Videos
“The Statutory Foreign Affairs Presidency,” A Symposium at the University of Pennsylvania
October 13, 2023
“3 Jahre DSGVO” (“3 Years GDPR”), German Language Interview with Frederick Richter, Data Protection Foundation
May 25, 2021
My Comments at the First Annual Reidenberg Lecture, Fordham Law School
April 29, 2021
First Annual Reidenberg Lecture, Fordham law School, Featuring Judge Denny Chin
April 29, 2021
Recht auf Vergessenwerden (Right to be Forgotten)
Nov. 19, 2020
Discussion of the right to be forgotten as part of a panel on the Deutsche Welle
Global Data Privacy Law
Nov. 9, 2018
Faculty Insights: Global Privacy Challenges
Fall 2016
World Affairs Council – Our Lives Online: US v. EU
September 17, 2015
ALI Project: Principles of Data Privacy
Spring 2015
Audio
The Explosion in Novel Data Privacy Claims (Law, disrupted)
Discussion with John B. Quinn, founder and chairman of Quinn Emanuel Urquhart & Sullivan LLP, Viola Trebicka, partner in Quinn Emanuel’s Los Angeles office and the Co-Chair of the firm’s Data Privacy and Security Practice, and Stephen Broome, partner in the firm’s Los Angeles and New York offices and the Co-Chair of the firm’s Data Privacy and Security Practice on the explosion of data privacy claims across the United States.
In particular, the discussion revolves around the increase in claims being brought under the Illinois Biometric Information Privacy Act (BIPA) and claims based on new novel theories of recovery. Not only are plaintiffs bringing common law invasion of privacy claims, they are also repurposing statutes that did not contemplate contemporary data gathering practices, such as the Video Privacy Protection Act and Federal Wire Tap Act of 1968.
The discussion then moves to the lack of comprehensive national legislation that addresses data privacy and the most recent attempt, the American Data Privacy Protection Act (ADPPA). In returning to the discussion on privacy claims, the panel talks about how plaintiffs build large damage claims and how companies can protect against these huge awards. Finally, the panel discusses what has been notable about recent FTC enforcement actions, including patterns of personal liability for senior executives and extreme specificity in what companies are to do in the aftermath of a data breach.
Corona im Rechtsstaat (Corona and the Rule of Law), Episode 20
Discussion with Prof. Niko Haerting, Haerting Law, about the different discussion of the Corona-Apps in Europe and the United States. Discussion is first in German, and then in English (May 22, 2020).
Niko Härting unterhält sich mit dem Datenschutzexperten Prof. Schwartz (Uni Berkeley) über die Corona-Maßnahmen in Kalifornien. Dort gibt es seit 9 Wochen eine rigide Ausgangssperre. Erst auf Deutsch, dann auf Englisch geht es auch um die sehr unterschiedlichen Diskussionen der Datenschützer über Corona-Apps in Europa und den USA. Während in Deutschland weitgehend Einigkeit darüber herrscht, dass die Apple/Google-Lösung datenschutzfreundlich ist, wird diese Lösung in den USA vielfach kritisch gesehen. Man zweifelt an der Effizienz einer dezentralen Datenspeicherung und sieht die Rolle von Apple und Google kritischer, als dies in Deutschland der Fall ist.
US-Technologie-Firmen vor grosser Herausforderung
Audio in German, (“US tech firms face a great challenge.”), SRF, Swiss Public Radio, October 7, 2015 (segment on ECJ decision invalidating the Safe Harbor)
It Has Your Money—and Your Pants Size. Here’s What PayPal Is Doing With Them.
Wall Street Journal, Oct. 25, 2024 by Imani Moise
Starting on Nov. 27, 2024, PayPal will compile and sell customer purchase data to retailers for targeted advertising. Advertisers find personal financial data like transaction patterns or checking account statements highly valuable because the data can reveal income levels, sources of earnings, and how people spend on specific categories such as child care or political donations. Federal law allows banks and financial-technology firms like PayPal to share vast amounts of customer data with outside parties for marketing as long as disclosure and opt-out requirements are met. “Disclosure requirements were set 25 years ago, and most financial companies use boilerplate language to satisfy legal requirements without adding details about how data is collected and shared,” says Paul Schwartz, co-director of the Center for Law & Technology at the University of California, Berkeley, School of Law. “The best way to give consumers more control over their data would be to switch the opt-out system to an opt-in one, which would require congressional action.”
