These are likely to pick up once the vaccines are rolled out. The panel will look at the future of privacy for the US now the Democrats have gained power of the Whitehouse, whether this will be a game-changer for Privacy and it will be pushed higher up the agenda.
The transcript has been edited for grammatical reasons
Andrew Menniss 1:15
Hi, good morning, good afternoon or good evening wherever you’re joining us on planet earth and welcome to PrivSec Global we’re into the last couple of hours of day one here we’ve been live for almost eight and a half hours with superlative content on data privacy, data security and data governance.
Before I hand over to the next panel, I just wanted to make you aware of that left hand menu on your screen. Click on it register your interest for a number of the new initiatives in 2021, including In Conversation With which is a monthly series of hour long conversations between our hosts and special guests from the world of privacy, security and financial crime with Nina Schick and Oliver Bullough. The series with Michael Rasmussen is a monthly 90 minute digital event that will identify and debate current and future critical risks and regulatory changes that can impact businesses.
So it gives me great pleasure now to introduce Joe Tidy, who is the Cybersecurity Correspondent for BBC News. And panellists speaking on US privacy the year for change over to you, Joe.
Joe Tidy 2:24
Thank you very much, Andrew. And thank you to everybody who’s watching from wherever you are in the world. This, as Andrew said, is a panel discussion 45 minutes long. And the topic is US Privacy, The Year of Change, lots of things to discuss about what’s happening with US privacy right now and in the future. And I am the perfect host for this because I don’t know very much about this topic. So we’re going to learn a lot from our panellists. There will be a 10 minute Q&A at the end. So we’ll probably talk amongst ourselves with questions that me and the panel group have decided upon, and then we’ll go to Q&A questions. So if you have anything you’d like to ask the panellists, please drop them in the questions in the comments box below the screen, and we’ll get to those as we go through towards the end.
So I wanted to read you the blurb for the discussion just in case you clicked on the wrong link and to make sure that you’re in the right place and give you a feel of what we’re going to be talking about. So this is the blurb footfall for this panel. The US privacy landscape is currently fragmented, with nearly half of the states planning to introduce new privacy laws in the first half of 2020, but having to postpone them due to Covid 19. These are likely to pick up once the vaccines are rolled out. This panel will look at the future of privacy for the US now the Democrats have gained power of the White House. Whether this will be a game changer for privacy, and whether or not it will be pushed higher up the agenda.
So let’s go and introduce you to the panel now we’ve got Jim Trilling who is speaking to us from Washington, DC. There he comes now. Hi, Jim. Jim works at the division of privacy and identity protection at the Federal Trade Commission. He is a senior attorney where he leads policy initiatives investigations litigation. From LA we’ve got Dominique Shelton Leipzig. Dominique is co chair, there she is, hello, she is co chair of Perkins Coie’s ad tech privacy and data management practice. She focuses on privacy, data strategy, and avoiding litigation which she knows a lot about, of course, because she was a litigator for 22 years. We’ve got Jeff Gary, who’s also in DC. He’s a policy director at, and there he is there, a policy director at Georgetown laws Institute of Technology, law and policy. He oversees the institute’s research agenda and advises state and federal officials on key emerging issues in Technology Policy, including privacy, content, moderation, and algorithmic decision making. And talking to us from Boston we have David Blaskowsky, who leads HeliosData, a personal data privacy technology vendor. David has held leadership roles relating to the management, commercialization and regulation and compliance of sensitive and personal data and business intelligence for 25 years.
So amongst us amongst you rather, we have got probably about over 100 years of experience, which isn’t bad, is it? So we’re going to go with the questions now we’ve got about sort of nine questions that I was hoping we could get to. And then we’ll have the q&a with the audience at the end. So we’ll start off straight away, Dominique this one’s for you, and we’ll pass it around once you’ve answered it. So there’s no doubt that change is coming to US privacy law. But when? Is this the year has, for example, President Biden said much about changing things on a federal level dominate? What do you think?
