I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Ransomware is one of the most frightening scourges to hit the Internet. Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them. If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.
Ransomware began to emerge in 2009, and it has been rapidly on the rise. Recently, it was ranked as the number one threat involving mobile malware. According to one estimate, “at least $5 million is extorted from ransomware victims each year.”
Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.
CryptoLocker was eventually defeated. But new variants of ransomware started popping up more frequently.
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
By Daniel J. Solove
Proponents for allowing government officials to have backdoors to encrypted communications need to read Franz Kafka. Nearly a century ago, Kafka deftly captured the irony at the heart of their argument in his short story, “The Burrow.”
After the Paris attacks, national security proponents in the US and abroad have been making even more vigorous attempts to mandate a backdoor to encryption.
“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law.
McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan). The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go. It is an extremely useful volume that I’m delighted I have on my desk. If you practice in this field, get this book.
By Daniel J. Solove
It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools.
Fortunately, there is a solution, one that I’m proud to have been involved in creating. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.
The Privacy K-12 Curriculum Matrix is free. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level.
By Daniel J. Solove
Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.
This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think that in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.
By Daniel J. Solove
At my annual event, the Privacy+Security Forum, which was held last month, one of the sessions involved privacy and security in fiction. The panelists had some terrific readings suggestions, and I thought I’d share with you the write-up that they generated for their session. The speakers were:
Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law
Heather West, Senior Policy Manager & Americas Principal, Mozilla
Kevin Bankston, Director, Open Technology Institute and Co-Director, Cybersecurity Initiative, New America
Joseph Jerome, Policy Counsel at Future of Privacy Forum
By Daniel J. Solove
The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries. In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries. The US is an outlier from the way most countries regulate privacy.
About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach. Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs. Industries could lobby and exert their influence much more on laws focused on their industry. Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.
But today, ironically, the sectoral approach is not doing many organizations any favors. There are still gaps in protection under the US approach, but these have narrowed. In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws. The result is a ton of complexity, inconsistency, and uncertainty in the law.
I am pleased to announce that Alan Westin’s classic work, Privacy and Freedom, is now back in print. Originally published in 1967, Privacy and Freedom had an enormous influence in shaping the discourse on privacy in the 1970s and beyond, when the Fair Information Practice Principles (FIPPs) were developed.
The book contains a short introduction by me. I am truly honored to be introducing such a great and important work. When I began researching and writing about privacy in the late 1990s, I kept coming across citations to Westin’s book, and I was surprised that it was no longer in print. I tracked down a used copy, which wasn’t as easy to do as today. What impressed me most about the book was that it explored the meaning and value of privacy in a rich and interdisciplinary way.
A very brief excerpt from my intro:
At the core of the book is one of the most enduring discussions of the definition and value of privacy. Privacy is a very complex concept, and scholars and others have struggled for centuries to define it and articulate its value. Privacy and Freedom contains one of the most sophisticated, interdisciplinary, and insightful discussions of privacy ever written. Westin weaves together philosophy, sociology, psychology, and other disciplines to explain what privacy is and why we should protect it.
I was fortunate to get to know Alan Westin, as I began my teaching career at Seton Hall Law School in Newark, New Jersey, and Alan lived and worked nearby. I had several lunches with him, and we continued our friendship when I left to teach at George Washington University Law School. Alan was kind, generous, and very thoughtful. He was passionate about ideas. I miss him greatly.
So it is a true joy to see his book live on in print once again.
Here’s the blurb from the publisher:
Free newsletter with cartoons, writings, events, webinars, training, humor and whiteboards.
