Volume I | Issue I

Privacy Law Student Organization Newsletter

January 28, 2021
 

Dear PLSO Community,

There’s no better day than Data Privacy Day to present PLSO’s inaugural newsletter! The newsletter contains editorial content, professional highlights, job opportunities, upcoming events, current events, and much more!

Given that it is our first newsletter, we encourage and welcome any feedback you may have. Feel free to send your comments to plso@scu.edu. We would love to hear from you. 

We wish everyone good health, happiness, and luck throughout the new year!

Best,

The PLSO Board

Vanessa Chang – Co-President
Alyssa Aguilar – 1L Representative
Annie Da – Secretary
Clay Goode – 1L Representative
Kaitlyn Jiminez – Co-Events Chair
Mike Martin – Co-Events Chair
Patricio Munoz-Hernandez – Co-Vice President
Haley Nieh – 1L Representative
David Shannon – Co-Treasurer
John-Alec Stouras – Co-Vice President
Cesar Tino – Co-Treasurer
Kimberly Wallace – Co-President
Casey Yang – Co-Communications Chair
Gustavo Alza – Co-Communications Chair

Photo Credit: https://blog.strongvpn.com/happy-data-privacy-day/
 

SCU FACULTY SPOTLIGHT: Professor Eric Goldman


PLSO would like to congratulate our faculty advisor, Professor Eric Goldman, on his new role as Dean of Research here at Santa Clara Law. Professor Goldman is also the faculty advisor for the Internet Law Student Organization (ILSO), the supervisor for the Privacy Law Certificate, and co-directs the High Tech Law Institute (HTLI). Throughout his career, Professor Goldman has become an expert in the field of Internet and Privacy Law, to name a few, and is the leading expert on Emoji law (yes, such a law exists). We checked in with Professor Goldman to learn more about his current research, how 2020 went, and his general thoughts for 2021. We also asked him about his new role, how students can get involved in research, and how he manages to balance it all. 

Q: What are some topics/areas that you are currently researching?

 A: I’m just finishing a 2+ year project called “Content Moderation Remedies.” It looks at the options available to Internet services to address rule violations beyond the obvious options of content removal or account termination. When that project is complete, I’ll work on my next project, called “Validating Transparency Reports.” The project will look at the unique challenges of confirming the accuracy of Internet services’ transparency reports. Another major 2021 project will be covering the Section 230 reform bills introduced in Congress. I expect dozens of bills will be introduced, and parsing them will be time-consuming and tedious.

Editor’s Note: Check out Professor Goldman’s blog here.

Q: In 2020, were there any developments or failures in privacy that really surprised you?

A: I was surprised that other states did not enact a comprehensive consumer privacy law modeled on the California Consumer Privacy Act (CCPA). It’s inevitable that other states will pass their own laws, but the pandemic definitely slowed down their efforts. While not surprising, I was disappointed that California voters approved Prop. 24, the California Privacy Rights Act (CPRA). That law will produce many headaches for Californians. I was also disappointed, but not surprised, that Congress didn’t make more progress on passing a comprehensive consumer privacy law that preempts state laws like the CCPA/CPRA. We will desperately need a single national legal standard as soon as other states clone-and-revise the CCPA/CPRA.

Q: What privacy problems are already happening in 2021 or do you foresee happening?

A: We are continuing to experience major cybersecurity breaches, like the SolarWinds hack, the theft of valuable government information during the January 6 Capitol insurrection, and the hack of Parler’s customer information. These breaches are likely to lead to adverse consequences we haven’t fully experienced yet. Also, the CPRA will require a lot of hard work in 2021 to get ready for its January 1, 2023 effective date. I expect California privacy professionals will be stretched thin trying to monitor those developments along with everything else they are doing.

Q: What are you looking forward to most in your new role?

A: I am most looking forward to singing the praises of the work my colleagues are doing. There is so much amazing research being done in the law school, and I get the honor of evangelizing that work to the world.

Q: What are ways that law students can get involved in research?

