ISBN-13: 9781119594246 / English / Hardcover / 2019 / 496 pages
1 Origins and Concepts of Data Privacy ... 1
  1.1 Questions and Challenges of Data Privacy ... 2
    1.1.1 But Cupid Turned Out to Be Not OK ... 3
  1.2 The Conundrum of Voluntary Information ... 3
  1.3 What is Data Privacy? ... 5
    1.3.1 Physical Privacy ... 5
    1.3.2 Social Privacy Norms ... 5
    1.3.3 Privacy in a Technology-Driven Society ... 5
  1.4 Doctrine of Information Privacy ... 6
    1.4.1 Information Sharing Empowers the Recipient ... 6
    1.4.2 Monetary Value of Individual Privacy ... 7
    1.4.3 "Digital Public Spaces" ... 7
    1.4.4 A Model Data Economy ... 8
  1.5 Notice-and-Choice versus Privacy-as-Trust ... 9
  1.6 Notice-and-Choice in the US ... 9
  1.7 Enforcement of Notice-and-Choice Privacy Laws ... 11
    1.7.1 Broken Trust and FTC Enforcement ... 11
    1.7.2 The Notice-and-Choice Model Falls Short ... 12
  1.8 Privacy-as-Trust: An Alternative Model ... 13
  1.9 Applying Privacy-as-Trust in Practice: The US Federal Trade Commission ... 14
    1.9.1 Facebook as an Example ... 15
  1.10 Additional Challenges in the Era of Big Data and Social Robots ... 16
    1.10.1 What is a Social Robot? ... 16
    1.10.2 Trust and Privacy ... 17
    1.10.3 Legal Framework for Governing Social Robots ... 17
  1.11 The General Data Protection Regulation (GDPR) ... 18
  1.12 Chapter Overview ... 19
  Notes ... 21
2 A Brief History of Data Privacy ... 23
  2.1 Privacy as One's Castle ... 23
    2.1.1 Individuals' "Castles" Were Not Enough ... 24
  2.2 Extending Beyond the "Castle" ... 24
  2.3 Formation of Privacy Tort Laws ... 24
    2.3.1 A Privacy Tort Framework ... 25
  2.4 The Roots of Privacy in Europe and the Commonwealth ... 25
  2.5 Privacy Encroachment in the Digital Age ... 26
    2.5.1 Early Digital Privacy Laws Were Organic ... 27
    2.5.2 Growth in Commercial Value of Individual Data ... 27
  2.6 The Gramm-Leach-Bliley Act Tilted the Dynamic against Privacy ... 28
  2.7 Emergence of Economic Value of Individual Data for Digital Businesses ... 29
    2.7.1 The Shock of the 9/11 Attacks Affected Privacy Protection Initiatives ... 29
    2.7.2 Surveillance and Data Collection Was Rapidly Commercialized ... 30
    2.7.3 Easing of Privacy Standards by the NSA Set the Tone at the Top ... 30
  2.8 Legislative Initiatives to Protect Individuals' Data Privacy ... 31
  2.9 The EU Path ... 33
    2.9.1 The Internet Rights Revolution ... 34
    2.9.2 Social Revolutions ... 34
  2.10 End of the Wild West? ... 37
  2.11 Data as an Extension of Personal Privacy ... 37
  2.12 Cambridge Analytica: A Step Too Far ... 39
  2.13 The Context of Privacy in Law Enforcement ... 39
  Summary ... 41
  Notes ... 41
3 GDPR's Scope of Application ... 45
  3.1 When Does GDPR Apply? ... 45
    3.1.1 "Processing" of Data ... 46
    3.1.2 "Personal Data" ... 47
    3.1.3 Exempted Activities under GDPR ... 51
  3.2 The Key Players under GDPR ... 52
  3.3 Territorial Scope of GDPR ... 54
    3.3.1 Physical Presence in the EU ... 54
    3.3.2 Processing Done in the Context of the Activities ... 55
    3.3.3 Users Based in the EU ... 56
    3.3.4 "Time of Stay" Standard ... 57
  3.4 Operation of Public International Law ... 57
  Notes ... 57
4 Technical and Organizational Requirements under GDPR ... 61
  4.1 Accountability ... 61
  4.2 The Data Controller ... 62
    4.2.1 Responsibilities of the Controller ... 63
    4.2.2 Joint Controllers and Allocating Liability ... 65
    4.2.3 The Duty to Cooperate with the SA ... 68
  4.3 Technical and Organizational Measures ... 69