US privacy litigation surges, though not because of California privacy law, expert says
MLex, Mar. 8, 2024 by Mike Swift
The number of data privacy lawsuits filed in federal courts in the US has more than doubled over the past five years, but there’s little evidence the surge of litigation is solving the harms many plaintiffs claim.
Paul Schwartz, a Berkeley law professor, noted at today’s conference the absence of two major institutions from the shaping of privacy litigation – the US Supreme Court and Congress. The key federal wirtetapping act, he noted, is nearly 40 years old.
“A lot of this speaks to Congressional gridlock,” Schwartz said. “We have major statutes in this area dating back to 1986. The Congress at that time had no notion of how the Internet was going to develop – how could you? – so [current laws] are quite antiquated in terms of being applied to technology that nobody could dream of at the time.”
The Illinois Supreme Court has been active in shaping interpretation of that state’s most prominent privacy law, the Biometric Information Privacy Act, Schwartz said. But compare that with the US Supreme Court, “which has been largely absent, for better or worse, from the privacy landscape,” he said.
Tabloid Hired Gun Tells of Shady Hunt for Meghan Markle Scoops
The New York Times, Mar. 18, 2021 by Sarah Lyall and Mark Landler
Mr. Portley-Hanks logged in to TLOxp, a service with a vast database of restricted information about individuals and businesses, and pulled up a trove of details — home addresses, cellphone numbers, Social Security numbers and more — about Ms. Markle, her parents, her siblings and her ex-husband. He then sold it to the U.S. editor, James Beal, for $2,055, according to an invoice reviewed by The New York Times.
Licensed private investigators like Mr. Portley-Hanks have the right to access such information on behalf of clients to use, for example, in civil and criminal cases. But it is a violation of U.S. privacy statutes for people to pass these reports on to news organizations. (U.S. news outlets can research some information on TLOxp and similar services, but only have access to a limited set of data.)
“There’s lots of things you can use these reports for — but not this,” said Paul M. Schwartz, an expert in privacy law and professor at Berkeley Law School.
Opinion: Regulating Big Tech will be hard, and California is Proving it
MarketWatch, Jan. 2, 2021 by Therese Poletti
“CCPA really changed a lot, for California law, and for the world,” said Paul Schwartz, a professor at the Berkeley Law School and director of the Berkeley Center for Law and Technology at U.C. Berkeley. “Both CCPA and CPRA govern businesses based in California and processing information of California residents. Since California is the fifth largest economy in the world, that is a lot of information. It’s a wide reach.”
The CPRA, he said, is an elaborate amendment to the CCPA. Enforcement of the new law will not begin until July 2023, giving businesses some time to address the new requirements, which provide more consumer protections.
How California could benefit from a privacy deal with the EU
Politico Pro, Jan. 9, 2019 by Katy Murphy
Bruno Gencarelli, the European Commission’s head of international data protection, stated that the European Union “in principle” could reach a data-transfer agreement with the state of California. Such an agreement would depend on whether the European Commission deems the California Consumer Privacy Act (CCPA) to sufficiently protect Europeans’ personal data. To reach an agreement, California must apply for an adequacy arrangement with the European Union. “The process and ensuing negotiations can drag on for months, and even years,” said University of California, Berkeley School of Law professor Paul Schwartz, an information privacy expert. A proposed initiative by Alastair Mactaggart, the wealthy privacy advocate and original proponent of CCPA, would provide the CCPA with an “EU-friendly makeover” by creating a new data protection regulatory authority in California, adding restrictions on use of sensitive data and automated decision-making, and other elements similar to GDPR. “It’s really striking how much of this is like EU law,” Schwartz said.