A: If students want to help faculty with their research, often it’s as simple as just letting the faculty member know! If you’re excited about an area that faculty members are researching, many faculty members would love to have you on their teams.

I hope students will also consider working on their own research projects. Students can use their research projects to build and demonstrate their professional expertise, which can impress employers and make valuable connections. Research projects can take many forms, not just lengthy law review articles, so there are lots of possibilities for creative and motivated students. Students can get started by joining a journal, taking a course that requires a paper, or approaching a faculty member with a research idea and asking for help.   

Q: Law students balance classes, orgs, journals, jobs, etc. You also balance a lot of work on campus and off, do you have any advice you’d want to relay as to how you make it all work?

A: Like most students, I find it hard not to lament all of the things that I hoped to do but didn’t! But I do have one advantage: I love my job and virtually all of the tasks I do every day. As the old adage goes, find a job you enjoy doing, and you will never have to work a day in your life. Over the years, I have gotten much better about saying “no” to projects that I wasn’t totally excited about, even if I could do them well or would have enjoyed some aspects of them. Weeding out those projects has freed up time to work on the things I enjoy more.

Also, I am constantly evaluating and pruning the information sources I consume. For example, periodically I review the list of people I follow on Twitter and unfollow those that aren’t working for me (even if I really like the person). I also periodically curate my RSS feeds[FN] to unsubscribe from feeds that aren’t adding enough value.

[FN] I bet many students don’t know about RSS. It’s a technology that notifies me when websites add new content so that I can see just the new material without having to proactively check for it. I have about 160 RSS feeds. They are a critical part of my research function and make me far more efficient than I could be otherwise. I use Feedly as my RSS reader.

 
 

DISCLAIMER: The views expressed in this document are those of the authors and do not necessarily represent the authors’ school or the views of the authors’ employers. 
 

Privacy Law & Government’s Right to Track Down Terrorists

By Gustavo Alberto Alza, Jr. 

With assistance from Casey Yang & John Alec Stouras  
 

First and foremost, the authors of this document would like to stress the importance of unity. The United States has recently experienced one of its most politically volatile chapters since the Civil War. One can only pray that Americans will dismiss irrelevant distinctions like Republican or Democrat, Red or Blue, and instead focus on the only distinction that matters AMERICAN. E pluribus unum.  

Since the Snowden revelations, the world has become particularly aware of the Government’s surveillance apparatus and the lack of privacy associated with it. For the record, the authors of this article will not take a position on whether Snowden’s actions were ethical and is critical of Snowden for essentially undermining the American Agencies charged with protecting Americans and our allies. With that said, one understands that technology today allows for communication via the Internet in ways that are likely logged/recorded. Whether it be meta data, the correspondence/media/content itself, or indicators that can be derived via the use of tools like artificial intelligence/machine learning (among others); the simple fact of the matter is that there is more personal information/personal data tied to individuals today than ever before (given more internet usage essentially means more data and therefore… more personal information). 

Despite all of this, none of it stopped hundreds of “Americans” from willingly, knowingly, and intentionally using “unlawful… force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives” on January 6th, 2021, when they decided to attempt to undermine the United States of America’s Presidential election via an insurrection at the United States’ Capitol Building. Moreover, the world witnessed these individuals assaulting the media covering the violence and the Capitol Police. They chanted, “Hang Mike Pence” and created a noose and gallows. They breached congressional chambers and even the private offices of some of the highest ranking government officials, including the Democratic Majority Leader of the House of Representatives, the honorable Nancy Pelosi. People died.

Unfortunately, the overwhelming majority of these terrorizing individuals walked away freely, which leads one to ponder . . . What is the point of all the surveillance if it is not used to stop terrorism that has the potential to escalate to additional violence here at home? Simply stated, this paper attempts to explain that the Government is  free to use surveillance technologies to track down terrorists.This paper will also highlight that, if the Government fails to track down domestic terrorists (i.e. fulfill its obligations), then The People (we) may come together to re-evaluate the use of such technology. We should consider regulating the Government’s use of surveillance technologies in a manner that  induces proper security/enforcement, equity, and privacy. 

