Privacy Law Commons^™

The Data Heist: Protecting Consumers And Their Information Through Opt-In Consent, John A. Hudson

Arkansas Law Review

This Comment will: (1) compare and contrast the data privacy laws in the United States and the European Union; (2) demonstrate the significant risk American consumers are subject to under the United States’ current laws and regulations; and (3) address the protections provided by the European Union’s explicit opt-in consent requirement that would ensure safer conditions for American consumers.

Data Controllers As Data Fiduciaries: Theory, Definitions & Burdens Of Proof, Noelle Wilson, Amanda Reid

University of Colorado Law Review

As more U.S. states have begun to pass consumer privacy laws, there are growing calls for federal data privacy regulation to ease the burden of compliance with various, sometimes conflicting, state laws. However, scholars and lawmakers are divided on how best to balance robust privacy protections with privacy laws to which businesses can realistically comply. Two prominent regulatory models have emerged from scholarly debate. The Rights/Obligations Model grants consumers various rights and imposes obligations on businesses. This model has been trending in U.S. states, which have mirrored language from the European Union’s General Data Protection Regulation (GDPR) by imposing different …

The Limitations Of Privacy Rights, Daniel J. Solove

Notre Dame Law Review

Individual privacy rights are often at the heart of information privacy and data protection laws. The most comprehensive set of rights, from the European Union’s General Data Protection Regulation (GDPR), includes the right to access, right to rectification (correction), right to erasure (deletion), right to restriction, right to data portability, right to object, and right to not be subject to automated decisions. Privacy laws around the world include many of these rights in various forms.

In this Article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than …

Recognizing Operators’ Duties To Properly Select And Supervise Ai Agents – A (Better?) Tool For Algorithmic Accountability, Richard Zuroff

Canadian Journal of Law and Technology

In November of 2020, the Privacy Commissioner of Canada proposed creating GDPR-inspired rights for decision subjects and allowing financial penalties for violations of those rights. Shortly afterward, the proposal to create a right to an explanation for algorithmic decisions was incorporated into Bill C-11, the Digital Charter Implementation Act. This commentary proposes that creating duties for operators to properly select and supervise artificial agents would be a complementary, and potentially more effective, accountability mechanism than creating a right to an explanation. These duties would be a natural extension of employers’ duties to properly select and retain human employees. Allowing victims …

Semantics And Sin Tax: Maintaining Autonomy In The Age Of Hyper-Personalization, Stephen Kohn

Mitchell Hamline Law Review

No abstract provided.

The Hidden Harms Of Privacy Penalties, Mary D. Fan

Articles

How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing in the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals …

Data Privacy, Human Rights, And Algorithmic Opacity, Sylvia Lu

Fellow, Adjunct, Lecturer, and Research Scholar Works

Decades ago, it was difficult to imagine a reality in which artificial intelligence (AI) could penetrate every corner of our lives to monitor our innermost selves for commercial interests. Within just a few decades, the private sector has seen a wild proliferation of AI systems, many of which are more powerful and penetrating than anticipated. In many cases, AI systems have become “the power behind the throne,” tracking user activities and making fateful decisions through predictive analysis of personal information. Despite the growing power of AI, proprietary algorithmic systems can be technically complex, legally claimed as trade secrets, and managerially …

Winter Is Here: The Impossibility Of Schrems Ii For U.S.-Based Direct-To-Consumer Companies, Vanessa Zimmer

Northwestern Journal of International Law & Business

In this paper, Vanessa Zimmer exposes the precarious position of Direct-to-Consumer (DTC) companies that are physically located in the United States but still subject to the European General Data Protection Regulation (GDPR) under Article 3(2) because they offer goods or services to European consumers online. Standard Contractual Clauses (SCCs) and supplementary measures have dominated privacy conversions in the year since the European Court of Justice invalidated the EU-U.S. Privacy Shield framework with its Schrems II decision.