Column: Shadowy data brokers make the most of their invisibility cloak
Los Angeles Times, Nov. 5, 2019 by David Lazarus
Apple preaches privacy. Lawmakers want the talk to turn to action.
The Washington Post, July 15, 2019 by Reed Albergotti and Tony Romm
The Telegraph, July 6, 2019 by Laurence Dodds and Olivia Rudgard
Massive La Liga Fine Just the Beginning of Sports Media’s Newest Battle
Sports Illustrated, June 14, 2019 by Jacob Feldman
Spain’s top soccer league, La Liga, was fined €250,000 ($280,000) by the country’s data protection agency for monitoring its Android app users’ microphones and locations without proper approval. The feature was designed to imperceptibly identify bars playing league games by obtaining geographic information to check whether the establishment had paid to license the content or was showing it illegally. According to Berkeley Law professor Paul Schwartz, such a tactic would be met with similar rebuke in the U.S. Regardless of what is in the fine print, Professor Schwartz stated that if an analysis found the behavior to be outside the bounds of user expectations, the Federal Trade Commission maintains the power to rule the practice deceptive and/or unfair.
Verizon gives away cool freebies, as long as you give away your privacy
Los Angeles Times, September 15, 2017 by David Lazarus
Verizon is bribing people into giving up their privacy through their rewards program called Verizon Up. The reward credits can be used to “get exclusive access to prime sporting events, shows, concerns, and live experiences.” But consumers may not realize how much personal information and behavioral data they are giving up just to get their hands on a fast freebie. “All sorts of companies—Google, Facebook— are already in the data collection business,” said Paul Schwartz, a law professor at UC Berkeley and co-director of the Berkeley Center of Law and Technology. “Now we’re seeing older companies—cable companies, cellular companies—placing a great emphasis on it,” he said.
Experts criticize US electronic devices ban on some flights from Middle East
The Guardian, March 21, 2017 by Sam Thelma
On March 20th, the U.S. Transportation Safety Administration (TSA) rushed out a “confidential” ban that prohibits laptops, iPads, and other electronics “larger than a cellphone” on flights coming from 10 airports in the Middle East. The ban has been sharply criticized by technology experts who questioned both its purpose and effectiveness. As noted by Professor Paul Schwartz, “terrorists have cells throughout the entire world.” As an example, the hijackers responsible for 9/11 had a cell in Hamburg, Germany. Thus, “[o]ne potential problem with this approach where you single out countries is that you ignore the extent to which the terrorist threat is kind of state-less.”
Privacy regulations increasingly unwieldy heading into 2017
Daily Journal, December 29, 2016, by Joshua Sebold
The year 2016 witnessed a dramatic expansion of privacy regulations from federal agencies, foreign countries, and state governments. The increase has led to an almost unmanageable amount of information. As stated by Professor Paul Schwartz, a special adviser at Paul Hastings LLP and the Jefferson E. Peyser Professor at UC Berkeley School of Law, “I don’t know how we can keep up at this pace. For those of us who practice and teach in this field, it’s almost scary.” In particular, the invalidation of the U.S.-EU Safe Harbor Framework by the EU Court of Justice forced the United States and the European Union to scramble to create the replacement Privacy Shield, which requires that companies have agreements with third party contractors with whom they share data. A recent update to HIPAA, the Health Insurance Portability and Accountability Act, similarly requires companies to rewrite contracts with third party contractors.
Kanye West may have broken the law by recording call with Taylor Swift
The Guardian, July 18, 2016, by Sam Levin
Music star Kanye West may have broken California law by secretly recording a phone call with pop star Taylor Swift. California law requires “two-party consent,” meaning that it is a crime to record any form of communication without the consent of all involved parties. West could thus be facing both civil and criminal liability if it turns out that he secretly recorded the call. While criminal prosecution is unlikely, Swift could bring a tort claim for damage to her reputation. As explained by Professor Paul Schwartz, co-director of the Berkeley Center for Law and Technology and a professor at the University of California, Berkeley, School of Law, Swift could also bring a tort claim based on West’s “public disclosure of private facts.”
