PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Video – Privacy Conversations – Schrems II Aftermath with Justin Antonipillai and Peter Swire

 

In this video, I discuss the aftermath of Schrems II with Justin Antonipillai (Wirewheel) and Peter Swire (Georgia Tech and Alston & Bird).

Peter Swire’s new Lawfare piece on how to address the individual redress issue is After Schrems II: A Proposal to Meet the Individual Redress Challenge.

Continue Reading

Schrems II: Reflections on the Decision and Next Steps

Schrems II - US Surveillance Law

Professor Paul Schwartz and I recently edited the Schrems II decision for our Information Privacy Law casebook.  Schrems II is short for Facebook Ireland Ltd. v. Maximillian Schrems — the second challenge by Maximillian Schrems to the transfer of data between the EU and US.  In Schrems I, the European Court of Justice (CJEU) invalidated the Safe Harbor Arrangement, which was a special arrangement to transfer personal data from the EU to the US.  Schrems II invalidated Privacy Shield and put other data transfer mechanisms into significant doubt. Editing the opinion was truly a challenging task, as the court’s prose is incredibly formal, wordy, and dry. After whittling it down to a few pages, I think I understand it a lot better, and I have the following reflections on the opinion as well as where we go from here.

Continue Reading

Video: Schrems II Initial Reactions with Daniel Solove, Justin Antonipillai, Gabriela Zanfir-Fortuna, Jocelyn Aqua, Ralf Sauer, and Bob Litt

 

Yesterday, the European Court of Justice issued its decision in Facebook Ireland v. Schrems, a case known as Schrems II.  The court’s opinion sent shock waves throughout the privacy world.  I had a terrific discussion with Justin Antonipillai (Wirewheel), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Ralf Sauer (European Commission), Jocelyn Aqua (PwC) and Bob Litt (Morrison & Foerster, former General Counsel for the Director of National Intelligence) about the case.  The video is about 1 hour and 20 minutes long.

 

Continue Reading

The Schrems II Decision

Privacy Shield

The European Court of Justice has finally issued its decision in Facebook Ireland Ltd. v. Maximillian Schrems — otherwise known as Schrems II.

The full text of the Schrems II opinion is here.

The result: The US-EU Privacy Shield Framework is invalid.  The Standard Contractual Clauses are valid.  Ultimately, this means that it is still possible to transfer personal data from the EU to the US, but the US no longer enjoys the special arrangement it had with Privacy Shield. The US is now just like any other country.

Before folks cheer about the survival of the Standard Contractual Clauses (SCC), it should be noted that the ECJ didn’t say that data transfers pursuant to the SCC are automatically valid. Instead, the data controller or processor must “verify, on a case-by-case basis . . . whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” The problem is that it is difficult to imagine how one can verify that the United States (or many other countries with extensive government surveillance) are ensuring adequate protection.  According to the U.S. Supreme Court, contracts can’t give rise to a reasonable expectation of privacy to override the Third Party doctrine.  Controllers or processors can’t fix the lack of standing in Clapper v. Amnesty International. 

Some key quotes from the opinion:

Continue Reading

Video: Schrems II Initial Reactions with Daniel Solove, Justin Antonipillai, Gabriela Zanfir-Fortuna, Ralf Sauer, and Bob Litt

Video - discussion of Scrhems II

The European Court of Justice just issued its decision in Facebook Ireland v. Schrems, and the court’s opinion sent shock waves throughout the privacy world.  I had a terrific discussion with Justin Antonipillai (Wirewheel), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Ralf Sauer (European Commission), and Bob Litt (Morrison & Foerster, former General Counsel for the Director of National Intelligence) about the case.  The video is about 1 hour long.

 

Continue Reading

The Three General Approaches to Privacy Regulation

Three Approaches to Privacy Law

These days, the debate about a federal comprehensive privacy law is buzzing louder than ever before. A number of bills are floating around Congress, and there are many proposals for privacy legislation by various groups, organizations, and companies.  As proposals to regulate privacy are debated, it is helpful to distinguish between three general approaches to regulating privacy:

  1. Privacy Self-Management
  2. Governance and Documentation
  3. Use Regulation

Most privacy laws rely predominantly on one of these approaches, with some laws drawing from two or even all of them.

Each approach has various strengths and weaknesses.  To be successful, a privacy law must use all three approaches. Many laws could be strengthened greatly if they used more of the third approach that I will outline below.

Continue Reading

Video- Challenges of Privacy Notices, Schrems II, and Other Privacy Issues – A Conversation with Daniel Solove, Justin Antonipillai, and Andy Dale

Video Solove Antonipillai Dale

In this video, Daniel Solove (TeachPrivacy, GW Law), Justin Antonipillai (Wirewheel), and Andy Dale (Alyce) discuss the challenge of writing privacy notices, Schrems II, and other privacy issues.

Continue Reading

How Cyberinsurance Is Responding to Ransomware: An Interview with Ken Suh, Mark Singer, and Marcello Antonucci

Ransomware has long been a scourge, and it has been growing into a pandemic with no signs of slowing down. I recently had the opportunity to discuss ransomware with several experts at Beazley. Based in Chicago, Ken Suh is the focus group leader for cyber & tech claims at Beazley. Mark Singer is a cyber & tech claims manager based in Beazley’s London office. Marcello Antonucci is based in New York and is a global cyber & tech claims team leader at Beazley.

 

Continue Reading