On May 3, Sara DePaul, SIIA’s Senior Director for Technology Policy, moderated a panel at the IAPP’s Global Privacy Summit 2019 in Washington DC on “Balancing Transparency and Privacy in Open Access to Public Records.” The panel featured the views of Cindy Van Ort, Chief Privacy Officer of Thomson Reuters; Chris Calabrese, Vice President for Policy at the Center for Democracy and Technology; and David Cuillier, Associate Professor at the University of Arizona School of Journalism. The panelists engaged in a spirited discussion and found a few high-level points of consensus, such as: that the use of public records confer important social benefits, that open access and use can yield the potential for harmful results that should be accounted for, and that the treatment of public records by privacy laws can raise First Amendment concerns that must be balanced by policymakers. They differed, however, in whether and how a privacy law should apply to public records dat ...

On March 12, the Senate Judiciary Committee held a hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” The Committee heard from witnesses representing industry, consumer organizations, and academia, who discussed a broad range of issues to inform a federal privacy law: from meaningful consumer controls to the successes and failures of other privacy frameworks to beefed up enforcement by the FTC . One important topic that was not discussed was the importance of publicly available information and how it should be treated by a federal privacy law. As SIIA explained in recent comments to the Senate, the social benefits and public policy principles promoted by the processing of public data are tangible, indisputable, and balanced. Public data is used to provide choice and access to credit for personal finances, to enable credit for business expansion to grow our economy, and to promote public safety. Moreover, the free flow o ...

On January 21, 2019, the French National Data Protection Commission (CNIL) fined Google Euros 50 million for not complying with the General Data Protection Regulation (GDPR).   There will be a legal challenge, but this blog focuses on the policy considerations surrounding the decision.  There are at least three initial takeaways from the CNIL decision.  First, this enforcement action demonstrates that the GDPR should not be replicated word for word in a possible U.S. federal privacy law.  Some notion of consumer harm should enter the calculation when a fine is considered.  Second, DPAs should be more forthcoming with guidance on how to comply with the GDPR, especially when companies are making a good faith effort to comply with the law.  Third, there is a risk that the one-stop-shop is going to become effectively meaningless.  As U.S. policymakers consider a federal privacy law, this should be a key co ...

At yesterday’s FTC hearing on the business of big data I outlined some of the important uses of big data and analytics. SIIA companies are industry leaders using analytics and big data to improve business methods and processes.  Among their innovative uses of data are the use of these techniques to:  

This is part 2 of a series on the constitution's role in informational privacy.  There will be endnotes.

The General Data Protection Regulation is designed to support the individual’s interest in informational privacy, which the EU recognizes as a fundamental right.  Under that law, the collection, use and transfer of personal information is prohibited unless done with consent of the individual.  It has a de minimis legitimating role for social or business purposes but generally, if the individual revokes consent, processing of information must stop and often the information itself must be deleted. The US works from a different paradigm.  We certainly value privacy as necessary and valuable to ensure both personal dignity and a free and functioning society.  But we focus privacy laws on the prevention and remediation of harm, not on consent.  United States privacy law grew out of the common-law privacy torts: defamation, intrusion on seclusion, disclosure of private facts, false light and the right of publicity.  Thus, for example, the tort of disclo ...

In what can be compared to a modern-day technology sprint, California’s legislature introduced and passed far-reaching privacy legislation - the California Consumer Privacy Act (CCPA) - in less than a week. The multi-year effort by privacy advocates, technology companies, network providers and others before introduction ended in the final push in the legislature was completed in the just six days. This far-reaching legislation will have impact across many different business sectors when it goes into effect on January 1, 2020 requiring for-profit businesses, not just technology companies, to provide the consumer access to the personal information collected about her, the opportunity to delete the data, and to allow her the opportunity to opt-out of the sale of personal information to third parties (or, if under the age of 16, the ability to opt-in). Much like the software development process, the California legislature has acknowledged the need to fix the “bugs” ...

Tomorrow is May 25 and therefore the entry-into-force of the GDPR.  The European Commission views the GDPR as one of its significant Digital Single Market (DSM) achievements.  The Commission estimates that the DSM could add Euros 415 billion a year to EU GDP and add hundreds of thousands of jobs (see also this document on the economic impact of the DSM).  There is no Commission calculation on what contribution the GDPR would make to this overall DSM estimate (it does say that GDPR will save business some money – see below), but the Commission argues that the GDPR will enhance trust in the digital economy and therefore promote the expansion of Europe’s digital economy. As somebody who has spent a significant portion of the last year on counselling member companies on the GDPR, the immediate compliance burden looms larger than the possible innovation opportunity.  Nonetheless, there is still scope for European regulators and policymakers to interpret an ...

With just over a week until the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect, companies around the world are coming into compliance with the far-reaching law. Inboxes everywhere have been overflowing with consent notifications over the past few months. If you’re just getting started on GDPR or generally curious, here is a brief overview of the GDPR. Disclaimer – GDPR is broadly written and is context-specific. If your company is in need of compliance help, consider engaging with an outside firm to address your compliance needs.

Today, the Atlantic Council hosted an interesting panel discussion entitled: “Protectionism, Data Privacy, and the Transatlantic Partnership.”  European Commission Digital Affairs Counselor Peter Fatelnig, Atlantic Counsel Distinguished Fellow Fran Burwell, and the U.S. Chamber’s Senior Manager for Digital Affairs Kara Sutton provided a lot of substance and perspective on what is happening in the run-up to the GDPR’s May 25, 2018 entry-into-force.    Appropriately, although the event name started with “protectionism,” nobody discussed the GDPR in those terms.  That is because whatever one’s views are on whether the Regulation really will promote digital innovation in Europe, the GDPR per se is not a protectionist Regulation.  Besides, the train has left the station.  Companies around the world, including SIIA and its member companies, are racing to comply with the GDPR.  Currently, I spend about a quarter o ...