Georgetown Law
Technology Review

On October 14–16, thought leaders from across the country attended the fifth annual Privacy + Security Forum. Professor Daniel Solove of George Washington University Law School and Professor Paul Schwartz of UC Berkeley School of Law organized the forum. Their goal was to craft presentations and sessions to help businesses implement solutions to privacy and security issues in the real world. Participants included hundreds of attorneys, academics, policymakers, chief information officers, and experts from NGOs.

One session, led in combination by Professor Melissa Goldstein from GW and Kirk Nahra, a partner at WilmerHale, covered evolving privacy issues in research involving human participants. The Common Rule, originally codified as a federal regulation in 1991, sets the standard for human research ethics. Although the updated Common Rule provides guidelines on how to handle research participants’ data, Professor Goldstein emphasized that “with enough information, motivation, and effort,” anonymized records can be used to re-identify people. In the international research domain, Mr. Nahra noted that the Common Rule and the EU’s General Data Protection Regulation (GDPR) provide differing guidance on obtaining consumer consent, which has led to increased confusion among researchers.

Another session—titled “The Tale of Multi-Jurisdiction Privacy Laws”—provided very practical guidance on putting together an effective privacy program at a company. The panelists discussed the varying breach notification standards across the United States, the different definitions of “sensitive data” among jurisdictions, and tips on how to operationalize a privacy program. Above all, they stressed the importance of developing good relationships between privacy compliance officers, security teams, and senior management. Strong intra-company relationships are key in creating a company culture where privacy is a top priority for all professionals within the organization.

In addition to the two main session days, this year’s conference also featured a bonus pre-conference, which was titled the Cybersecurity + Risk Summit, and focused on GDPR and international privacy and security. Attendees also had the chance to participate in specific workshops on the California Consumer Privacy Act, blockchain, and data mapping.

Overall, the conference was a great opportunity for attendees to learn more about complex privacy and security issues, as well as how current professionals are addressing them. The conference brought together a diverse group of practitioners and afforded them the occasion for valuable information exchange and future collaboration. The next conference will be in May 2020 and is currently accepting proposals for speakers and sessions.