An Overview of Potential Data Elements that can be Used to Track Down Terrorists

Technology is a tool that can be used to either benefit society or used to harm such. With that said, one understands that the Government has already been using technology to track down individuals. This section focuses primarily on tools used to tie individuals to criminal activity, such as biometrics (including the use of facial recognition technology), geolocation data, posts on social media platforms, and aggregated metadata.

First, we will address Biometric information. According to NortonLifeLock Inc., there is a wide variety of biometric data types. Given the immense amount of pictures, videos, selfies, and government identification, one could imagine that Federal authorities can, and will, cross-reference this information against databases/datasets controlled, utilized, or accessible by the government. 

An additional note, many of the insurrectionists/terrorists also failed to wear masks, exposing their faces to the potential use of facial recognition technology.       
 

Moreover, according to the Department of Homeland Security, “Biometrics are unique physical characteristics, such as fingerprints, that can be used for automated recognition. At the Department of Homeland Security, biometrics are used to detect and prevent illegal entry into the U.S., grant and administer proper immigration benefits, vetting and credentialing, facilitating legitimate travel and trade, enforcing federal laws, and enabling verification for visa applications to the U.S.”

Interestingly, technology used to target undocumented individuals (typically minorities) can now be leveraged to track down right-wing extremist terrorists (predominantly white). The authors will not comment on such but would like to highlight potential inequity issues, and the fundamental question, “Are we okay with this surveillance apparatus, given the fact that such a tool can be used for good and/or evil and should it be regulated?” 

Second, most Americans understand that when their devices connect to the Internet, they potentially expose their geolocation information. For instance, a cell phone may ping the nearest cellular tower (indicating a rough estimate of the user’s location). Moreover, many users opt-in to location sharing with platforms to receive features that optimize things like navigation, search results, advertisements and even geolocation/geotag information on photos for posts on platforms (among others). 

On the day of the insurrection, many of the individuals committed incredibly serious federal crimes, live streamed, and even posted photos and videos geo-tagging the United States Capitol. Those who traveled to Washington D.C. and ultimately committed terrorism likely created a plethora of data tied to such movements/activity. They likely  joined chat rooms, posted and discussed their activity on social media platforms, and are more likely to be in contact with others who did the same. Therefore, metadata can be used to help identify potential terrorists. Note, this article will not address the plethora of other data elements that can be used by themselves or in conjunction with others to potentially identify criminals for sake of brevity. 

A Brief Legal Analysis

Common Law

With respect to geolocation information, the common law here is clear. In Carpenter v. United States, the United States Supreme Court ruled that law enforcement can obtain geolocation information with proper search warrants. Note, the alleged crimes in Carpenter were far less egregious than terrorism. Consequently, law enforcement will easily be able to gain access to geolocation information.  

Statutory Law

“But Gustavo! California just enacted the California Consumer Protection Act (CCPA) and passed the California Privacy Rights Act (CPRA)!” First and foremost, no American privacy regulation prohibits the government’s ability to conduct surveillance on Americans… period. The CCPA regulates “Businesses,” NOT THE GOVERNMENT, and the CPRA did not change such. “But what about BIPA, which protects the Privacy of Biometric information?” Again, BIPA does not regulate the government.  Overall, California and Illinois statutory law are likely irrelevant and/or preempted by applicable federal law (discussed in next paragraph). 

For instance, FISA warrants may likely cover many of the individuals who participated and conspired in the insurrection if such individuals were communicating with foreign nationals. Note, the European Commission recently invalidated Privacy Shield in large part because of FISA. Furthermore, the Patriot Act, Wiretap Act, Stored Communications Act, CALEA, and potentially even CISA may all be leveraged in order to ensure the safety of Americans and the prompt apprehension of individuals who threaten our constitutional federal republic, lives, and property. If these federal statutes are not enough, federal authorities could also leverage National Security Letters, Executive Order 12333, and the Cloud Act to get the job done. 