However, Zimmer argues that the greater issue for U.S.-based DTC companies is the lack of clarity over what constitutes an international, or restricted, transfer …

Data Privacy Issues In West Virginia And Beyond: A Comprehensive Overview, Jena Martin

Consumer Law Scholarship

This white paper was commissioned by the Center for Consumer Law and Education, a joint initiative launched by West Virginia University and Marshall University to “coordinate the development of consumer law, policy, and education research to support and serve consumers.”

As such, this paper has a dual purpose. First, it provides a comprehensive overview of the many different legal issues that affect data privacy concerns (both nationally and in West Virginia). Second, it documents and discusses the result of a survey and specific focus groups that were undertaken throughout the fall of 2019 into January 2020 where individuals within the …

Algorithmic Impact Assessments Under The Gdpr: Producing Multi-Layered Explanations, Margot E. Kaminski, Gianclaudio Malgieri

Publications

Policy-makers, scholars, and commentators are increasingly concerned with the risks of using profiling algorithms and automated decision-making. The EU’s General Data Protection Regulation (GDPR) has tried to address these concerns through an array of regulatory tools. As one of us has argued, the GDPR combines individual rights with systemic governance, towards algorithmic accountability. The individual tools are largely geared towards individual “legibility”: making the decision-making system understandable to an individual invoking her rights. The systemic governance tools, instead, focus on bringing expertise and oversight into the system as a whole, and rely on the tactics of “collaborative governance,” that is, …

Outsourcing The Police: How Reliance On The Private Sector For Law Enforcement Threatens Privacy Legislation Around The World, Karl Colbary

Northwestern Journal of International Law & Business

Data privacy is an increasingly important issue in the world today. People are increasingly aware of, and concerned about, their digital footprint. As a result, many jurisdictions around the world—the United States excluded—have enacted legislation with an eye towards giving their citizens greater control over their data. However, the movement to give individuals greater control over how their data is used by tech providers often overlooks the fact that the government is one of the biggest consumers of the data that tech providers collect. Therefore, data privacy regimes that allow the flow of personal information to the government do not …

Catalyzing Privacy Law, Anupam Chander, Margot E. Kaminski, William Mcgeveran

Publications

The United States famously lacks a comprehensive federal data privacy law. In the past year, however, over half the states have proposed broad privacy bills or have established task forces to propose possible privacy legislation. Meanwhile, congressional committees are holding hearings on multiple privacy bills. What is catalyzing this legislative momentum? Some believe that Europe’s General Data Protection Regulation (GDPR), which came into force in 2018, is the driving factor. But with the California Consumer Privacy Act (CCPA) which took effect in January 2020, California has emerged as an alternate contender in the race to set the new standard for …

Send The Word Over There: An Offshore Solution To The Right To Be Forgotten, Jay Kaganoff

Northwestern Journal of International Law & Business

The right to be forgotten is a subject of contention in both the United States and the European Union. In the E.U., the right to be forgotten gives one the right to demand that information—even if published legitimately—be taken down or removed from search engine results. While well-intentioned, this has led to concerns of free press restrictions. In contrast, the right to be forgotten is not recognized in the U.S., although there are scholars who would like to see such a right here. This Note takes the view that introducing a right to be forgotten would be contrary to the …

The Gdpr And The Consequences Of Big Regulation, Matthew R. A. Heiman

Pepperdine Law Review

This Article summarizes the key features of the European Union’s General Data Privacy Regulation (GDPR) that became effective on May 25, 2018. The stated purpose of the law is to give individuals greater control over personal information that is handled by companies and organizations. The Article argues that the GDPR is fundamentally flawed. Key terms within the GDPR are undefined; the burdens of the GDPR will fall heaviest on small businesses; the GDPR disrupts a valuable business model; the GDPR will stymie growth, innovation, and information sharing; and it may be the product of protectionist impulses rather than concerns for …

Untangling The Privacy Law Web: Why The California Consumer Privacy Act Furthers The Need For Federal Preemptive Legislation, Jordan Yallen

Loyola of Los Angeles Law Review

No abstract provided.