Dominique Shelton Leipzig 5:35
I think that there is going to be a tremendous focus on privacy at the federal level. We have so many state laws coming up, which I know we’re going to talk about later. There is one bill that just got recently introduced from a Senator Suzan DelBene from Washington State. I understand, unfortunately, that that bill is not really going to be moving forward because of other priorities that the federal government and Congress does have. I do think this is remaining as a priority for President Biden and Vice President Harris, however, especially as it relates to dealing with data transfers from the EU, and negotiations on a new Privacy Shield.
Joe Tidy 6:18
And what do you think, Jim?
Jim Trilling 6:21
I agree with everything that Dominique said, there certainly will be a lot of interest in Congress this year, as there has been in past years. And certainly the amount of activity in state legislatures, as well as continued work to implement the GDPR, and other international analogues all certainly will help keep a focus on privacy and security issues at the federal level in the US. And also I need to just state, briefly that my views today are my own and don’t necessarily represent the views of the Federal Trade Commission or any of the individual commissioners.
Joe Tidy 7:14
And Jeff, and David, are you in agreement there? Do you think that that Dominique and Jim are right, in their reading of the situation in terms of in terms of the politics? Jeff, you want to jump in?
Jeff Gary 7:29
Yeah. You know, I think that’s right. And I think in addition to that, one thing we’ll see and especially with unified democratic control of government right now is a focus on other areas of privacy outside of consumer privacy, specifically, and places like employment and labour policing, and government access at the border into other issues like that. So I think there’s a wide swath of areas where privacy is likely to be a big player.
Joe Tidy 7:56
And a big question. Oh, sorry. David, do you have something to add?
David Blaskowsky 7:59
Yeah, my apologies for that. I mean, I have a slightly slightly different opinion, I do think that this, this is the year where the issues really need to be raised and where consensus needs to be developed along the whole host of issues that aren’t completely clear, opt out, versus opt in private rights of action, pre-emption, all kinds of things that really need to be worked out. And also, to gain insight from the business community, when it comes to a number of different issues. I think there’s a lot of things that need to be discussed, and the laboratories around the world, the GDPR, and its progeny, as well as the couple of examples in the US need to really be understood and studied by regulators, by advocates, and by other interested parties.
Joe Tidy 8:37
And you mentioned GDPR there and I was going to come on to that. The question that I have is sort of why now and is the now because of GDPR? Have we got GDPR to thank for this interest in data privacy in the US? What do you think, David?
David Blaskowsky 8:52
I think GDPR did indeed stir the pot. But on top of Cambridge Analytica and the parade of breaches that we’ve been used to here, it raised the issue, it’s motivated us advocates and of course, by its extraterritorial reach, which we Americans are accustomed to being on the receiving end of, you know, it’s really gained the attention of business. I mean, in our experience, I mean, companies come to HeliosData to bring their data into privacy, governance and compliance and these are technology for control. But they need to view GDPR as not necessarily a success, yet. It’s a fact. And understanding how it becomes a success and how we, with the ability to, you know, hindsight to look back on other rules, and to relate it to our system, how we make it more successful, and also connected to the fact that we’ve got 56 jurisdictions internally, as well as a world of other countries that we need to and I’ll bring in this more European word to harmonise with so that it actually becomes possible to be able to get all of this done successfully.
Joe Tidy 9:56
Dominique, do you think that the US view of GDPR is that of success?
Dominique Shelton Leipzig 10:02
I think that, you know, it’s interesting. I think that there is a lot of communication between us as well as the EU and an effort to kind of gather lessons learned. I know from communications that I’ve had with the California Attorney General’s office that there were communications between our former California AG, who’s now the Secretary of Health and Human Services Attorney General, with data protection authorities in the EU. And I would say that American officials are very cognizant of some of the consumer criticism that Max Schrems and others have sort of levied against data protection authorities in the EU as not being strong enough in terms of enforcing the GDPR. And at least in California, there is an effort to learn from those lessons, and perhaps have greater enforcement or be seen to have greater enforcement from the outset to be able to sort of calm the consumer groups concerns.
Joe Tidy 11:13
Jim, what do you think of the GDPR? From your perspective, how are you? How are you sort of viewing, viewing its progress so far?