Conclusion

As discussed, privacy law will not protect those who commit or attempt to commit terrorism. One believes that those who committed terrorism will be tracked down and prosecuted to the full extent of the law. Moreover, one believes more privacy reforms are coming. It is unclear whether any privacy reforms will ever attempt to regulate the government, and whether such is a good idea from a national security perspective. That being said, one believes that future violence can be prevented, if government authorities work quickly to leverage the intelligence gathering tools discussed in this paper. Moreover, if the public perceives that the government is failing to use the aforementioned technology in an effective, and equitable manner, we the people can come together to reform/improve such. 

As we ponder the future of privacy law, one believes that there needs to be a balance among national security, equity, and the privacy of the innocent. Lastly, although this technology can be used – as in this instance of holding domestic terrorists responsible – for good, this technology can also be used to cause harm, and is essentially an unchecked power wielded by the government. Should such be regulated? You decide.  E pluribus unum.  

About the Author:  www.alza.xyz 

Gustavo A. Alza, Jr. is currently a student at Santa Clara University where he is pursuing a J.D., an M.B.A, a Privacy Law Certificate, and a Finance specialization. He serves as the Managing Editor (Online) of the High Technology Law Journal and is the president and founder of the Blockchain & Compliance Legal Society.  Prior to his current role at Airbnb as a Data Privacy Support Specialist, Gustavo interned for Reserve.org and gained international experience at OhKims Law & Co. in Seoul, Korea where he focused on privacy matters affecting Virtual Asset Service Providers and Blockchain technologies (such as GDPR, CCPA, AML/Anti-terrorism financing & KYC). Prior to his current education at Santa Clara University, Gustavo obtained a B.S. in Economics and a B.A. in Political Science from Loyola Marymount University. In addition to the aforementioned, Gustavo has over a decade of experience in privacy as the Chief Privacy Officer and Information Technology Manager for his family’s medical corporation and is CIPP/US certified. Gustavo is primarily interested in privacy, business, equity, and compliance/national security.

 

Professional Highlights and Spotlights

Ann Staggs – Lead Privacy Counsel Airbnb

Ann brings more than a decade of legal experience in deep data privacy and hands on knowledge developing, maintaining, an strategizing a global privacy program while enabling rapid business growth. Ann is Lead Counsel, Privacy driving GDPR and CCPA initiatives building out the Airbnb Global Privacy Program and also supports product and cross-functional teams across the organization working on areas such as data processing, data strategy, commercial agreements, privacy training, AI/ML, data subject rights, global products, and new product launches.

Airbnb is one of the world’s most recognizable brands, and Ann’s work impacts consumers worldwide. Before joining Airbnb, Ann lead GDPR readiness initiatives for Visa’s Global Privacy Policy, Visa’s Privacy Center, and supported dozens of Visa products spanning Visa Checkout, Visa Developer Platform, and Visa Authentication Solutions. 

Ann was a keynote speaker at PrivacyConnect in London, and speaker panelist at American Lawyer Magazine’s General Counsel Conference in NYC, Stanford Law School, and Santa Clara University Law School.

Beyond her privacy expertise, Ann has a reputation for being an exceptional leader who is passionate about legal diversity and community service. She is widely known in the legal community for her work as a board member of the Bar Association of San Francisco, Minority Coalition Co-Chair, Vietnamese American Bar Association of Northern California President, and De Anza Law Academy board member. Ann is also on Airbnb’s Legal Diversity Committee furthering Airbnb’s commitment to diversity.

 
Emily Yu – Roblox
 
Emily Yu is the Senior Privacy Director, Policy at Roblox, where she oversees the intersection of privacy and data security in collaboration with Roblox’s internal teams. Prior to joining Roblox, Emily was a Senior Corporate Counsel of Global Privacy at Seagate Technology and a Global Privacy Manager at TRUSTe. Emily graduated with a certificate in privacy law with honors from SCU Law, where she was a member of APALSA and an Associate on the Santa Clara University Law Review. 
 