What Consumers Don’T Know They’Re Giving Away (Data And Privacy Concerns), Bayleigh Reeves

Marketing Undergraduate Honors Theses

The modern world leverages technology and information captured by it in ways the inventors of these technologies likely never imagined. Phones and other devices are gathering information about consumers in the background when they do not even realize it. Pew Research Center found that about 77% of Americans own a smartphone and 88% use the internet. This mass access to technology and information tracking raises many privacy concerns. Basic demographic information is being tracked as well as more in-depth information like shopping tendencies, financial information, and information about known associates. While most of this data is being used for marketing …

Privacy's Constitutional Moment And The Limits Of Data Protection, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both California and the European Union have forced Congress’s hand by passing the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike clamoring for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst …

Reconciling U.S. Banking And Securities Data Preservation Rules With European Mandatory Data Erasure Under Gdpr, Ronald V. Distante

Fordham Journal of Corporate & Financial Law

United States law, which requires financial institutions to retain customer data, conflicts with European Union law, which requires financial institutions to delete customer data on demand. A financial institution operating transnationally cannot comply with both U.S. and EU law. Financial institutions thus face the issue that they cannot possibly delete and retain the same data simultaneously. This Note will clarify the scope and nature of this conflict.

First, it will clarify the conflict by examining (1) the relevant laws, which are Europe’s General Data Protection Regulation (GDPR), the U.S. Bank Secrecy Act, and Securities and Exchange Commission (SEC) regulations, (2) …

American Privacy Law At The Dawn Of A New Decade (And The Ccpa And Covid-19): Overview And Practitioner Critique, Kimberly Dempsey Booher, Martin B. Robins

Marquette Intellectual Property Law Review

No abstract provided.

A Recent Renaissance In Privacy Law, Margot Kaminski

Publications

Considering the recent increased attention to privacy law issues amid the typically slow pace of legal change.

Do You Accept These Cookies? How The General Data Protection Regulation Keeps Consumer Information Safe, Jayne Chorpash

Northwestern Journal of International Law & Business

Abstract:

This note examines the General Data Protection Regulation implemented in the EU in 2018. The GDPR was the result of a long history of data privacy laws that have been met with varying levels of success. While the GDPR has retained many characteristics that have made past privacy laws successful, it has also made some important changes. Most notably, the GDPR gives generous rights to consumers to guard and protect their data, which is of growing concern in light of how easy it is to share information in our modern age. Additionally, the GDPR has a much broader territorial …

Towards Standard Information Privacy, Innovations Of The New General Data Protection Regulation, Ali Alibeigi, Abu Bakar Munir, Md Ershadulkarim, Adeleh Asemi

Library Philosophy and Practice (e-journal)

Protection of personal data in recent decades became more crucial affecting by emergence of the new technologies especially computer, internet, information and communications technology. However, Europeans felt this necessity at time and provided for up-to-date and supportive laws. The General Data Protection Regulation (GDPR) is the latest legislation in EU to protect personal data of individuals based on the recent technological advancements. However, its’ domestic and international output still is debatable. This doctrinal legal study by using descriptive methods, aimed to evaluate the GDPR through analyzing and interpreting its’ provisions by especial focus on its’ innovations. The results show that …

Catalyzing Privacy Law, Anupam Chander, Margot E. Kaminski, William Mcgeveran

Georgetown Law Faculty Publications and Other Works

The United States famously lacks a comprehensive federal data privacy law. In the past year, however, over half the states have proposed broad privacy bills or have established task forces to propose possible privacy legislation. Meanwhile, congressional committees are holding hearings on multiple privacy bills. What is catalyzing this legislative momentum? Some believe that Europe’s General Data Protection Regulation (GDPR), which came into force in 2018, is the driving factor. But with the California Consumer Privacy Act (CCPA) which took effect in January 2020, California has emerged as an alternate contender in the race to set the new standard for …

Confiding In Con Men: U.S. Privacy Law, The Gdpr, And Information Fiduciaries, Lindsey Barrett