Jim Trilling 11:20
Well, it’s definitely something that federal policymakers and those of us at the FTC where we have more of an enforcement mission than what I would call a regulatory mission, we’re more focused on enforcing the legal authorities that Congress has provided us than, for example, making rules. So the way that we approach these issues we have the Federal Trade Commission Act itself, which gives us the ability to take action against companies that engage in deceptive practices, so misrepresenting their privacy practices, or what are called unfair practices, which are those that cause or likely to cause substantial injury to consumers that consumers can’t reasonably avoid. And that aren’t outweighed by benefits to competition or to consumers, as well as we have some authorities that apply to certain types of data, such as data collected from children under what’s called the children’s online privacy protection act.
Data having to do with eligibility decisions and credit worthiness under the Fair Credit Reporting Act. We in thinking about how to use the tools that we have, and in providing technical advice to Congress, as Congress considers legislation, certainly look at developments under the GDPR and other international analogues. We had a series of hearings in 2018 and 2019 on consumer protection and competition in the 21st century, and we had entire sessions devoted to, you know, early implementation of GDPR, for example, to study things such as what is the effect on the online advertising market, are consumers still able to have access to services as some in the business community and other stakeholders expressed concerns about the ability to monetize content, for example. On notice issues are the types of notices that GDPR calls for effective or are consumers resolving some of the asymmetries in terms of information they have about what data it is collected about them and how it’s used.
Joe Tidy 14:07
And, Jeff, we’ve got some good, good reasons there why now this year is a good time to address privacy in the US. But just playing devil’s advocate, reason why it could be a bad time is because there are so many companies who are struggling because of the pandemic, and will this add extra burden to them to try and get their head around new laws? Or do you think it’s just something that we have to press on with?
Jeff Gary 14:31
Well, you know, I think a lot of privacy laws certainly do not come into effect immediately. Right. And you see this with CCPA, GDPR. And I don’t think anyone is expecting that, you know, on April 1st, a jurisdiction will pass a law on April 2nd, full compliance is required. Right. So I’m not sure that I see that as a barrier. And I think in a lot of ways, actually the pandemic and and some of the accommodations we’ve all had to make for that have shown why some of these laws are especially needed, right and you know.
For instance, my friend and colleague, Julie Cowen at Georgetown sort of makes the analogy to tort law where if you know, you sit down in a chair, you are pretty sure your chair is not going to break. And it’s not because you trust the chair or you trust the chair manufacturer, right? It’s because there’s a legal structure of tort law and manufacturer liability, that, that puts in place obligations and requirements before it gets to the consumer that that product will be safe, that it will work well, that the consumer will be able to rely upon it. And especially now that we’re using Zoom, you know, Streamyard, all these different products every day all day that children are using them for increased amounts of time, that they’re being used for increased amounts of capabilities, health, telemedicine, employment education, I think it’s really time to think about what these products are, what these products are doing, and what it means that we’re interacting with them for so many for so much time.
Joe Tidy 15:02
Do you think that the current system, then, in some ways broken then Jeff, do you think we are you know, long overdue?
Jeff Gary 16:11
You know, I think we are overdue. And I think and this is maybe getting ahead of our queue a little bit in questions. But I think that the past couple years have really shown that there’s a pretty strong mismatch between what companies have been doing and what consumers as well as regulators and enforcers are sort of thinking about in terms of what the companies are doing. And we’ve really had a lot of that divergence out in the open in the past couple of years. And that’s been fodder for a lot of really interesting and meaningful conversations, both in terms of what companies ought to be doing under the current frameworks, but also what frameworks ought to be in place to establish, you know, strong normative privacy protections and rights. And ultimately, these are questions about how we structure interactions in society and I think that they’re very important questions to get right or at least to be thinking about carefully.
Joe Tidy 17:01
David, do you think there’s an urgency right now to to fix things?
David Blaskowsky 17:05
So having also been a rule writer at the SEC for six years in a treasury, I mean, I feel pretty, pretty confident that our institutions, the economists, the rule writers, the lawyers, are all that strong enough to walk and chew gum at the same time, right? That there’s enough attention that can be paid to, to not just writing something as a copycat, but also to doing the analysis, doing the homework to understanding what’s worked, and what hasn’t, what’s compatible with our system and what’s not, you know, some things may be a bigger lift, when are we going to go down a consumer approach, or we’re going to go down a rights approach.