 

Job and Internship Opportunities


Talend – Legal Intern 

Description: Talend is searching for a remote-based, second-year legal intern for the Spring 2021 semester: “As our Legal Intern, you will be exposed to various aspects of a thriving technology company’s legal environment, including contract drafting, international law considerations, privacy concerns, legal research, and hands-on exposure to in-house commercial legal support and operations.” This is a paid opportunity.


Twitch – Legal Internship 

Deadline: February 1, 2021

Description: 3-month program to: (1) support high-caliber law students whose potential is limited only by the opportunities available to them; (2) provide a challenging and rewarding internship experience at the intersection of law and technology; (3) expose participants to various careers within in-house practice; and (4) establish a network of professional contacts who may serve as resources on participants’ continuing journeys. This is a paid opportunity.
Responsibilities: Research substantive legal issues and propose solutions that impact our streamer communities, internal clients, and the company. Draft and negotiate various commercial agreements. Review and analyze current company policies to ensure we remain compliant in a shifting regulatory environment. Update agreement templates for use throughout the organization. Assist with special projects and initiatives, as needed.
Required Application Materials: Resume, Transcript, Writing Sample


6sence Insights, Inc. – 2021 Summer In-House Law Clerk 

Deadline: February 6, 2021

Description: 6sense is seeking a second-year law student with a passion for privacy and transactional law to work closely with 6sense’s in-house legal team and assist with a wide range of tasks. As a 6sense Summer In-House Law Clerk, you will be introduced to the diverse and complex nature of an in-house legal practice within a rapidly growing tech company. Available on SCU’s CORE Platform.

Required Application materials: Resume, Cover Letter, Transcript 


Wikimedia Foundation (San Francisco, CA) – Legal Fellow (Summer ‘21)

Deadline: January 31, 2021

Description: If you’re a current law student or recent law school graduate passionate about free knowledge and open source issues, applying to our legal fellowship program can provide an immersive in-house experience with specific education and training in the areas of Internet law and free knowledge organizations. The Foundation faces a myriad of legal issues ranging from complex copyright questions to international freedom of speech issues to mobile development to internal corporate compliance. Because of the wide array of legal issues, the fellows will be assigned challenging projects based on their particular interests and strengths. These projects range from researching various legal questions to drafting licensing agreements to developing internal and external policies. 

Required Application Materials: Resume 


Upcoming Events


Less Pain, More Gain: How AI Can Cut Data Breach Response Time and Complexity (IAPP) – February 18, 2021
 

Register here. Time: 08:00–09:00 PST, 11:00–12:00 EST, 17:00–18:00 CET

Description: Once a data breach has been identified, the clock to notify impacted individuals starts ticking. Yet, for the most part, assessing the impact and understanding who needs to be notified based on regulatory thresholds is a manual, protracted and often painful multi-step process.

Join us for this privacy education web conference in which we will discuss how using artificial intelligence technology to automate the data breach process can help enterprises manage the complexity of the regulatory landscape, avoid the risks of notifying too late, notifying when not required and notifying the same individuals multiple times.

 
We will cover the practical steps for accelerating the breach process, including:
1. How to quickly narrow the focus on personally identifiable information data impacted by the breach in the initial response phase.
2. How to better understand and extract whose data has been impacted.
3. How to formalize the distinction between individual reports and notification reports.
4. How to consolidate multiple profiles for single individuals for reporting obligations.

Host: Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP
Panelists: Jeremiah Weasenforth, Managing Project Attorney, Orrick Analytics Group & Apoorv Agarwal, CEO and Co-Founder, Text IQ


What Legal Needs to Know: Breaking Down Your 2021 CPRA Compliance Checklist (IAPP) – February 25, 2021
 

Register here. Time: 08:00–09:00 PST, 11:00–12:00 EST, 17:00–18:00 CET

Description: While the California Privacy Rights Act provides organizations with two years of crucial ramp-up time until the law’s core provisions become effective, several new requirements easily justify starting a data inventory and retention policy immediately. The CPRA’s groundbreaking codification of longstanding privacy principles, such as purpose limitation and records retention, means extreme fines are in store for organizations who fail to properly minimize data.
Join us for this privacy education web conference to learn from industry experts about: 
The impact the CPRA will have on organizations and what legal and privacy teams need to consider now.
Data retention requirements and what this means for your organization.
How to best implement data inventory and minimization strategies in 2021 to protect your company’s data and your organization.

