Meet the expert: Yugo Nagashima to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Yugo Nagashima is a partner at Frost Brown Todd LLP. Yugo works with American and Asian companies in the IP arena, his practice focusing on intellectual property infringement litigation in the high-tech and manufacturing technology industry.

Yugo has litigated before the US International Trade Commission and Federal District Courts. He is also experienced with assisting and advising Japanese companies and foreign-owned subsidiaries in the U.S. with various legal needs. 

Yugo Nagashima appears exclusively at PrivSec Global to discuss the evolution of US Data Privacy laws. Below, Yugo elaborates on his career to date and introduces some of the key themes of his  PrivSec Global panel session.

Could you outline your professional journey so far?

I began my career as an intellectual property litigator about 13 years ago. At that time, if you wanted to do technology law, most people recommended pursuing a career in intellectual property, especially patent law. So, that was the field that I originally focused on until around 2018. 

In 2018, the General Data Protection Regulation (GDPR) became a very hot topic, and I found it very interesting that it discussed data flows, the protection of data, and how it affects individuals. It is quite different from patent law because patents are more about protecting inventions, and protecting someone’s property, hence the property element of intellectual property. But data protection was a little more about regulatory compliance, and I just found a very strong affinity with it and a great interest in it.

Given that I always wanted to work with technology, and with my computer science background, I saw data privacy as the perfect pivot to working with technology transactions.

Around 2018, I began to study for the IAPP/E exam. As I studied the topic more, I became increasingly interested in it, and wanted to become a privacy expert. But, I was nearly a decade into my career as an attorney which made it hard to pivot and change the focus of my practice. I was very fortunate that I had the opportunity to join Frost Brown Todd and focus my practice on data privacy and security.

My career as a data privacy attorney has been great. I worked with a mentor who knew privacy law and the area really well. I have now taken over as one of the subteam leaders for data privacy, focusing my expertise on international data transfer and U.S. privacy laws.

To what extent has the GDPR been a shining light for legislative frameworks in the US to follow?

GDPR has had an influence on most U.S. state privacy laws but there is a distinct difference on how GDPR influences the U.S. state laws compared to how it influences other laws in around the world. U.S. state privacy laws follow the opt-out model for general personal information. 

This means that data controllers are required to inform the consumers about the processing of data but does not have to obtain consent upfront, so long as the consumer can opt-out from the processing later. This is different from the GDPR model which requires consent before personal data collection.

For sensitive personal information, certain U.S. state privacy laws follow the GDPR model. For example, Virginia’s Consumer Data Protection Act and Colorado Privacy Act require consumers to consent before collecting sensitive personal information.

In terms of certain procedures, like consumer requests, GDPR has been a guide. There are certain requirements for processors must abide by, such as cooperating with the controller to respond to data subject requires. 

Will we one day see a national data protection regulation across the US?

We will definitely see federal data protection law. That said, no one really knows how long it’s going to take for Congress to pass such a law. In the U.S., politics drives whether legislations pass or not. As those who follow international news will realise, U.S. politics right now, especially in the House of Representatives, is dealing with other issues facing the United States.

There is no doubt that privacy law has bipartisan support, and both political parties want a federal privacy legislation to pass. However, due to minor differences, like the private right of action, the two parties have not agreed. I am confident that if enough time and attention are given, Congress will pass national legislation. As to when? It is very hard to guess, given the political climate we have today.

How is consumer trust being impacted by the evolution of data protection regulations in the US?

The latest media coverage informs us that consumers still do not trust a lot of private entities, especially social media websites, collecting and processing their personal information.

As new state privacy laws come into play and companies begin to comply with the laws, I believe consumers will experience and feel that their data is protected. But we’re only in the starting stages. So, presently, we only have about five states that have privacy laws in effect: California, Colorado, Connecticut, Virginia, and Utah.

So, not everyone is feeling the effects yet. I think it will take a little longer for consumers to realise that their information is being protected. As more states pass laws, and when the federal data privacy legislation passes, consumers will see the effects of the privacy laws and feel more secure about their data.

Will the new EU-U.S. Data Privacy Framework put an end to legal challenges over the adequacy of protections governing personal data transferred from the EU?

I believe the success of the EU-U.S. Data Privacy Framework (DPF) is closely tied to the U.S. passing federal data protection legislation.

Today, the DPF is based on the U.S. President’s executive orders and government agency regulations. It is true that some of the issues noted in the Schrems II court decision were addressed. However, this does not change the fact that the U.S. is still without a national privacy law that should address the privacy issues raised in Schrems II.

E.U.’s adequacy requirement should not rely on an executive order, which may be revoked by the President at any time. If there’s no legislation, the groundwork for the DPF is not as stable. The executive order may rely on an interpretation of a different law or the constitution, which may be revoked or changed by the President, Congress, or the Courts.

I believe there is still hope for an EU-U.S. data protection framework to exist, but the key will be the U.S. having national data protection legislation. Of course, this is only my attempt to read the tea leaves, and we really don’t know when it’s going to end. It will be up to Congress to pass a robust national data protection law that is comparable to the GDPR requirements for the U.S. to truly attain adequacy.