I mean, all of these require considerable thought and consultation with many different communities, the ad tech community, for example, in the marketing tech community, as well as with the human rights community, I think that’s one of the big lessons that can be taken from the pandemic that we’re through is you can lock down, you can also choose not to lock down either approach on the extreme doesn’t really work really well, something gets destroyed either people or businesses, they aren’t and some jurisdictions have been more successful at it than others none perfectly, is how do you make it actually work. And I have confidence that Jim and his colleagues and also with the other agencies involved in privacy, the financial and the health agencies, and well can all get that job done, hopefully, with coordination and collaboration in search of that that word that I think is so important for both business and people, which is harmonisation.
Joe Tidy 18:31
Yeah, that word keeps coming up. And I suppose that’s one of the things that people come back to with US privacy law is how disjointed it is, in a sense, because different different rules are applying in different areas. Dominique, can you give us a sort of a state of play if you if you wouldn’t mind? What what what the situation is? Because I understand that California is way ahead of other states, is that right?
Dominique Shelton Leipzig 18:54
That’s right. So I’m speaking to Joe from Los Angeles and California, like in so many other consumer protection, ways is as sort of taking them a step out in front of the country. And so we do have, in the US, one comprehensive privacy and data security law, which is already in effect, which is the California Consumer Privacy Act. We just voted on November 3, just not even 18 months after CCPA went into effect. We voted on an update, which is the California Consumer Privacy Rights Act, CPRA, and that will go into effect in January 2023. Just earlier this month, the Virginia Governor signed into law the Virginia Data Consumer Protection Act, the CDPA.
And so we’re going to see, I just read in today’s dashboard that we have Oklahoma, that’s moving very quickly with a lie understand Minnesota might be next in line. And there’s they’re just I think we’re gonna see it like popcorn, just new laws cropping up all across the country. And in large part that’s because the federal government has not stepped in. These laws are designed to really give consumers fresh rights to have more transparency, as Jeff said, but I think we also are going to be engaging in a very interesting dialogue over the next couple of years, which is, how much is the responsibility of the platform? And how much of the risk is the responsibility of the actual users of the platform? And I’m thinking of, you know, platforms like this one, or zoom or otherwise, I know, Georgetown had a recent big scandal where some professors were talking about grading students in as socially biassed way that yes, it was caught on zoom, and was that conversation private? Sure. But, but the point is, you know, are certain are certain of these tools, allowing some transparency and other unintended ways like social justice. And so with that, I’ll turn it back to you.
Joe Tidy 21:11
Yeah, I suppose that’s a really good point. Actually, we’ve got another whole reason there. Why now is the time for these these laws, because we’re all starting to use even more technology in the workplace that we didn’t have before. Jim, can you give us a timeline when you think we will see major change? Because the key question of this panel is, will this be the year of change? So get your crystal ball out, what do you think will be the state of play? Will it be very different to what Dominique just described by the end of the year?
Jim Trilling 21:42
I think that it’s very likely that a lot of what you’re going to continue to see and in 2021 is additional bills, or were, perhaps, debate in congressional committees on some of the bills. You’re going to continue to see those advanced in state legislators, some states may enact new laws. And while harmonisation is important, I also think that at the federal level, what you’re going to certainly see a focus on is as the states continue to be laboratories that the baseline for what realistically can get through Congress is going to go up. That debate has certainly changed over the past few years, there are different views, both because of what’s happened in state legislatures, what’s happening internationally, what’s been happening in courts, there’s a wider recognition of what types of harms consumers can suffer based on data collection and use practices.
And so I think that’s going to up the ante in terms of what a federal bill would have to include in order to pass and as I’m sure we’ll talk about in a few moments, some of the major hurdles to enactment of a federal bill previously are, you know, still there to be contended with in terms of pre-emption. What do you do with all the state laws, private rights of action, some of the state laws, including Virginia that Dominique mentioned, have rights for the company to cure in order to avoid at least some sort of actions or some sort of some of the types of damages that might occur for violation. So there are tricky issues still to be worked out. But I do think that the the debate and the baseline expectation for what a federal bill would have to include will continue to evolve in a pro consumer manner.
