Information Privacy Summer Courses

Global Privacy Law:

2 credits/ 12 CLEs (May 26 - 29, 2020)
Professor Gabe Maldoff


Course description:
Personal data has become the raw material for business models in industries ranging from online advertising, social networking, cloud computing, health and financial services. Governments, too, rely on personal data for purposes such as national security and law enforcement, urban planning and traffic control, public health and education. Emerging technologies greatly enhance data collection, storage and analysis. In this context, privacy laws strain to continue to protect individual rights. This course will place privacy within a social and legal context and will investigate the complex mesh of legal structures and institutions that govern privacy at state, national and international levels. Students will be taught how to critically analyze privacy problems and make observations about sources of law and their interpretation, with an emphasis on the global nature of data. Students will be provided with the technological details needed to explore information security and management issues in domestic and international contexts. The final grade will be based on class participation, attendance and an exam. 

Privacy & Data Security from the Consumer's
Point of View

1 credit/ 6 CLEs (June 1-2, 2020)
Professor Ryan Kriger


Course description:
The only federal privacy or data security “regulation” that applies to all businesses regardless of industry is Section 5 of the FTC Act, which prohibits “unfair and deceptive acts and practices.”  Every state also has some form of “Little FTC Act” which operates in parallel to the FTC and is usually enforced by the State Attorney General. Together these are called UDAP laws. But what does unfairness and deception mean when applied to privacy and data security? That’s the question. There is very little caselaw to provide answers. In the absence of guidance from the courts, the FTC and AG’s have developed a “common law of settlements” in which each settlement with a company for violating UDAP law gives guidance to businesses as to what is within and outside of bounds for privacy and data security.

Healthcare Privacy & Security

1 credit/ 6 CLEs (June 3-4, 2020)
Professor Kirk Nahra


Course description:
One of the most heavily regulated areas of information privacy law is in the health care industry, where privacy and data security issues are of paramount importance. This course explores the key data privacy and security issues facing health care enterprises and their vendors (and the broad variety of other entities that use and disclose health care information), including compliance with HIPAA and a broad variety of other state and federal privacy and data security laws applicable to healthcare data and the healthcare industry. We will discuss how health care privacy and data security law is evolving, what the key policy issues are for this debate and will provide practical advice on evaluating and applying law, regulations and best practices to the creation, use and disclosure of health care data.

Privacy & Security Implications of Data Sharing

2 credits/ 12 CLEs (June 8,9,11,12, 2020)
Professor Rita Heimes


Course Description:
Privacy lawyers – whether in-house or outside counsel – commonly draft, review and negotiate business-to-business contracts where personal data will be transferred, including across national borders. These agreements are heavily influenced by changes in privacy laws, including the European Union’s General Data Protection Regulation, the California Consumer Privacy Act, and a variety of U.S. state laws that highlight the importance of protecting the consumer’s data along the supply chain. They are not new – HIPAA influenced the creation of relatively standardized Business Associate Agreements long ago – but the variety of new comprehensive privacy laws has heightened the risk of vendor agreements and increased the workload on attorneys. Indeed, privacy counsel is often involved at the vendor selection phase, well before the contract is negotiated, to help characterize the vendor (processor, co-controller, service provider, third party) as well as to help assess its trustworthiness as a recipient of personal information. This course will cover the cases and statutes that highlight the risks associated with data transfers to vendors, provide opportunities for students to create and deploy vendor vetting tools, and dive into the details of contracts between typical parties to transactions involving personal information. It will leave students with a solid understanding of the roles the parties play and the importance of terminology in characterizing these roles, as well as a tool kit for negotiating vendor agreements (including cross-border data transfer issues) globally.

right body border
© Copyright 2017 Center for Law and Innovation | 246 Deering Avenue, Portland, ME 04102