The TeachPrivacy Data Privacy Law Fellowship is a part-time fellowship for recent law school graduates. The Fellowship is virtual, so fellows can work from any location.
Data Privacy Law Fellows help Professor Daniel Solove research, draft, and update scripts for training courses and do research for resources, guides, and other materials. TeachPrivacy has 150+ courses on various federal, state, and international privacy laws (GDPR, HIPAA, FERPA, GLBA, CCPA, TCPA, CAN-SPAM, CASL, LGPD, and many more). Fellows also assist with researching new developments in the law to keep scripts up-to-date. Additionally, fellows help with researching for blog posts and with the company’s social media. Generally, Professor Solove hires recent graduates who have taken a privacy law class or who have otherwise acquired a background in privacy law.
TeachPrivacy is a computer-based training company founded and run by Professor Daniel Solove. TeachPrivacy produces privacy and security compliance training for hundreds of companies, hospitals, health plans, universities, government agencies, and other organizations around the world, including many Fortune 500 multinationals.
JD at US law school or foreign law school
Strong interest in privacy issues
Desire to pursue a career in privacy law
Information privacy law coursework
Experience in privacy law (internships, etc.)
The Fellowship has no formal duration, but most fellows work for 6-18 months. Former Data Privacy Fellows now work at large law firms, prominent companies, industry associations, and many other prestigious organizations.
This cartoon focuses on video recording – how people readily whip out their phones to record events involving people in distress. The “bystander effect” is often invoked to describe the phenomenon of why people watch an emergency unfold without trying to help the victim. Perhaps there should be a modern update to the “bystander effect” called the “video recording effect” to describe how people will take videos of people in distress rather than help them.
In an interesting article, Why Do People Film Others in Distress Instead of Helping Them?, Angela Lashbrook discusses research on the bystander effect (it’s not as strong a phenomenon as many accounts say it is) as well as the effects of surveillance and video recording on people’s behavior. The research points in many different directions.
This cartoon is about the HIPAA right to access medical records. Obtaining access to one’s medical records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. There have been several articles (here, here, and here) about healthcare providers clinging desperately to their antiquated fax machines. According to a study in 2019, 90% of healthcare providers still use faxes.
Many healthcare providers cite to HIPAA as a reason to deny patients’ requests to be emailed their records. But ironically, HIPAA says the opposite – providers must email patients their records if patients request them via email.
We’re well into the 21st Century now, and access to our health data should be much easier. HIPAA should do more than provide a right to access. It should encourage access and improve the ease of access.
The global pandemic has affected everything. COVID-19 is not just grinding trials to a halt and foreclosing live, in-person judicial proceedings; it has changed the class action litigation landscape, including data breach class actions. I recently had the opportunity to discuss the pandemic’s impact on data breach class actions with Daniel Raymond, a cyber & tech claims manager based in Beazley’s Chicago office.
Recently, Professor Scott Skinner-Thompson (Colorado Law) published an excellent, thought-provoking book, Privacy at the Margins (Cambridge University Press, 2020), which explores the important role that privacy plays for marginalized groups. The book is superb, and it is receiving the highest praise from leading scholars. For example, Dean Erwin Chemerinsky (Berkeley Law) proclaims that the book is “stunning in its originality, its clarity, and its insightful proposals for change.”
I am delighted to have the opportunity to interview Scott about the ideas and arguments in his book.
In a recent case, the U.S. Court of Appeals for the 11th Circuit weighed in on an issue that has continued to confound courts: Is there an injury caused by a data breach when victims don’t immediately suffer financial fraud? I wrote on this issue in an article with Professor Danielle Citron in 2018, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). (Danielle and I have just completed a new piece on Privacy Harms.) In the article, Danielle and I examined the inconsistent and messy cases and attempted to set forth a coherent approach.
The most recent case to weigh in on the issue is Tan Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959 (11th Cir. Feb. 4, 2021). PDQ, a fast food chicken restaurant chain, had a data breach where hackers accessed customer credit card data for a period of nearly a year. When the breach was announced, the plaintiff cancelled the credit cards he used at PDQ. In doing so, the plaintiff lost access to his preferred accounts, lost points and rewards, and expended time and effort. The Tsao court concluded that because the plaintiff couldn’t demonstrate that he suffered any credit card fraud, he lacked standing to sue.
In federal court, plaintiffs must demonstrate that they suffered a harm (actual or imminent injury) in order to sue. The plaintiff argued that he lost out on benefits when he cancelled his cards, but the court held that this was “manufactured” harm. The Tsao court relied on Clapper v. Amnesty International, 568 U.S. 398 (2013), where the U.S. Supreme Court held that plaintiffs can’t “manufacture” harm by spending money, time, and effort to protect themselves against surveillance that they couldn’t prove was occurring. Clapper’s view on “manufactured” harm strikes me as manufactured itself — a rather poorly-reasoned cooked-up excuse to deny standing. But the case is there, and it must be navigated around.
Privacy harms have become one of the largest impediments in privacy law enforcement. In most tort and contract cases, plaintiffs must establish that they have been harmed. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins, the U.S. Supreme Court has held that courts can override Congress’s judgments about what harm should be cognizable and dismiss cases brought for privacy statute violations.
The caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm. Courts conclude that many privacy violations, such as thwarted expectations, improper uses of data, and the wrongful transfer of data to other organizations, lack cognizable harm.
My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.
The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.
Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2). There are several parts of the court’s decision that are worth discussing.
When Donald Trump targeted the Communications Decency Act (CDA) Section 230, a debate about the law flared up. Numerous reforms were proposed, some even seeking to abolish the law. Unfortunately, the debate has been clouded with confusion and misinformation.
The CDA Section 230, at 47 U.S.C. § 230(c)(1), provides:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
The actual text of the law is fine, and I wouldn’t change it. My proposal for reform would be for Congress to reissue Section 230 with the same text and instruct courts to follow the actual text of the law. The problem with Section 230 is that in a bout of free speech zeal, courts have interpreted the law to be far more extensive than it is written or should be.
In this Article, Professor Daniel Solove deconstructs and critiques the privacy paradox and the arguments made about it. The “privacy paradox” is the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.
Commentators typically make one of two types of arguments about the privacy paradox. On one side, the “behavior valuation argument” contends behavior is the best metric to evaluate how people actually value privacy. Behavior reveals that people ascribe a low value to privacy or readily trade it away for goods or services. The argument often goes on to contend that privacy regulation should be reduced.
On the other side, the “behavior distortion argument” suggests that people’s behavior is not an accurate metric of preferences because behavior is distorted by biases and heuristics, manipulation and skewing, and other factors.
Professor Solove argues instead that the privacy paradox is a myth created by faulty logic. The behavior involved in privacy paradox studies involves people making decisions about risk in very specific contexts. In contrast, people’s attitudes about their privacy concerns or how much they value privacy are much more general in nature. It is a leap in logic to generalize from people’s risk decisions involving specific personal data in specific contexts to reach broader conclusions about how people value privacy.
The behavior in the privacy paradox studies does not lead to a conclusion for less regulation. On the other hand, minimizing behavioral distortion will not cure people’s failure to protect their own privacy. Managing one’s privacy is a vast, complex, and never-ending project that does not scale. Privacy regulation often seeks to give people more privacy self-management, but doing so will not protect privacy effectively. Professor Solove argues instead that privacy law should focus on regulating the architecture that structures the way information is used, maintained, and transferred.