Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
Five Californians named to lead first US standalone privacy enforcer
18 March 2021 02:06 by Mike Swift, Amy Miller
The three women and two men picked today to lead the new California Privacy Protection Agency — the first stand-alone privacy enforcer in the US — received positive reviews for their diversity of experience but also a few raised eyebrows in that several haven’t held traditional data-protection roles.
Jennifer M. Urban, a law professor at the University of California-Berkeley who is co-director of the Berkeley Center for Law & Technology and who studies the intersection of technology and regulatory structures, was appointed by California Governor Gavin Newsom to be chair of the CPPA. The agency will join the US Federal Trade Commission as the lead privacy regulatory bodies in the US, but in some ways, the CPPA will have superior enforcement powers to the FTC once it's fully operational in 2023.
The other four members of the CPPA board named by Newsom and other senior California senior officials are: John Christopher Thompson, a former utility executive from Southern California who also was a chief of staff to US Senator Dianne Feinstein; Angela Sierra, who headed the Civil Rights Enforcement Section of the California attorney general’s office; Lydia de la Torre, a professor at Santa Clara University Law School and a recognized expert in international data protection issues; and Vinhcent Le, who works on consumer privacy and algorithmic bias issues for a San Francisco Bay Area non-profit.
Newsom, who also appointed Thompson, along with California Attorney General Xavier Becerra, who appointed Sierra, and legislative leaders said their goal in making the appointments is to stand up a new enforcer that will hold companies accountable for abuses such as excessive data-mining.
“Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal,” Newsom said in a written statement. “These appointees represent a new day in online consumer protection and business accountability.”
A candidate who interviewed for a seat on the CPPA board told MLex that Newsom staffers who interviewed candidates for the CPPA were looking not just for data-protection experts, but people willing to work with the state legislature and who have the organizational experience to build up a new agency from scratch. The new privacy agency was created as part of Proposition 24, the ballot initiative approved by California voters in November that passed the California Privacy Rights Act, updating California’s current privacy law, the California Consumer Privacy Rights Act.
Urban, 47, would appear to fit that profile of institution-building along with data-protection expertise. Jules Polonetsky, chief executive officer of the Future of Privacy Forum, noted that she has research experience with topics ranging from “Do Not Track” browser settings, mobile payments, and privacy concerns about utility “smart grids.”
“Jenn is certainly a wonderful choice as leader in that she’s a strong proponent of consumer privacy rights,” said Polonetsky, who first met Urban working on privacy issues around electric utility smart meters and the smart electrical grid. “She comes to it from a real grounding of academic scholarship, but with an eye toward pragmatic applications. She’s very much not an ivory-tower scholar.”
Urban's research at Berkeley has focused on information policy, including intellectual property, privacy and data protection, and security. Chris Hoofnagle, a Cal-Berkeley professor and research collaborator with Urban who wrote a history of the FTC, compared Urban to Janet Dempsey Steiger, chair of the FTC from 1989 to 1995 under Presidents George H.W. Bush and Bill Clinton.
“She is circumspect in all things, balanced, genuine, incorruptible,” Hoofnagle said. “I've always thought Jennifer would make an excellent judge. Perhaps most importantly for the CPPA, Jennifer cares about institutions.”
Not all of the new CPPA members are so deeply grounded in traditional consumer privacy issues, although de la Torre, a native of Spain who has been advising corporations and teaching students about California and European privacy laws such as the General Data Protection Regulation, certainly is.
“Few potential board candidates have the breadth and depth of expertise on the CCPA and CPRA as she has,” Eric Goldman, an associate dean at the Santa Clara law school, wrote in a letter he shared with MLex recommending de la Torre for the board job. “In addition, Lydia is a bona fide GDPR expert.”
Many lawyers claim to be GDPR experts, Goldman wrote, but “only a lawyer fully versed in European law — like Lydia — truly understands the GDPR. Thus, she has exceptionally rare expertise that will be helpful to the CPPA as it encounters many questions that are novel to California but more familiar to GDPR experts.”
In a Tweet today, de la Torre said she will resign from law firm Squire Patton Boggs, where she specializes in privacy, data protection, and cybersecurity, to focus on the CPPA.
Thompson, 49, does have regulatory experience, but working for the Southern California Edison electric utility, where for several years he oversaw regulatory and legal tasks related to the decommissioning of the San Onofre nuclear power plant. He also spent more than a decade working as a congressional staffer, providing him experience working with elected lawmakers.
For Sierra, it won’t be the first time launching a new California government entity. In 2016, Sierra was appointed by California's then-attorney general – now US Vice President – Kamala Harris to serve on the state’s new Racial and Identity Profiling Advisory Board. Sierra’s appointment, Harris said at the time, was based on her experience in police practices, voting rights, housing and employment discrimination, civil prosecution of hate crimes, and discriminatory and unlawful business practices.
“It’s notable, but quite appropriate, that the appointees aren’t simply top privacy scholars, but rather come from a range of backgrounds and a diversity of directions,” Polonetsky told MLex. “Privacy is no longer solely the province of those who worry about information being inadvertently disclosed. It’s about power; it’s about race; it’s about inclusion; it’s about equity; and these appointments reflect individuals who will bring a range of perspectives to the task.”
Le, designee of California Assembly Speaker Anthony Rendon, will bring his expertise on algorithmic bias to the CPRA board.
“I'm excited to bring a pro-consumer and race-equity lens to the important work of safeguarding the privacy of Californians,” he wrote on Twitter following the announcement. “Lets get to work!”
Since 2016, Le has been an attorney with the Greenlining Institute in Oakland, advocating for policies and regulations that prevent algorithmic bias and economic discrimination. He works on strategies to protect consumer privacy and prevent bias that can stall economic opportunity for vulnerable groups.
One notable name missing from the CPPA board was Alastair Mactaggart, the San Francisco Bay Area real estate developer who led the drive to pass both the CCPA in 2018 and the CPRA in 2020. Many privacy insiders speculated privately that Mactaggart, a controversial figure in the eyes of some, would get a seat on the CPPA or would control the appointments, and said they were surprised when he didn’t.
“I want to congratulate the new board of the California Privacy Protection Agency and look forward to working with them to uphold and strengthen privacy laws for all Californians,” Mactaggart said in a written statement. “The creation of this commission is the genesis of a real enforcement arm to help consumers protect their data.”
26 May 2023 14:59 by Sam ClarkWhen the EU’s General Data Protection Regulation came into force five years ago, some said it would usher in a new era of EU supremacy over Silicon Valley's tech giants, reining in their rampant data-driven power.
24 May 2023 15:39 by Mike SwiftSince the General Data Protection Regulation took effect five years ago this week, more than 40 countries have enacted national privacy laws, most of which drew liberally from the canonical text of the EU law.
23 May 2023 23:47 by Mike SwiftThe count of countries with data protection laws more than doubled to 162 over the past dozen years, a total that includes a wide majority of the world’s nations, with new research suggesting data protection rules are approaching ubiquity.