Seattle University Law Review

In scope, ambition, and animating philosophy, U.S. privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s ambitious individual rights, significant prohibitions, substantive enforcement regime, and broad applicability contrast vividly with a scattershot U.S. regime that generally prioritizes facilitating commerce over protecting individuals, and which has created perverse incentives for industry through anemic enforcement of the few meaningful limitations that do exist. A privacy law that characterizes data collectors as information fiduciaries could coalesce with the commercial focus of U.S. law, while emulating the GDPR’s laudable normative objectives and fortifying U.S. consumer privacy law with a …

General Data Protection Regulation (Gdpr): Prioritizing Resources, Jennifer Dumas

Seattle University Law Review

This Article will discuss and analyze the years of preparation for the GDPR and provide recommendations for dealing with the GDPR forevermore. It will assess whether the preparation and panic were worth it. In other words, was the time, expense, and distraction my peers and I expended and experienced over the past years proportionate to the requirements and impact of the GDPR? Further, was the high level of preparation and panic many legal departments in countless companies undertook and experienced appropriate now that we have had a chance to see the initial impact of the GDPR?

The Gdpr: It Came, We Saw, But Did It Conquer?, Leila Javanshir

Seattle University Law Review

On February 1, 2019, the Seattle University Law Review held its annual symposium at the Seattle University School of Law. Each year, the Law Review hosts its symposium on a topic that is timely and meaningful. This year, privacy and data security professionals from around the globe gathered to discuss the current and future effects of the General Data Protection Regulation (GDPR) that was implemented on May 25, 2018. The articles and essays that follow this Foreword are the product of this year’s symposium.

Footprints: Privacy For Enterprises, Processors, And Custodians…Oh My!, Blair Witzel, Carrie Mount

Seattle University Law Review

Americans’ interest in privacy—as evidenced by increasing news coverage, online searches, and new legislation—has grown over the past decade. After the European Union enacted the General Data Protection Regulation (GDPR), technologists and legal professionals have focused on primary collectors of data—known under various legal regimes as the “controller” or “custodian.” Thanks to advances in computing, many of these data collectors offload the processing of data to third parties providing data-related cloud services like Amazon, Microsoft, and Google. In addition to the data they have already collected about the data subjects themselves, these companies now “hold” that data on behalf of …

"You Have The Data"...The Writ Of Habeas Data And Other Data Protection Rights: Is The United States Falling Behind?, Sarah L. Lode

Indiana Law Journal

In Part I of this Note, I will discuss the writ of habeas data that has been developed primarily, but not exclusively, in Latin American countries. I will discuss the intricacies of the writ, how it evolved, and how it is applied today. Using Argentina as an example, I will discuss how the writ would be used by an Argentine citizen to protect her personal data. Part II summarizes the previously employed data protection scheme in the European Union, the Data Protection Directive (“the Directive”), and will also discuss the new EU data protection regulation, the General Data Protection Regulation …

The Right To Explanation, Explained, Margot E. Kaminski

Publications

Many have called for algorithmic accountability: laws governing decision-making by complex algorithms, or AI. The EU’s General Data Protection Regulation (GDPR) now establishes exactly this. The recent debate over the right to explanation (a right to information about individual decisions made by algorithms) has obscured the significant algorithmic accountability regime established by the GDPR. The GDPR’s provisions on algorithmic accountability, which include a right to explanation, have the potential to be broader, stronger, and deeper than the preceding requirements of the Data Protection Directive. This Essay clarifies, largely for a U.S. audience, what the GDPR actually requires, incorporating recently released …

Face Off: An Examination Of State Biometric Privacy Statutes & Data Harm Remedies, Maya E. Rivera

Fordham Intellectual Property, Media and Entertainment Law Journal

As biometric authentication becomes an increasingly popular method of security among consumers, only three states currently have statutes detailing how such data may be collected, used, retained, and released. The Illinois Biometric Information Privacy Act is the only statute of the three that enshrines a private right of action for those who fail to properly handle biometric data. Both the Texas Capture or Use Biometric Identifier Act Information Act and the Washington Biometric Privacy Act allow for state Attorneys General to bring suit on behalf of aggrieved consumers. This Note examines these three statutes in the context of data security …