Joe Tidy 24:07
We’ve got about 10 more minutes of this, this open discussion, and we’ll go to the q&a. Thank you very much to the people who’ve already sent in some brilliant questions there. So I think we might come to the questions a bit a bit sooner, but wanted to move on slightly if we can. Jeff, we spoke a little bit in our preparation for this. And I know that we had a discussion about it. What do you think in terms of the general public and consumers view on privacy? Do you think that data issues like David mentioned, I think it was David, the Cambridge Analytical scandal, the constant data breaches and hacks that we’re seeing some of these mass hacks like solar winds and Microsoft Exchange servers, do you think there is a there is more of a awareness of privacy as an issue and you think because of that, these things are going to move faster in the US now?
Jeff Gary 24:53
You know, I think there are some competing interests here. Right. And we I think someone had mentioned earlier that there’s a common conversation to be had here as well of how much responsibility goes to a platform versus to the users of the platform. And I think that that comes into this conversation as well. Right. And it’s both, you know, I do think that consumers now are much more aware, much more sophisticated about what types of data are being used by companies and the breadth of that, as well as just the scale and magnitude of the amounts of data. They’re giving up on a regular basis. And I think we’re really seeing an awareness of consumers that it’s not necessarily just the parties that they’re interacting with.
It’s not just the Facebook’s and the Googles, it’s, it’s the third parties and the aggregators, and all the parts of the ecosystem behind the scenes, and I think that’s become a pretty that’s really been a place where consumer awareness has increased in the past couple years, especially with Cambridge Analytica, which, of course, no one had ever heard about and you know, it’s people didn’t interact with it, and Facebook gave friends data, and you know, all of that that happened.
I think the flip side of that, though, is that consumers often don’t really have a lot of choice, right. It’s not that a lot of the debate that we’ve been kicking around in terms of opt in opt out or anything like that, it’s is sort of obfuscated by the idea that, you know, if you’re not going to go to Facebook, where are you going to go and be on Twitter? And I think there’s a really interesting example, right after Donald Trump got kicked off Twitter, a bunch of his followers decided they were going to leave Twitter as well and they tried to start their own social media platform, and it went terribly and so these companies want to say that, well, you can, you can move around, you know, you’re not stuck with us, but really in meaningful ways, the platforms do have an immense amount of leverage, both legally and in sort of soft social power in this space that makes it hard for consumers, even if they know kind of what’s happening to do anything about it, or to sort of change the practices in meaningful ways.
Joe Tidy 26:53
I think that’s a really good point. And if I, I always think about the great Twitter hack that happened last summer, you know, the social engineering attack, that was probably the biggest hack on a social network that we’ve ever seen. The likes of Elon Musk’s Musk’s account, Bill Gates, they’re all hacked. And they all did this Bitcoin scam. It was a huge, huge data security problem. But no one stopped using Twitter. You know, it’s one of these things where in my job, as a reporter, you know, you’re trying to tell people how serious these things are. But in the end, the consumer doesn’t have much choice, as you say, and things carry on as they are, David, but I wonder for you, are you getting phone calls and emails from people in the last sort of six months or a year that are saying, right, I need help. I’m now starting to take this seriously.
David Blaskowsky 27:42
Yeah, so there are two issues in there. One is in terms of companies, yeah, I think companies have gotten the message, they may like it, or they may not like it. But I think the question is moved to what are the strategies that you adopt? What are the technologies that are available in order to understand the data, you’ve got to bring it under compliance, to map it to processes and the other legal tech sides, as well as if you’re going to share the data or use it internally for intelligence purposes, which could count as sharing also strategic planning, marketing? Or if you’re going to engage in AD tech or marketing tech, you know, other things? What are the rules that we need to play by?
And I think the realisation is there we are getting calls. That’s our business. And our core business is being able to help folks share data using confidential compute technology successfully. People want that they don’t want to have their names in the news, because of the next breach. I do think, though, that in all of this, there is also a great waiting for the regulatory community to be able to also come up with some creative and useful answers that won’t necessarily maximise one side or the other, but provide a durable regime for enabling productive use of personal data, while ensuring that any personal data that’s used is consented. It’s ethical, and it’s compliant.