    4.3.1 Maintain a Data-Protection Level ... 69
    4.3.2 Minimum Requirements for Holding a Data Protection Level ... 69
    4.3.3 Weighing the Risks ... 70
    4.3.4 The Network and Information Systems Directive ... 71
  4.4 Duty to Maintain Records of Processing Activities ... 72
    4.4.1 Content of Controller's Records ... 72
    4.4.2 Content of Processor's Records ... 73
    4.4.3 Exceptions to the Duty ... 73
  4.5 Data Protection Impact Assessments ... 73
    4.5.1 Types of Processing That Require DPIA ... 74
    4.5.2 Scope of Assessment ... 75
    4.5.3 Business Plan Oversight ... 78
  4.6 The Data Protection Officer ... 80
    4.6.1 Designation of DPO ... 80
    4.6.2 Qualifications and Hiring a DPO ... 81
    4.6.3 Position of the DPO ... 81
    4.6.4 Tasks of the DPO ... 82
    4.6.5 An Inherent Conflict of Interest? ... 83
    4.6.6 DPO Liability ... 84
  4.7 Data Protection by Design and Default ... 84
    4.7.1 Data Protection at the Outset ... 84
    4.7.2 Balancing the Amount of Protection ... 85
    4.7.3 Applying Data Protection by Design ... 86
    4.7.4 Special Case: Blockchain Technology and GDPR ... 91
  4.8 Data Security during Processing ... 92
    4.8.1 Data Security Measures ... 93
    4.8.2 Determining the Risk Posed ... 94
    4.8.3 Data Protection Management Systems: A "Technical and Organizational Measure" ... 94
  4.9 Personal Data Breaches ... 94
    4.9.1 Overview of Data Breaches ... 95
    4.9.2 The Controller's Duty to Notify ... 103
    4.9.3 Controller's Duty to Communicate the Breach to Data Subjects ... 106
  4.10 Codes of Conduct and Certifications ... 107
    4.10.1 Purpose and Relationship under GDPR ... 107
    4.10.2 Codes of Conduct ... 108
    4.10.3 Certification ... 110
  4.11 The Data Processor ... 112
    4.11.1 Relationship between Processor and Controller ... 112
    4.11.2 Responsibilities of Controller in Selecting a Processor ... 113
    4.11.3 Duties of the Processor ... 114
    4.11.4 Subprocessors ... 116
  Notes ... 116
5 Material Requisites for Processing under GDPR ... 125
  5.1 The Central Principles of Processing ... 125
    5.1.1 Lawful, Fair, and Transparent Processing of Data ... 126
    5.1.2 Processing Limited to a "Purpose" ... 127
    5.1.3 Data Minimization and Accuracy ... 130
    5.1.4 Storage of Data ... 131
    5.1.5 Integrity and Confidentiality of the Operation ... 131
  5.2 Legal Grounds for Data Processing ... 132
    5.2.1 Processing Based on Consent ... 132
    5.2.2 Processing Based on Legal Sanction ... 144
    5.2.3 Changing the Processing "Purpose" ... 148
    5.2.4 Special Categories of Data ... 149
  5.3 International Data Transfers ... 161
    5.3.1 Adequacy Decisions and "Safe" Countries ... 162
    5.3.2 Explicit Consent ... 166
    5.3.3 Standard Contractual Clauses ... 166
    5.3.4 The EU-US Privacy Shield ... 169
    5.3.5 Binding Corporate Rules ... 172
    5.3.6 Transfers Made with or without Authorization ... 175
    5.3.7 Derogations ... 177
    5.3.8 Controllers Outside of the EU ... 180
  5.4 Intragroup Processing Privileges ... 182
  5.5 Cooperation Obligation on EU Bodies ... 183
  5.6 Foreign Law in Conflict with GDPR ... 184
  Notes ... 185
6 Data Subjects' Rights ... 193
  6.1 The Controller's Duty of Transparency ... 194
    6.1.1 Creating the Modalities ... 194
    6.1.2 Facilitating Information Requests ... 195
    6.1.3 Providing Information to Data Subjects ... 195
    6.1.4 The Notification Obligation ... 196
  6.2 The Digital Miranda Rights ... 197
    6.2.1 Accountability Information ... 197
    6.2.2 Transparency Information ... 198
    6.2.3 Timing ... 200