Scope of EU Privacy Law Has Companies Scrambling to Comply
Law360, April 20, 2016, by Allison Grande
Last week the European Parliament approved the proposed general data protection regulation, or GPDR, which will supplant Europe’s current data protection framework. The GDPR is a uniform regime that increases restrictions and provides national privacy regulators with the authority to fine companies up to either 4 percent of a company’s annual global revenue or $22.2 million. Because the regulation increases the burden on multinational companies, most businesses will have to establish new guidelines for working with EU customers. As explained by Professor Paul Schwartz, a special adviser at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “To some extent, U.S. companies welcome the GDPR because they feel that it offers greater harmonization, but there are national differences and differences between the various national data protection authorities that are not going to go away.”
EU Privacy Pushback Prompts Lawyers to Look for Plan B
The Recorder, April 13, 2016 by Ben Hancock
On April 13th the Article 29 Working Party, composed of Europe’s data protection regulators, sharply criticized the draft US-EU “Privacy Shield” framework as insufficient to uphold EU law and limit the collection of data by US companies. As a result, attorneys may advise clients to employ different mechanisms to abide by EU law. Although the working party’s opinion is non-binding on the European Commission, it has important political ramifications ahead of decisions by EU member states on whether to approve the deal. As explained by Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, the opinion “puts down a marker” by which the EU Court of Justice can evaluate the new framework.
Feds Lose Leverage With Breakthrough in Apple Phone Fight
Law360, March 30, 2016, by Allison Grande
Despite the FBI’s insistence that it needed Apple’s help to unlock an iPhone used by one of the suspects in the San Bernardino shooting, the government has now confirmed that it found a way to break into the phone without Apple’s assistance. While this particular fight may be over, the outcome may weaken the government’s argument in future disputes that it requires assistance from a third party technology company. In addition, the publicity surrounding the debate will likely incentive these companies to further bolster their security. As explained by Professor Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “A takeaway for Internet service providers and tech companies is that the government is going to be coming for us, so we need to continue to make our protections even stronger.”
Apple Peels Away At DOJ Bid To Unlock Phones With NY Win
Law360, March 1, 2016 by Allison Grande
U.S. Magistrate Judge Judge James Ornstein ruled on Monday that Apple does not have to help the government unlock a drug dealer’s iPhone. The New York order undermines the government’s position in a separate California case, in which prosecutors are arguing that their request for access to the suspected San Bernardino shooter’s phone is an isolated incident. As explained by Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “While the New York order is not directly binding outside this particular case, it does boost Apple because it undercuts the government’s argument that what is being requested in the San Bernardino case is minimal and unique by showing that these types of requests are being made all over the country.”
Lawyers Anticipate More Teeth in New Data-Transfer Pact
The Recorder, February 3, 2016, by David Ruiz
Paul Hastings special adviser Paul Schwartz, a law professor at UC-Berkeley, said the proposed Privacy Shield, when taken together with another soon to be adopted data-privacy regulation, signals a new mode of thinking for European enforcement. That law, the General Data Protection Regulation, exposes companies to high fines for violations. According to the new law, a company could be fined either 2 million euros or 4 percent of their global revenue for infractions. For Alphabet, Google’s new corporate parent, a 4 percent fine could approach $3 billion based on the earnings figures it posted Feb. 1. “If that’s their new model,” Schwartz said, “people are going to have to take this much more seriously.”
VW Refuses to Give American States Documents in Emissions Inquiries
The New York Times, January 8, 2016 by Danny Hakim and Jack Ewing
Volkswagen has refused to give emails or other executive communications to attorneys general in the United States on the basis of German privacy laws. The delay is impeding American investigators trying to determine the extent of the company’s emissions-cheating scandal. Germany has stricter privacy laws than the United States, including its Federal Data Protection Act, which limits access to data, particularly outside the European Union. “In the E.U., data protection is a fundamental right that is in the European Charter,” said Paul M. Schwartz, a law professor at the University of California, Berkeley and co-director of its Center for Law & Technology. The German federal constitutional court has also identified a right to “informational self-determination,” he said. Such laws are “real obstacles,” he said, adding, “Europeans really take privacy seriously.”