Joe Tidy 28:58
Over to you, then, Jim, that’s your challenge, I suppose. Is that all doable?
Jim Trilling 29:04
Well. It is there. There are certainly a lot of important principles underlying what David said. And, you know, in terms of whether it’s doable, one issue that is of importance to the FTC with respect to legislation, and especially if Congress does enact new, substantive protections or give the FTC or rulemaking authority, for example, is we need resources. And one of the interesting things that people commented on in some of our recent public fora on you know, the possibility of new privacy legislation is many of the the data protection authorities in Europe are close to the size of the entire federal trade commission, where our mandate isn’t just to deal with data or data privacy and data security, but to deal with any type of unfair or deceptive act or practice, and with competition issues across all sectors of the economy.
The group I work in, that is the primary FTC group for work on privacy and data security issues is about 40 people for all of the enforcement and policy work across the economy. So in addition to thinking about what rights should exist, yeah, we hope Congress will, you know, consider giving continuing to get the agency additional resources as well.
Joe Tidy 31:06
So the rules and laws aside, Dominique, we talked a bit about the culture around privacy. Do you think that before, you know, we talk about the new regulations and things there could be more work to be done to improve the the culture of how the C suite view privacy issues?
Dominique Shelton Leipzig 31:25
Yes, this is so important, and they’re going to be both legal imperatives to do so. But I think more beyond what just the exposures are in the US because of course, we have shareholder derivative actions. And we’re seeing more and more CEOs named specifically in those shareholder derivative actions as well as board members. So there’s liability there, coming from privacy and data security and statements that companies have made in their 10 Ks or 10 Q’s in their public filings about their state of their GDPR readiness, or their ccpa readiness or, you know, soon other privacy laws. So beyond that, though, there is a real need for responsible data management.
This is becoming, as you guys alluded to, 9 out of 10 Americans, there was a recent study done in August 9 out of 10 americans believe that privacy is a fundamental human right. That’s not something we used to see before that is something we thought of for Europe and in other jurisdictions, but that’s the case now. And so there’s going to be a lot for David’s group to do and a lot for the students to study at Georgetown, which is my alma mater for law school. And you know, a lot for, for Jim to focus on. But this is this is something that if the C suite, and boards want to be responsive to their customers, this discussion, whether they are B2B companies, business to business or business to consumer has to be had at the C suite level. And so I think we’re starting to see more and more discussion happening there and on privacy in particular. And I’m really happy to see that.
Joe Tidy 33:08
And before we move on to the questions, anything else, anyone wants to add to that, that point about culture and privacy?
David Blaskowsky 33:15
I might add one point, if I may, that one of the things that’s coming down from the C suite, as well, is the emphasis on data, right, not just the fastest computer or the fastest software, but the missing part of that trio, which is the data and the need to introduce, let’s get it out there data governance, to have rigorous understanding of it, whether it’s for business purposes, or for or for compliance purposes. And that’s created, you know, basically, in the past 10, maybe 15 years a new profession, but you have to understand your data, you have to keep track of it, you have to understand it through its entire lifecycle in order to make any of these things work. And that’s hard. That’s hard to do. But it’s important to do.
Jeff Gary 33:53
Yeah, and I just flagged something on the extreme other end, right. And I think that everything that has been said is right, that just the culture of approaching products and product design and and business practices has changed immensely. And on the regulatory side, you know, what compliance looks like has changed, but also something we’ve touched less on is enforcement. And for instance, I work a lot with state attorneys general in this space. And you know, they often come to us with a question that looks a lot like, you know, we’re suing this big tech company. And we’re not the FTC. So we’re not going to get $5 billion out of them, like the FTC did with Facebook. And we think that even if we did, that wouldn’t mean anything, right? That that wouldn’t change what they’re doing that that wouldn’t help us get what we want for our consumers. And so what should we even ask for? Like, let’s say we win? What should we even be asking for in this in this case, right. And so just from, you know, from product conception all the way to enforcement at the other end, and in terms of remedies, I think people are really challenging expected notions of what’s happening in this space.