    6.2.4 Defenses for Not Providing Information ... 200
  6.3 The Right of Access ... 201
    6.3.1 Accessing Personal Data ... 201
    6.3.2 Charging a "Reasonable Fee" ... 202
  6.4 Right of Rectification ... 203
    6.4.1 Inaccurate Personal Data ... 204
    6.4.2 Incomplete Personal Data ... 204
    6.4.3 Handling Requests ... 204
  6.5 Right of Erasure ... 205
    6.5.1 Development of the Right ... 205
    6.5.2 The Philosophical Debate ... 206
    6.5.3 Circumstances for Erasure under GDPR ... 209
    6.5.4 Erasure of Personal Data Which Has Been Made Public ... 211
    6.5.5 What is "Erasure" of Personal Data? ... 212
    6.5.6 Exceptions to Erasure ... 212
  6.6 Right to Restriction ... 214
    6.6.1 Granting Restriction ... 215
    6.6.2 Exceptions to Restriction ... 216
  6.7 Right to Data Portability ... 216
    6.7.1 The Format of Data and Requirements for Portability ... 217
    6.7.2 Business Competition Issues ... 218
    6.7.3 Intellectual Property Issues ... 219
    6.7.4 Restrictions on Data Portability ... 220
  6.8 Rights Relating to Automated Decision Making ... 221
    6.8.1 The Right to Object ... 221
    6.8.2 Right to Explanation ... 223
    6.8.3 Profiling ... 224
    6.8.4 Exceptions ... 225
    6.8.5 Special Categories of Data ... 225
  6.9 Restrictions on Data Subject Rights ... 226
    6.9.1 Nature of Restrictions Placed ... 226
    6.9.2 The Basis of Restrictions ... 227
  Notes ... 228
7 GDPR Enforcement ... 233
  7.1 In-House Mechanisms ... 233
    7.1.1 A Quick Review ... 234
    7.1.2 Implementing an Internal Rights Enforcement Mechanism ... 235
  7.2 Data Subject Representation ... 240
    7.2.1 Standing of NPOs to Represent Data Subjects ... 240
    7.2.2 Digital Rights Activism ... 241
  7.3 The Supervisory Authorities ... 241
    7.3.1 Role of Supervisory Authority ... 241
    7.3.2 The Members of the Supervisory Authority ... 242
    7.3.3 An Independent Body ... 243
    7.3.4 Professional Secrecy ... 243
    7.3.5 Competence of the Supervisory Authority ... 244
    7.3.6 Tasks of the Supervisory Authority ... 246
    7.3.7 Powers of the SA ... 248
    7.3.8 Cooperation and Consistency Mechanism ... 250
    7.3.9 GDPR Enforcement by Supervisory Authorities ... 252
  7.4 Judicial Remedies ... 253
    7.4.1 Judicial Action against the Controller or Processor ... 253
    7.4.2 Courts versus SA; Which is Better for GDPR Enforcement? ... 254
    7.4.3 Judicial Action against the Supervisory Authority ... 254
    7.4.4 Controller Suing the Data Subject? ... 256
    7.4.5 Suspending the Proceedings ... 257
  7.5 Alternate Dispute Resolution ... 258
    7.5.1 Is an ADR Arrangement Allowed under GDPR? ... 260
    7.5.2 ADR Arrangements ... 260
    7.5.3 Key Hurdles of Applying ADR to GDPR ... 261
    7.5.4 Suggestions for Implementing ADR Mechanisms ... 263
  7.6 Forum Selection Clauses ... 265
  7.7 Challenging the Existing Law ... 266
  Notes ... 267
8 Remedies ... 271
  8.1 Allocating Liability ... 271
    8.1.1 Controller Alone Liable ... 271
    8.1.2 Processor Alone Liable ... 272
    8.1.3 Joint and Several Liabilities ... 272
  8.2 Compensation ... 273
    8.2.1 Quantifying "Full Compensation" ... 273
    8.2.2 Conflict in the Scope of "Standing" in Court ... 274
  8.3 Administrative Fines ... 275
    8.3.1 Fines for Regulatory Infringements ... 275
    8.3.2 Fines for Grave Infringements ... 276
    8.3.3 Determining the Quantum of the Fine ... 276
  8.4 Processing Injunctions ... 279
    8.4.1 Domestic Law ... 279
    8.4.2 The EU Injunction Directive ... 280
    8.4.3 The SA's Power to Restrain Processing ... 281