Host: Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP
Panelists: Matt Dumiak, CIPP/E, CIPP/US, Director of Privacy Services, CompliancePoint; Robert Fowler, CIPP/US, Director of Strategic Partnerships, Exterro; & Alysa Hutnik, CIPP/US, Chair, Privacy and Information Security Practice Group


Privacy Careers in Big Law (PLSO) – March 19, 2021
 

Time: 12:00–13:00 PST

Description: Law firms are quickly building out and formalizing their Privacy, Cybersecurity, & Data Protection practices. Interested in learning more about what it takes to become a Privacy, Cybersecurity, & Data Protection associate and what such an associate does? Then join us to learn from some of the most esteemed professionals in the field! More information to come!

Host: TBD
Panelists: TBD

Privacy Certificate Reminder


The Privacy Law Initiative and High Tech Law Institute at SCU are proud to announce its partnership with the California Lawyers Association to offer SCU students the opportunity to publish works of scholarship in the CLA BLS online legal publications to satisfy the certificate’s writing requirement. 

For 3Ls who are graduating in May, get your papers going ASAP if you are going to complete the requirement before you graduate. If you want to pursue the option, contact Tom Hassing (tom.hassing@calawyers.org) or Eric Goldman (egoldman@gmail.com).

Privacy Certificate students can also pursue other publication venues. Anything privacy-related published via the IAPP or the Santa Clara High Tech Law Journal automatically satisfies the requirement. Other venues need to be approved by Eric Goldman.

CIPP Study Group Announcements


The CIPP Google Drive has reached its limit on the number of people who can be invited to share a single shared drive. We are still considering alternative options to migrate shared study materials such as to a wiki or other platform without limitations. If you have a suggestion, please feel free to email plso@scu.edu.

In the meantime, if you are preparing to take the CIPP/US exam and need access to the CIPP Google Drive, please join our Google Group here. That should give you access to the drive here

 

Recent News


CPPA – CANADA (not to be mistaken with California’s CCPA, CPRA, or CPPA)

In November 2020, Canada’s parliament brought legislation that, if approved, would be their new privacy policy, the CPPA, the Consumer Privacy Protection Act, not to be confused with the California Consumer Privacy Act, which California voters approved on their November election ballots. Canada presently has PIPEDA, the Personal Information Protection and Electronic Documents Act. The CPPA would bring about a few changes, but a few standouts are as follows. Under the CPPA, consent would be required before the data collection as opposed to consent being required after collection, but before use. Additionally, the CPPA provides that for consent to be deemed valid, plain language information must be provided on certain matters, such as the purpose of processing, or reasonably foreseeable consequences of processing, and more. These shifts seem to place more power and understanding in the hands of data subjects to give them more control over their personal information. There has not been an update on the legislation, but the privacy community has its eyes on it and we will keep you informed.


Brexiting from the GDPR?

As Brexit negotiations are making way and the departure grows closer, we are left to wonder what will happen with privacy laws in the United Kingdom (UK) as they will no longer be governed by the General Data Protection Regulation (GDPR). On December 24, 2020 the European Union (EU) and the UK decided to remain under the GDPR until June 30, 2021. After that date, the UK will be considered a “third country”. What that means is, all personal data from the EU to the UK will be considered a transfer of personal data outside of the EU, to a country not offering an “adequate level of data protection” from an EU point of view, although the regulatory framework of the UK does not change. Companies will have to work hard to maintain compliance and the European Data Protection Board (EDPB) is still evaluating if the UK’s framework is adequate. An update on the adequacy decision is expected in the spring. The next few months will be telling and we hope to have an update on the transition next month.