privacy rights are often at the heart of information privacy and data protection laws. The most comprehensive set of rights, from the European Union’s General Data Protection Regulation (GDPR), includes the right to access, right to rectification (correction), right to erasure, right to restriction, right to data portability, right to object, and right to not be subject to automated decisions. Privacy laws around the world include many of these rights in various forms.

In this article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture. I advance three reasons why rights cannot serve as the bulwark of privacy protection. First, rights put too much onus on individuals when many privacy problems are systematic. Second, individuals lack the time and expertise to make difficult decisions about privacy, and rights cannot practically be exercised at scale with the number of organizations than process people’s data. Third, privacy cannot be protected by focusing solely on the atomistic individual. The personal data of many people is interrelated, and people’s decisions about their own data have implications for the privacy of other people.

The main goal of providing privacy rights aims to provide individuals with control over their personal data.  However, effective privacy protection involves not just facilitating individual control, but also bringing the collection, processing, and transfer of personal data under control. Privacy rights are not designed to achieve the latter goal; and they fail at the former goal.

After discussing these overarching reasons why rights are insufficient for the oversized role they currently play in privacy regulation, I discuss the common privacy rights and why each falls short of providing significant privacy protection. For each right, I propose broader structural measures that can achieve its underlying goals in a more systematic, rigorous, and less haphazard way.

Download Article

Continue Reading

Privacy Papers for Policymakers Event

FPF Privacy Papers for Policymakers 2022

I’m honored and thrilled that my article with Professor Danielle Keats Citron, Privacy Harms102 B.U. Law Review — (forthcoming 2022) has been selected for recognition by the Future of Privacy Forum in the Privacy Papers for Policymakers Competition.

Maneesha MithalThe Privacy Papers for Policymakers Event takes place on February 10, 2022 from 1 PM to 3 PM Eastern Time.  The event will be virtual. Here are details about the event:

The winning authors will join FPF to present their work at a virtual event with policymakers from around the world, academics, and industry privacy professionals. The event will be held on February 10, 2022, from 1:00 – 3:00 PM EST. The event is free and open to the general public. To register for the event, please click here.

We were honored to be joined by Colorado Attorney General Phil Weiser, who will provide the keynote address. Thank you to Honorary Co-Hosts Congresswoman Diana DeGette, Co-Chair of the Congressional Privacy Caucus.

It is a privilege to be included among a wonderful group of winning articles.

Our article, Privacy Harmswill be covered in a session with myself and Danielle Citron. Maneesha Mithal will moderate. Maneesha, who had a long and terrific career at the FTC, has recently joined Wilson Sonsini as a partner.

You can download our article here. The article develops an approach for when the law should require a showing of privacy harm and when harm shouldn’t be required. The article also develops a typology of privacy harms, which is summarized in the figure below.

Typology of Privacy Harms - Citron and Solove 06

Continue Reading

TROPT Event: Foundational Privacy Conceptions

Foundational Privacy Conceptions

I’ll be speaking about foundational privacy conceptions in a fireside chat with Prof. Woodrow Harzog and moderated by Lourdes Turrecha at The Rise of Privacy Tech (TROPT) Data Privacy Day event (2 PM ET on Jan 26, 2022).

TROPT is the main event focusing on the privacy tech landscape, where innovators, investors, engineers, and experts come together.

I’m thrilled to able to share with you a full comp to register to attend any part of the event.

Please use my free comped link to register to attend my talk (Jan 26 at 2 PM ET) and the rest of this great event.

The event will be virtual this year.

Continue Reading

Privacy in 2022: The Year Ahead

Privacy in 2022

In this free webinar, Prof. Daniel Solove discusses with a panel of experts the privacy issues to watch out for this year. Speakers include:

The webinar will be held on Thursday, January 20, 2022 at 2 PM Eastern Time.

 Sign up for Privacy in 2022

 

Continue Reading

2021 Highlights: New Privacy Training Courses

Highlights 2021 - New Privacy Training Courses

Here are the highlights of my new privacy training courses from 2021.

Privacy Training

 

CPRA (10 min and 15 min)

Data Mapping

Data Mapping Training

Dark Patterns

Dark Patterns Training Course

Global Privacy and Data Protection (non-illustrated version) (25 min)

General Privacy Awareness Course

Privacy and Data Security combo (25 min)

Module Privacy and Data Security 01

See more Privacy Training Courses.

 

Continue Reading

Automating Privacy Incident and Breach Response: An Interview with Andy Lunsford

Automating Privacy Incident and Breach Response

Privacy law compliance and data breach response involve tasks of great complexity and scale that can quickly overwhelm an organization’s privacy team. Technologies have emerged to automate these tasks, but there are many decisions to make about which tasks to automate and which solutions to use.

I recently had a chance to chat with Andy Lunsford is CEO and Founder of BreachRx, a technology company that automates privacy incident and breach response. Prior to founding BreachRx, Andy spent 15 years working in privacy law and large-scale commercial litigation. Andy has a BA from Washington and Lee University, a JD from the University of Arkansas, and an MBA from the Wharton School of the University of Pennsylvania.

Continue Reading

2021 Highlights: Writing and Webinars

 

Highlights 2021 Prof Solove Scholarship

SCHOLARSHIP

Nothing to Hide: The False Tradeoff
Between Privacy and Security

I posted the full text of my book, NOTHING TO HIDE: THE FALSE TRADEOFF BETWEEN PRIVACY AND SECURITY (Yale University Press 2011) on SSRN for free.

Privacy Harms 

Typology of Privacy Harms - Citron and Solove 06Privacy Harms (with Danielle Keats Citron) forthcoming 102 B.U. Law Review __ (2022). You can download the latest draft for free on SSRN.

Continue Reading