  8.5 Specific Performance ... 283
  Notes ... 284
9 Governmental Use of Data ... 287
  9.1 Member State Legislations ... 287
  9.2 Processing in the "Public Interest" ... 291
    9.2.1 What is Public Interest? ... 291
    9.2.2 Public Interest as a "Legal Basis" for Processing ... 292
    9.2.3 State Use of "Special" Data ... 292
    9.2.4 Processing Relating to Criminal Record Data ... 294
  9.3 Public Interest and the Rights of a Data Subject ... 294
    9.3.1 Erasure and Restriction of Data Processing ... 294
    9.3.2 Data Portability ... 295
    9.3.3 Right to Object ... 296
    9.3.4 Right to Explanation ... 296
  9.4 Organizational Exemptions and Responsibilities ... 297
    9.4.1 Representatives for Controllers Not within the EU ... 297
    9.4.2 General Impact Assessments in Lieu of a Data Protection Impact Assessment (DPIA) ... 297
    9.4.3 Designation of a Data Protection Office (DPO) ... 298
    9.4.4 Monitoring of Approved Codes of Conduct ... 299
    9.4.5 Third-Country Transfers ... 299
  9.5 Public Documents and Data ... 301
    9.5.1 The Network and Information Systems Directive ... 301
    9.5.2 Telemedia Data Protection ... 302
    9.5.3 National Identification Numbers ... 303
  9.6 Archiving ... 304
  9.7 Handling Government Subpoenas ... 305
  9.8 Public Interest Restrictions on GDPR ... 305
  9.9 Processing and Freedom of Information and Expression ... 306
    9.9.1 Journalism and Expression under GDPR ... 306
    9.9.2 Combating "Fake News" in the Modern Age ... 307
  9.10 State Use of Encrypted Data ... 308
  9.11 Employee Data Protection ... 309
    9.11.1 The Opening Clause ... 310
    9.11.2 Employment Agreements ... 311
    9.11.3 The German Betriebsrat ... 312
    9.11.4 The French "Comité d'enterprise" ... 313
  Notes ... 314
10 Creating a GDPR Compliance Department ... 319
  10.1 Step 1: Establish a "Point Person" ... 319
  10.2 Step 2: Internal Data Audit ... 321
  10.3 Step 3: Budgeting ... 322
  10.4 Step 4: Levels of Compliance Needed ... 323
    10.4.1 Local Legal Standards ... 323
    10.4.2 Enhanced Legal Standards for International Data Transfers ... 324
    10.4.3 International Legal Standards ... 324
    10.4.4 Regulatory Standards ... 324
    10.4.5 Contractual Obligations ... 324
    10.4.6 Groups of Undertakings ... 325
  10.5 Step 5: Sizing Up the Compliance Department ... 325
  10.6 Step 6: Curating the Department to Your Needs ... 326
    10.6.1 "In-House" Employees ... 326
    10.6.2 External Industry Operators ... 326
    10.6.3 Combining the Resources ... 327
  10.7 Step 7: Bring Processor Partners into Compliance ... 327
  10.8 Step 8: Bring Affiliates into Compliance ... 328
  10.9 Step 9: The Security of Processing ... 328
  10.10 Step 10: Revamping Confidentiality Procedures ... 329
  10.11 Step 11: Record Keeping ... 329
  10.12 Step 12: Educate Employees on New Protocols ... 330
  10.13 Step 13: Privacy Policies and User Consent ... 331
  10.14 Step 14: Get Certified ... 331
  10.15 Step 15: Plan for the Worst Case Scenario ... 331
  10.16 Conclusion ... 332
  Notes ... 332
11 Facebook: A Perennial Abuser of Data Privacy ... 335
  11.1 Social Networking as an Explosive Global Phenomenon ... 335
  11.2 Facebook is Being Disparaged for Its Data Privacy Practices ... 335
  11.3 Facebook Has Consistently Been in Violation of GDPR Standards ... 336
  11.4 The Charges against Facebook ... 336
  11.5 What is Facebook? ... 337
  11.6 A Network within the Social Network ... 337
  11.7 No Shortage of "Code of Conduct" Policies ... 338
  11.8 Indisputable Ownership of Online Human Interaction ... 339
