PRIVACY + SECURITY BLOG

News, Developments, and Insights

Webinar Cross Border Data Transfer

In this webinar, Daniel Solove (GW Law and TeachPrivacy), Justin Antonipillai (WireWheel), Peter Swire (Alston & Bird), Kenneth Propp (Atlantic Council), and Shannon Yavorsky (Orrick) discuss the latest developments regarding cross-border data transfers.

Why Privacy Matters: An Interview with Neil Richards

Professor Neil Richards has published a new book, Why Privacy Matters (Oxford University Press 2021), and it’s the perfect holiday gift for anyone interested in privacy.

Neil Richards is one of the world’s leading privacy experts. He holds the Koch Distinguished Chair in Law at Washington University in St. Louis where he also directs the Cordell Institute. He has published widely across the full range of privacy issues, and he has served as an expert in a number of high-profile privacy cases, most notably for the Irish government in the case of Data Protection Commissioner v. Facebook, more commonly known as “Schrems 2.”

Webinar: China’s PIPL – A New Era of Privacy in China

In this webinar (1 hour), Daniel Solove, Justin Antonipillai (CEO and Founder of WireWheel), Mingli Shi (Qualcomm), and Edward R. McNicholas (Ropes & Gray) discuss China’s Personal Information Privacy Law (PIPL). The discussion covers how China’s PIPL compares to the EU’s GDPR, keys to compliance, and potential future developments on privacy and security law in China.

A Provocative Critique of Privacy Law: An Interview with Ari Waldman

I’m delighted to be interviewing Professor Ari Waldman (Northeastern Law), who has published Industry Unbound: The Inside Story of Privacy, Data, and Corporate Power (Cambridge University Press 2021), a provocative new book about privacy law and privacy programs at corporations.

In his book, Ari delivers an eviscerating critique of privacy law and of the approach to protect privacy through internal privacy programs at organizations. Although I diverge from Ari in that I believe that many privacy law provisions and privacy programs are generally a good thing, his critique makes many salient points that must be reckoned with. Privacy law and compliance have significant shortcomings that should be addressed.

Cartoon: Implantable Devices and Privacy

This cartoon is about implantable devices and privacy. Increasingly, devices require subscriptions, and there is tremendous lock-in, as the devices can only work with a particular company’s services. Implantable devices up the ante – a person could be locked in for life. The law must address lock-in with more than data portability. When there are compelling reasons, such as devices that cannot readily be replaced, the law should require companies to allow other companies to supply necessary services to keep devices functioning.

Privacy Harms: A New Version

[Diagram: Typology of Privacy Harms (Citron and Solove)]

Professor Danielle Citron and I have thoroughly revised our article, Privacy Harms, forthcoming 102 B.U. Law Review __ (2022). You can download the latest draft for free on SSRN.

Some of the things we updated:

  • We reordered the piece to discuss earlier on our theory of when harm should be required.
  • We added a discussion of why recognizing privacy harm is important.
  • We rethought the typology to add top-level categories and subcategories. We had received feedback from a number of people that the typology was unwieldy because we had too many categories and many seemed to overlap. Our new structure now has 7 top-level categories.
  • We added short descriptions of each type of harm at the beginning of each section.
  • We added commentary about the recent Supreme Court case on standing, TransUnion v. Ramirez.
  • We added a diagram of the harms, which is above.

There are other changes, too, but the ones above are the most relevant ones.  We’re still editing the piece, so we welcome additional feedback. The piece will be published in 2022.

You can read the latest draft here.

Abstract:

Continue Reading

China’s Personal Information Protection Act (PIPL): Whiteboard and Training Course

I am pleased to announce that I created a new whiteboard and training course for China’s Personal Information Protection Law (PIPL).

The PIPL is China’s first comprehensive privacy law, and it has several notable similarities to the GDPR. There are also some key differences. In an earlier post, I provide a comparison between the PIPL and GDPR.

Information about the PIPL training course is here. The course is 20 minutes. There is also a short version of the course (5.5 mins) available here.

The whiteboard on China’s PIPL summarizes the law in 1 page. It is available for free for personal use. For other uses, please contact us.

China’s PIPL vs. the GDPR: A Comparison

How does China’s new Personal Information Protection Law (PIPL) compare to the European Union’s GDPR?  In this post, I provide a quick PIPL vs. GDPR comparison. In comparing the PIPL with the GDPR, I will note a few key similarities and differences — my comparison is not comprehensive.

Comparing PIPL and GDPR: Similarities 

A few notable similarities between the PIPL and GDPR include:

  • Both the PIPL and GDPR are extraterritorial.
  • The PIPL and GDPR define personal data as involving identified and identifiable natural persons.
  • The PIPL uses the GDPR’s lawful basis approach to data processing. Many other Asian privacy laws use the consent-based approach or an approach akin to the US approach of notice-and-choice.
  • Both the PIPL and GDPR have special protections for sensitive data, but they differ on the types of data they recognize as sensitive.
  • Both the PIPL and GDPR have a data breach notification requirement.
  • The PIPL and GDPR recognize many of the same rights.
  • Both the PIPL and GDPR require workforce training.
  • Under certain circumstances, both the PIPL and GDPR require DPOs.
  • Both the PIPL and GDPR require data protection impact assessments (DPIAs) in certain situations.

Comparing PIPL and GDPR: Differences 

A few notable differences between the PIPL and GDPR include:

Continue Reading