PRIVACY + SECURITY BLOG

News, Developments, and Insights


The Schrems II Decision


The European Court of Justice has finally issued its decision in Facebook Ireland Ltd. v. Maximilian Schrems — otherwise known as Schrems II.

The full text of the Schrems II opinion is here.

The result: The US-EU Privacy Shield Framework is invalid.  The Standard Contractual Clauses are valid.  Ultimately, this means that it is still possible to transfer personal data from the EU to the US, but the US no longer enjoys the special arrangement it had with Privacy Shield. The US is now just like any other country.

Before folks cheer about the survival of the Standard Contractual Clauses (SCC), it should be noted that the ECJ didn’t say that data transfers pursuant to the SCC are automatically valid. Instead, the data controller or processor must “verify, on a case-by-case basis . . . whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” The problem is that it is difficult to imagine how one can verify that the United States (or many other countries with extensive government surveillance) are ensuring adequate protection.  According to the U.S. Supreme Court, contracts can’t give rise to a reasonable expectation of privacy to override the Third Party doctrine.  Controllers or processors can’t fix the lack of standing in Clapper v. Amnesty International. 

Some key quotes from the opinion:


The Three General Approaches to Privacy Regulation


These days, the debate about a federal comprehensive privacy law is buzzing louder than ever before. A number of bills are floating around Congress, and there are many proposals for privacy legislation by various groups, organizations, and companies.  As proposals to regulate privacy are debated, it is helpful to distinguish between three general approaches to regulating privacy:

  1. Privacy Self-Management
  2. Governance and Documentation
  3. Use Regulation

Most privacy laws rely predominantly on one of these approaches, with some laws drawing from two or even all of them.

Each approach has various strengths and weaknesses.  To be successful, a privacy law must use all three approaches. Many laws could be strengthened greatly if they used more of the third approach that I will outline below.


Video – Covid, Privacy, and Education with Daniel Solove and Tracy Mitrano


In this video, Daniel Solove and Tracy Mitrano (former IT Policy at Cornell and now Democratic candidate for US Senate in New York’s 23rd district) discuss Covid, privacy, education, work-from-home, and other privacy, security, and technology issues.


Video – Challenges of Privacy Notices, Schrems II, and Other Privacy Issues – A Conversation with Daniel Solove, Justin Antonipillai, and Andy Dale


In this video, Daniel Solove (TeachPrivacy, GW Law), Justin Antonipillai (Wirewheel), and Andy Dale (Alyce) discuss the challenge of writing privacy notices, Schrems II, and other privacy issues.


How Cyberinsurance Is Responding to Ransomware: An Interview with Ken Suh, Mark Singer, and Marcello Antonucci

Ransomware has long been a scourge, and it has been growing into a pandemic with no signs of slowing down. I recently had the opportunity to discuss ransomware with several experts at Beazley. Based in Chicago, Ken Suh is the focus group leader for cyber & tech claims at Beazley. Mark Singer is a cyber & tech claims manager based in Beazley’s London office. Marcello Antonucci is based in New York and is a global cyber & tech claims team leader at Beazley.


What Are the Requirements for HIPAA Training?


HIPAA training is a specific requirement of HIPAA. HIPAA requires that covered entities (CEs) and business associates (BAs) provide HIPAA training to members of their workforce who handle protected health information (PHI).  This means administrative and clinical personnel need to be trained.  Business associates — and any of their subcontractors — must have training.  Basically, anyone who comes into contact with PHI must be trained.

HIPAA’s Privacy Rule and HIPAA’s Security Rule both have separate training requirements.  Generally, HIPAA’s training requirements in both rules are rather sparse — not a lot of guidance is provided.

The HIPAA Privacy Rule, at 45 CFR § 164.530(b)(1), says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way.  It is also important to note that HIPAA training doesn’t mean training to make trainees experts on HIPAA. In fact, HIPAA doesn’t even state that trainees learn about HIPAA itself; instead, they must learn about how to carry out their organization’s obligations under HIPAA.

The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered.


What Are the Requirements for CCPA Training?

What are the requirements for California Consumer Privacy Act (CCPA) training?  At Section 1798.135(a)(3), the CCPA requires that businesses “ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.”

The CCPA’s training requirements specifically mention that all employees responsible for handling consumer inquiries about privacy practices must be informed of the requirements of 1798.120 and 1798.135, which primarily focus on the sale of consumer personal information.

Section 1798.120 includes:

  • the consumer’s right to opt out of the sale of personal information to third parties
  • consumers’ rights to be notified that they have a right to opt out, and
  • the opt in rights for children

Section 1798.135 includes:

  • requirement to have a link on the homepage titled “Do Not Sell My Personal Information”
  • requirement to have a description of consumer rights


Cartoon: De-Identifying PHI under HIPAA


This cartoon is about de-identifying PHI under HIPAA.  De-identifying personal data is quite complicated. Researchers have been able to re-identify sets of personal data with just names, birth dates, and gender. The reason why de-identifying data is difficult is that there is more and more identified personal data online that can be matched up with de-identified data and used to link up names.


Video: Schrems II Initial Reactions with Daniel Solove, Justin Antonipillai, Gabriela Zanfir-Fortuna, Ralf Sauer, and Bob Litt


The European Court of Justice just issued its decision in Facebook Ireland v. Schrems, and the court’s opinion sent shock waves throughout the privacy world.  I had a terrific discussion with Justin Antonipillai (Wirewheel), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Ralf Sauer (European Commission), and Bob Litt (Morrison & Foerster, former General Counsel for the Director of National Intelligence) about the case.  The video is about 1 hour long.


Ransomware and the Role of Cyber Insurance: An Interview with Kimberly Horn


Ransomware has long been a scourge, and it’s getting worse. I recently had the chance to talk about ransomware and cyber insurance with Kimberly Horn, the Global Claims Team Leader for Cyber & Tech Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions.