Dominique Shelton Leipzig 34:57
Yeah, I think that the ability of the C suite and boards to set the tone about responsible data management. And actually, this involves informing themselves a little bit more about how their reliance on data, how data is being collected, used and shared in the company, it’s an important discussion to have, and to make sure that the data collection actually aligns with mission. And there’s also responsibility on behalf of the users. And I want to just, you know, point out what we’ve seen with video cam and the collision between privacy and and what we’re seeing in the States, with the social justice movement going on all across the country. And, you know, sometimes these videos and body cams have been the basis for information that we wouldn’t ordinarily see behaviour that is exposed and transparent because those tapes are visible. And and so I think there’s a lot that we’re gonna have to have a dialogue that involves consumers, business, as well as regulatory and legislative to really tackle all of the issues that privacy cuts across in our society right now.
Joe Tidy 36:09
A busy couple of years ahead. Let’s go to the questions then. So I will raffle through them. We’ve got one we got, we got just under 10 minutes, and we have 12 questions. Right. Okay. So question one. And I think the maybe the best way of doing this will be if you, sound a bit school like but if you wouldn’t mind raising your hand, and I’ll then know who to throw the question to. So first one is what lessons can the US take from the implementation of GDPR in Europe? And how can these lessons be applied in the US?
And I want to jump in on that. Yeah, go on, Dominique.
Dominique Shelton Leipzig 36:45
Yeah. So I think the lessons learned are, number one to ensure that there is a good back and forth between business, the consumer groups and the data protection authorities. I think the the EU, their data protection authorities, did a very good job of communicating what was expected for GDPR compliance in the form of guidance, but also in responding to individual questions that were posed by consumers and businesses. I’m hoping that in California with our new Data Protection Authority that is devoted purely to privacy first in the country, which will be the California privacy rights agency board, I’m hoping that they will adopt that in their culture. The other thing that we need to keep in mind is for the laws to be taken seriously, there has to be enforcement. And I do think that we will see that in the states in their state approaches. And certainly in California, I know, that was that has been the tone with enforcement activity happening on day one on July 1 when that could occur. And I do think that’s an important component.
Joe Tidy 37:56
We’ve definitely seen that in Europe with the GDPR. Some of the fines being handed out have been well, I watering. David, did you want to add something there?
David Blaskowsky 38:04
Yeah, if I can add to that sort of built on what Dominique was saying, I mean, what GDPR in many ways, maximises the rights. And that’s a very good thing. However, we also see some buyer’s remorse in the European regulator community, because the effort to build a data industry, right to be able to compete successfully against US big tech has faltered because many things are difficult to do, in fact, or impossible to do. We see projects out of the Commission, such as the trust project, which is trying to build data markets where there had been before, and we see new regulations on data governance and privacy that are being prepared as we speak, and will probably come to life. I think we can avoid much of that by understanding these lessons, carrying out the consultations and we have, you know, and looking to Jim, we have very good provisions and you know, the APA and other laws to be able to gather the information that’s needed to try and get it right, even if it takes a year or two at the process.
Joe Tidy 39:01
And question two, then in the financial services industry, the business might be located in one state with customers in multiple states, if not all of them. Is there any guidance on which regulations or laws should take priority over others?
Anyone want to jump in? Dominique?
Dominique Shelton Leipzig 39:20
Yeah, I would just say the Gramm–Leach–Bliley Act preamps any laws that are less stringent than GLBA. But that allows for states like California, which has a more stringent Financial Information Privacy Act to co exist. And those rights do follow the individual In addition, with the ccpa, which has extraterritorial effect, for things that are not covered by GLBA or FCRA, where there are exemptions in the CCPA
They’re like cookie data and marketing data. The CCPA rights do follow the California individual wherever they are, so they might be travelling in New York but would able to assert claims, and indeed, there are some law suits that are under the CCPA pending right now in other states in Florida as one right, at the moment.
Joe Tidy 40:00
And to what extent should a federal bill be based on the CPPA, what should the areas of divergence be? What do you think Jeff?
