CONSUMER PROTECTION—EXPLORING PRIVATE CAUSES OF ACTION FOR VICTIMS OF DATA BREACHES

Data breaches are becoming a norm in modern life. Every year it seems that bigger and bigger attacks are launched, and more and more individuals are harmed. The law has responded by increasing states’ ability to prosecute cybercriminals. A glaring hole exists in this protection though. The state is largely an unharmed party. The real harm is done to individual citizens affected by the breaches. Their data is compromised, their identities are stolen, and their livelihoods are placed at risk. This Article will analyze the issue and propose a solution for increased consumer protection in addition to the current criminal punishments

Consumer Protection—Exploring Private Causes of Action for Victims of Data Breaches

Data breaches are becoming a norm in modern life. Every year it seems that bigger and bigger attacks are launched, and more and more individuals are harmed. The law has responded by increasing states’ ability to prosecute cybercriminals. A glaring hole exists in this protection though. The state is largely an unharmed party. The real harm is done to individual citizens affected by the breaches. Their data is compromised, their identities are stolen, and their livelihoods are placed at risk. This Article will analyze the issue and propose a solution for increased consumer protection in addition to the current criminal punishments

Going Rogue: Mobile Research Applications and the Right to Privacy

This Article investigates whether nonsectoral state laws may serve as a viable source of privacy and security standards for mobile health research participants and other health data subjects until new federal laws are created or enforced. In particular, this Article (1) catalogues and analyzes the nonsectoral data privacy, security, and breach notification statutes of all fifty states and the District of Columbia; (2) applies these statutes to mobile-app-mediated health research conducted by independent scientists, citizen scientists, and patient researchers; and (3) proposes substantive amendments to state law that could help protect the privacy and security of all health data subjects, including mobile-app-mediated health research participants

Individual control and data protection. Looking back and moving forward.

This work aims at investigating the concept of “individual control over personal data”, as a core constituent of data protection law. In an era in which personal data have become a main driving force behind innovation, growth and prosperity; companies and governments are at war to gain new usable knowledge; technological advances are upstaging expectations in terms of what can be inferred, predicted and manipulated through data, and people are milked at an increasing speed to fulfill the generalized data hunger, calls to bring individuals back in control of their personal data and develop a more individual-friendly data ecosystem have been increasingly pressing. Yet, older and newer hurdles still hinder a satisfactory implementation of this vision. Against this backdrop, this work intends to investigate in depth the notion of “individual control” in the data protection realm and its persisting shortcomings, and attempt to further explore what steps could be made to move forward, in order to offer the necessary support or supplementation to this underlying principle of data protection. To this end, the analysis starts by providing a historical overview to track the emergence of this notion in the European data protection context, taking into account the role assigned to the concept of “control” in the doctrinal debate, its legal manifestation within regulatory provisions (at national, international and EU level) and the approach of the CJEU jurisprudence on the matter. The analysis further considers the manifold issues that undermine the effective implementation of the idea of individual control, particularly as a result of the technological changes that have transformed our society and revolutionized the way in which we live and communicate. Finally, in light of the shortcomings affecting the privacy self-management logic, the work seeks to explore possible a selection of mechanisms and approaches that, if adequately leveraged and implemented, could offer effective support and complementation to the individual control model, with a view to increasing the level of protection offered to individuals. These mechanisms include both “individual-centric” measures, whose leading actors remain data subjects and whose objective is to enhance the means individuals can use to gain better control, but also measures that move beyond a strict “data subject-focused” dimension, in that they are addressed to different societal actors and approach data protection from a broader collective rather than strictly individualistic perspective. As the analysis shows, there is, unfortunately, no silver bullet. However, the promotion and valorization of the proposed mechanisms and the combined benefits that these could bring, in their own way, on the data protection table are a first essential step to start building a systemic and comprehensive response to the protection gaps that afflict individuals and society as a result of the weaknesses currently affecting the individual control logic

The Development and the Future of Privacy in Maine

In the United States, privacy law has traditionally developed in concert with intrusions created by newfangled technologies. This pattern has held true in Maine. Beginning in the late 1960s, the state has experienced three eras of privacy reform that track the technological advances of the mid-century, the internet era, and the new era of social media and big data. This Article details these three eras of reform and advances several proposals for responding to the challenges posed by the era that we are living through today. Indeed, at the beginning of the 2020s, there is much work on the horizon to ensure that Maine’s privacy laws keep up with new technological and social developments. The coronavirus pandemic looms large over all facets of society and privacy law is no exception. The pandemic had made us even more reliant on online services that collect, use, and share previously unfathomable quantities of data, leaving residents’ personal information vulnerable to misuse. Increased attention to racial injustice and over-policing in the wake of George Floyd’s tragic murder have likewise highlighted privacy issues with which Maine must continue to grapple. Finally, Northeastern University recently opened the Roux Institute in Portland, offering various graduate-level degrees pertaining to the practical application of artificial intelligence and machine learning in the digital and life sciences. This development offers exciting educational and economic opportunities for the state, but also indicates that regulating AI and machine-learning technologies will be important to preserving Mainers’ privacy rights in the near future. All of these recent challenges, moreover, have emerged against the backdrop of the existing privacy threats posed by social media, big data, mass surveillance, and more. This Article is thus well-timed to inform those who will be tasked with shaping Maine privacy law in the coming years and decades. In Part I of the Article, I detail the three eras of reform highlighted above. In Part II, I propose that Maine enact a general consumer privacy law endowing Mainers with certain rights to their personal information, vesting consumer privacy rulemaking authority in a state agency, regulating automated decision-making technologies, and more. After proposing the general consumer privacy law, I identify five privacy threats that warrant additional attention from the legislature: facial recognition technology; biometric information; smart-home devices; data brokers; and the Maine Information and Analysis Center. Part III briefly concludes the Article

Schrems\u27s Slippery Slope: Strengthening Governance Mechanisms to Rehabilitate EU-U.S. Cross-Border Data Transfers After Schrems II

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Framework, the central data governance mechanism that once governed cross-border data transfers from the European Union (EU) to the United States. For the second time in five years, Europe’s top court invalidated the primary method of cross-border data transfers. Both times the CJEU found that the United States’s surveillance laws were, and remain, overbroad and fail to provide EU citizens with protections that are essentially equivalent to those guaranteed under the EU’s General Data Protection Regulation (GDPR) in light of the Charter of Fundamental Rights of the European Union. As a result, more than 5400 companies that utilized the Privacy Shield Framework are now scrambling to implement new mechanisms to govern their data transfers along with what they hope are effective supplementary technical, operational, or contractual measures to achieve an essentially equivalent level of protection for their cross-border data transfers from the EU to the United States. Currently, there exists minimal guidance about how companies may satisfy the GDPR’s requirements. Even if the United States and the EU negotiate and implement a “Privacy Shield 2.0” in the near future, a new framework is unlikely to remedy some of the faults the CJEU has consistently identified in U.S. surveillance law. This Note argues that a combination of private-law enhancements, contractual and technical, along with minor modifications to the administrative and judicial oversight of U.S. intelligence agencies, is required to create a sound and stable framework that achieves the needs of EU individuals’ privacy rights and still enables the United States to exercise legitimate foreign surveillance in the interest of national security