“I Love Lucy” provides the central metaphor for a Brookings paper released today on what to do to protect privacy. It comes from the episode where Lucy goes to work wrapping candies on an assembly line. The line keeps speeding up with the candies coming closer together, and, as they fall farther behind, Lucy and her sidekick Ethel scramble harder to keep up. “I think we’re fighting a losing game,” Lucy says.
Latest in Data Protection
Corporate Data Collection and U.S. National Security: Expanding the Conversation in an Era of Nation State Cyber Aggression
This post has been adapted from prepared remarks delivered at the Georgetown Law Cybersecurity Law Institute luncheon on May 24, 2018.
Not so long ago, it was hard to find anyone who thought regulating Silicon Valley was even possible, let alone a good idea. Deference to the technology industry was such that companies were sometimes even applauded for baldly violating existing regulations. Think of the early days of Uber, whose “innovative” business model relied on running over transportation regulations and dealing with fines and lawsuits later.
After four years of negotiation, the European Parliament approved the General Data Protection Regulation (GDPR) on April 14, 2016. Enforcement is scheduled to begin May 25. This post provides a high-level summary of what the GDPR requires, how it differs from past EU data regulations and what it means for how data is handled outside the EU.
What the GDPR Does
If your personal information is released but never misused, can you sue the company that was supposed to keep it safe? Some federal circuits say no; others say yes. A new cert petition in Attias v. CareFirst, filed in appeal of the D.C. Circuit’s decision to allow one such lawsuit to proceed, argues that it is time for the Supreme Court to decide.
Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California’s federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016.
Last week, credit reporting outlet Equifax disclosed that it was subject to a massive hack of personally identifiable information that may have compromised the data of as many as 143 million Americans. Unlike many other high-profile data breaches, many of the individuals affected might never have used Equifax, or viewed or consented to its data retention policies.
Last year, the Republican National Committee hired a firm called Deep Root Analytics to collect voter information. The firm accidentally exposed approximately 198 million personal voter records. This was 1.1 terabytes of personal information that the company left on a cloud server without password protection for two weeks.
On June 21 of this year, victims filed a class action in Florida court against Deep Root Analytics for harm resulting from a data breach.
Beijing has published a bevy of laws, regulations, and policy statements over the past six months on cyber governance.
As the U.S. reexamines its trade policy, commentators following U.S.-China affairs have noted an important area that has not received as much attention as the bilateral trade in goods but may one day rival it: the digital economy. Although U.S. exports of information and communication technology-related services to China totaled $12.8 billion in 2015, e-commerce sales in China were estimated to be $672 billion in 2014 (double that of the United States).