Jeff Gary 40:21
Yeah, I think one place where the CCPA is very strong is recognising that the conversation of opt in, opt out is not necessarily the end of consumer protection. And that for instance defaults are sticky, that consumers often don’t change them and even if you have a opt in protection, what happened after declining that opt-in matters. For instance, California has allowed for there to be a default signal on your browser that says opt me out of everything ad they’ve not instituted with the CPRA a provision that says basically if you’re going to give it a one-step opt in, you have to give it a one-step opt out. You can’t bury it under provisions, and you have to make it easy and make these choices symmetrical.
So I think that’s a much more nuanced conversation than what’s been happening at the federal level in terms of the opt in opt out and what the step means and I think that can be followed.
Joe Tidy: 41:22
And question 4 then, do you anticipate significant changes in the HIPAA privacy rules this year? There are so many acronyms aren’t there? Anyone know anything about that one?
Dominique Shelton Leipzig 41:36
It’s hard to say. I think we’re really going to have to see what sectors health and human services Xavier Becerra prioritises, I know he’s really focused on covid and the use of the covid data and making sure that that’s used for expected purposes but whether that’ll turn into regulations that change or modify what’s already in HIPAA that will depend I know that there’s a new text messaging rule that’s out. I don’t expect huge changes in the law right now but I do expect to see a lot of enforcement more so than ever across the country as it relates to heath data and that collision of health technology and society.
Joe Tidy 42:22
And here’s a question, out of ten, how likely does the panel think it is that the US will ultimately adopt a federal privacy bill. So out of ten, I’m going to go round, just give me your out of ten figure?
Jim Trilling 42:36
Well ultimately is a long time so for ultimately, I’ll say 9 and a half.
Joe Tidy 42:42
Let’s say in the next two years?
Jim Trilling 42:46
In the next two years my personal opinion is that it would be lower on the scale more in the middle of the scale.
Joe Tidy 42:57
So six, five or six then. Dominique?
Dominique Shelton Leipzig 43:00
I think eventually yes were going to get there I’m hoping that it comes into being by 2023, I think a viable law will be there by 20202 were not going to be abl to go less than the California law we have to many California people in the congress right now and they just cannot vote for something that’s totally pre-empted, so California is kind of the floor. But I think well see something viable come up in 2022, for implementation in 2023.
Joe Tidy 43:31
You’ve both dodged giving me a number here, out of 10 jeff?
Jeff Gary 43:40
I’m less bullish I think, I think nothing’s going to happen in 2022 because it will be midterms and that throws everything up in the air in terms of how congress works. And I think that there are some substantial philosophical disagreements on what otherwise looks like minor technical provisions so in this congress I think I would give it a 3 out of 10.
Joe Tidy 43:58
David Blaskowsky 44:00
I’m going to be a bit more optimistic, especially if more state level rigs are passed and there’s more pressure from the EU in the wake of the privacy shield not being kept. I think it will be by part as in here in cry for someway of being able to harmonise, again that word, to harmonise regulations, it wont be this year, 22 hopefully, I accept the political challenges, if not then, hopefully 23. But data is a huge, well the rights advocates have important issues of course, I feel that way personally, but the business community from the Chamber of Commerce on down also have a need to some kind of predictability and reliable framework for carrying out business and that will pressure things.
Joe Tidy 44:44
Ok right, we have one minute. Let’s try one more question. Will a Federal privacy data law pre-empt other laws like HIPPA and COPPA or is it more likely to be focused on consumer privacy like the state laws? Can anyone give us a very quick answer on that?
Is that Jim? Go for it.
James Trilling 45:08
That’s another one that all I’m going to have to say is tough answer but experience in congress in the past has showed that when it comes to existing sector specific privacy or security laws its tough effort to try to pre-empt what is already on the books.
Joe Tidy 45:32
Great okay well we have done okay I could’ve come to the questions sooner, that is my fault, sorry if we haven’t got through your questions but thank you very much for sending them in and thank you so much to the panel, Jim Trilling, Dominique Shelton Leipzig, David Blaskowsky and Jeff Gary. Thanks so much for your time and for your expertise, and thank you for watching.