  11.9 Social Networking as a Mission ... 339
  11.10 Underlying Business Model ... 340
  11.11 The Apex of Sharing and Customizability ... 341
  11.12 Bundling of Privacy Policies ... 341
  11.13 Covering All Privacy Policy Bases ... 342
  11.14 Claims of Philanthropy ... 343
  11.15 Mechanisms for Personal Data Collection ... 344
  11.16 Advertising: The Big Revenue Kahuna ... 346
  11.17 And Then There is Direct Marketing ... 347
  11.18 Our Big (Advertiser) Brother ... 347
  11.19 A Method to Snooping on Our Clicks ... 348
  11.20 What Do We Control (or Think We Do)? ... 349
    11.20.1 Ads Based on Data from FB Partners ... 350
    11.20.2 Ads Based on Activity on FB That is Seen Elsewhere ... 350
    11.20.3 Ads That Include Your Social Actions ... 351
    11.20.4 "Hiding" Advertisements ... 351
  11.21 Even Our Notifications Can Produce Revenue ... 352
  11.22 Extent of Data Sharing ... 353
  11.23 Unlike Celebrities, We Endorse without Compensation ... 354
  11.24 Whatever Happened to Trust ... 355
  11.25 And to Security of How We Live ... 355
  11.26 Who is Responsible for Security of Our Life Data? ... 356
  11.27 And Then There Were More ... 359
  11.28 Who is Responsible for Content? ... 359
  11.29 Why Should Content Be Moderated? ... 360
  11.30 There are Community Standards ... 361
  11.31 Process for Content Moderation ... 369
    11.31.1 Identifying and Determining Content Removal Requests ... 369
  11.32 Prospective Content Moderation "Supreme Court" ... 370
  11.33 Working with Governmental Regimes ... 370
  11.34 "Live" Censorship ... 371
  11.35 Disinformation and "Fake" News ... 372
    11.35.1 "Disinformation" ... 372
    11.35.2 False News Policy ... 374
    11.35.3 Fixing the "Fake News" Problem ... 375
  11.36 Conclusion ... 380
  Notes ... 386
12 Facebook and GDPR ... 393
  12.1 The Lead Supervisory Authority ... 393
  12.2 Facebook nicht spricht Deutsch ... 393
  12.3 Where is the Beef? Fulfilling the Information Obligation ... 394
  12.4 Data Processing Purpose Limitation ... 395
  12.5 Legitimate Interests Commercial "Restraint" Needed ... 396
  12.6 Privacy by Design? ... 398
  12.7 Public Endorsement of Personalized Shopping ... 398
  12.8 Customizing Data Protection ... 399
  12.9 User Rights versus Facebook's Obligations ... 400
  12.10 A Digital Blueprint and a GDPR Loophole ... 401
  12.11 Investigations Ahead ... 402
  12.12 Future Projects ... 403
  Notes ... 404
13 The Future of Data Privacy ... 407
  13.1 Our Second Brain ... 407
  13.2 Utopian or Dystopian? ... 409
  13.3 Digital Empowerment: Leveling the Playing Field ... 410
  Notes ... 412
Appendix: Compendium of Data Breaches ... 413
About the Authors ... 467
Index ... 469
SANJAY SHARMA, PHD, is the founder and chairman of GreenPoint Global, a data privacy, risk advisory, education, and technology services firm headquartered in New York with over 350 employees and a global footprint. Sanjay is a 30-year veteran of the financial services industry and has held C-level positions in banking, technology, and risk management at firms including Royal Bank of Canada, Goldman Sachs, Merrill Lynch, Citigroup, Moody's, and Natixis. He teaches graduate courses at four universities in New York City, London, and Nice, France. He has extensive experience in data privacy and management of risk associated with large data frameworks. He holds a PhD in finance and international business from New York University and an MBA from the Wharton School of Business, and has undergraduate degrees in physics and marine engineering. He lives with his family in Rye, New York.