Here’s my latest cartoon – on machine learning and the use of data in marketing.
Cartoon: HIPAA Confidentiality and PHI Sharing
Here’s a cartoon about HIPAA confidentiality and our modern medical system. In the old days, medical confidentiality meant that people’s health information was seen by just a handful of people – doctors and their staff. These days, health information is widely shared. Countless people see a patient’s medical records and numerous organizations are provided with access.
Webinar – Is Consumer Choice the Right Way to Protect Privacy?
If you couldn’t make it to my recent webinar on privacy and consumer choice, you can watch the replay here. I discussed the challenges of consumer choice in privacy with Christine Lyon (Freshfields) and Troy Sauro (Google).
I also have a paper on these issues that might be of interest, The Limitations of Privacy Rights, forthcoming in Notre Dame Law Review. You can download it here for free.
5 Essential ADPPA Reads
I’ve read many things about ADPPA, and I’ve written a few things about it as well. I remain highly ambivalent about the law; I truly am torn. Below are a few of the pieces that are especially insightful on different sides of the issue.
Speaking at Peking University Law School
On Thursday, September 8, 2022, I will be speaking with Peking University Law School about my paper, The Limitations of Privacy Rights, 98 Notre Dame Law Review __ (forthcoming 2023). Here’s a very brief synopsis of the paper:
Privacy laws often rely too heavily on individual rights, which are at most capable of being a supporting actor, a small component of a much larger architecture. This article discusses the common privacy rights, why each falls short, and the types of broader structural measures that can protect privacy in a more systematic, rigorous, and less haphazard way.
Webinar on ADPPA – Bill for a Federal Comprehensive Privacy Law
If you couldn’t make it to my webinar to discuss a federal comprehensive privacy law, you can watch the replay here. I spoke with an all-star set of speakers to discuss the American Data Privacy and Protection Act (ADPPA), a bill that Congress might enact as the first federal comprehensive privacy law in the U.S. Speakers include:
– Daniel Solove, GW Law and TeachPrivacy
– Omer Tene, Goodwin Procter
– Susan Hintze, Hintze Law
– Jody Westby, Global Cyber Risk
– Alan Butler, EPIC
– Alastair Mactaggart, caprivacy.org
- A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law?
- Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill
Unifying Privacy and Data Security
Professor Woodrow Hartzog and I have posted on SSRN another free chapter from our recent book. The chapter is entitled Unifying Privacy and Data Security.
The chapter is about the relationship between privacy and data security, and it can be read as a stand-alone essay. With our publisher’s gracious permission, we’re making this chapter available to download for free. Here’s the abstract:
Unifying Privacy and Data Security
This book chapter discusses the relationship between privacy and data security. Privacy is a key and underappreciated aspect of data security. Right now, there is a schism between privacy and security in companies. Privacy functions are commonly addressed by the compliance and legal departments, while security is handled by the information technology department. The two areas are commonly split apart and rarely speak to each other.
The chapter argues that we should bridge data security and privacy and make them go hand-in-hand in both law and policy. Strong privacy rules help create accountability for the collection, use, and dissemination of personal information and can reduce vulnerabilities and risk by minimizing the use and retention of personal information. Good privacy strengthens security. The chapter specifically focuses on the importance of data minimization and data mapping as privacy practices that have tremendous benefits for data security.
This piece is Chapter 7 of my book with Woodrow Hartzog, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022). In the book, we explore the shortcomings of data security law. We argue that the law fails because, ironically, it focuses too much on the breach itself.
Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill
I recently wrote a post about my concerns with the American Data Privacy and Protection Act (ADPPA) (updated version after markup is here), a bill making its way through Congress that has progressed further than many other attempts at a comprehensive privacy law. Despite grading the law a B+, I was skeptical of it because it would preempt state laws, a provision I believe to be a Faustian bargain. Here’s an updated version of the ADPPA after markup.
Omer Tene (Goodwin Procter LLP) has a series of tweets expressing puzzlement at my reaction to the law. He thinks I should be dancing in the streets. He writes that he is “genuinely puzzled by the logic here. Dan argues against passage of a good federal privacy law (he gives it a B+) bc it might be outdated in 20 years.” He argues that my concerns will be the same with every federal law because there won’t be a federal law without preemption. “[W]hat’s the alternative?” Omer asks. “Having no federal law to update in 20 years? How’s that any better?” He further argues that “if the preferred option is state by state, it’s a very poor option. Dan and others have rightfully criticized the weak tea brewed by the states. ADPPA blows every one of the state laws out of the water.” Omer contends that the “ADPPA is *far* stronger than CPRA. Even in California. Not to mention it would also apply in 49 other states.”
Data Vu: Why Breaches Involve the Same Stories Again and Again
Woodrow Hartzog and I wrote a new article about data breaches called “Data Vu: Why Breaches Involve the Same Stories Again and Again.” We discuss how data breaches involve the same old mistakes and how we must break the cycle. We begin:
In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.
Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil eventually figured out how to break the loop, we’re still stuck: the same types of data breaches keep occurring with the same plot elements virtually unchanged.
Like Phil eventually managed to do, we must examine the recurring elements that allow data breaches to happen and try to learn from them. Common plotlines include human error, unnecessary data collection, consolidated storage and careless mistakes. Countless stories involve organizations that spent a ton of money on security and still ended up breached. Only when we learn from these recurring stories can we make headway in stopping the cycle.
Head over to Scientific American to read the rest of the article.
The article draws from some of the ideas in my book with Hartzog, Breached! Why Data Security Law Fails and How to Improve It (Oxford University Press, 2022).
NBC Think Again Interview
NBC Think Again did a short feature about my article, “I’ve Got Nothing to Hide and Other Misunderstandings of Privacy.” In this interview we talk about what privacy really means and how little of it we actually have.
Click here to watch this interview, or watch it in the embedded video below.