August 23, 2018

GDPR Update: Your Questions Answered About GDPR and Data Privacy
With Michael Jones, Attorney

(c) Trusted Counsel (Ashley) LLC. All Rights Reserved.


John:                    Our guest today is Michael Jones. He's a recent addition to Trusted Counsel with a strong background as a corporate attorney, and particularly in intellectual property and business oriented technology matters.

Evelyn:                  Perhaps even more importantly, Michael is focusing on not only licensing arrangements and operating-type everyday contracts, but he has a real expertise and knowledge, a deep specialty in privacy.

John:                    Absolutely. Yes. He's worked on a number of issues. Actually Michael, how about you tell us a little bit about your professional background.

Michael:               Sure. Absolutely. I came to law a little bit later in life. I was an academic in my first go round, but I've been practicing law for gosh, wow. I don't really know if I want to say this, but yes. Almost 15 years now. Hard to believe. I got into the tech and privacy space sort of gradually. I started out really more in the IP area. I did a lot of IP work. Then what I found in the various law firms I was an associate at and then also in-house, is that a lot of the traditional intellectual property issues sort of morphed and became technology issues. That was true sort of across the board.

                           There was a time, and it seems very distant, but it really hasn't been that long ago, where technology was kind of this sort of very easily identified area that's sort of in the corner in a box, and you sort of knew what it was. Now it permeates everything. That's what makes my practice so challenging and so interesting. I did a lot of work in digital marketing. What we like to call advanced advertising. All of the stuff that you may be annoyed by when you see pop ups on your browser and your computer, those sorts of things helping brands to market their products and services, but also advertising agencies, marketing technology companies. I've done work with all of them.

                           More recently, I have been ... I was very recently in-house for five years at New York Life Insurance Company in New York City, and there I did really soup to nuts technology work. Everything from giant enterprise wide licensing deals with Microsoft, with Salesforce, you name it, to very small but often very important strategic deals with startups. We had sort of an in-house ... almost sort of an in-house incubator, and that was a lot of fun.

                           Yes, I mean there was sort of a part of it that was very much specific to life insurance, but a lot of what I did was just tech work and the kind of stuff that I could do everywhere. Privacy became increasingly important during my time at New York Life, and also sort of the sibling I guess in a way of privacy, information security. They really do sort of go hand in hand. Certainly as a regulated entity like a life insurance company is, risk management, compliance, being able to track what your customers, your ... Well, in our case policyholders, had consented to, and what they had not was extremely important not only for good customer relations, but because our regulators were extremely sensitive to those sorts of issues. We took it very seriously. That was really ... I know we'll be talking about it. That was really where I sort of cut my teeth on the GDPR, which we'll talk about in a little bit, and our efforts to comply with that.

John:                    Yes. It's interesting, because you were talking about how intellectual property ended up morphing into technology. But now similarly, technology is morphing into data privacy issues, which of course we do have the GDPR, which most of our audience hopefully is aware of now, but possibly not. Do you want to give us a little bit of an overview of what that stands for, and what it is?

Michael:               Absolutely. The GDPR stands for the General Data Protection Regulation. You've probably heard about it. You may have gotten lots and lots of emails in the months of say, April and May that say, "Hey, our privacy policy has been updated. Please take a look at it." What was driving that was in fact the GDPR in almost all instances I suspect. It went into effect on May 25th. That's why we were all getting bombarded with these sorts of emails, because it was one of the requirements of the GDPR that customers, consumers, users be notified of certain changes to privacy policies.

                           That was the date. I call it the GDPR day. What's been interesting to me in the practice here at Trusted Counsel ... Well, and actually even beginning before that at New York Life, it took us a while to figure out if it applied to us. Certainly with a lot of our clients here, they take a look at it, and they say, "Well, wait a minute. This is an EU regulation," which it is. I don't know if I said that. European Union. They may dismiss it and say, "Well, we don't have any business in the EU. We're a US company." Wrong because ... I can get into more detail about this. What's really striking about the GDPR is it's, I'm going to use a fancy word, extraterritorial effect. Which means that it protects the personal information of EU residents. A business can process, that's the term that they use, hold, maintain, use, the personal information of EU residents even if they're not based in the EU. You could be in Georgia, you could be anywhere in the world. It applies.

John:                    One common thing that I hear all the time is, "Well, we're not a B2C business, so we don't need to worry about that." But that's not actually correct. I mean, do you want to tell people how this might apply to them, even if they're a B2B business?

Michael:               Well, I mean essentially, if you read the GDPR, which I unfortunately have. It's rather lengthy. It's still-

Evelyn:                 Come on. We've all read it.

John:                   We've all read it. We keep it on our nightstand.

Evelyn:                It's a good way to go off to sleep in the evening.

Michael:              Exactly. Look, we still don't know an awful lot about how it's going to be enforced. It's brand new, so it's going to take a while for all of that to shake out. But to John's point, there's really nothing in there that says, "Hey, this only applies to consumers." It applies to any personal information, which is defined very broadly. We may think we know what that is. In fact, a lot of companies that traffic and trade in personal information have heard the term personally identifiable information, or PII. It's broader than that.

                          It's basically any information that can be used in any sort of circumstance, however remote, to identify an individual. If you think about it, even in the B2B context, there could be and often is personal information that meets that definition, so it's flowing through the pipes. Yes, there are certain extra steps, there are certain things you have to be very conscious of if you are a B2C business, but that's been the case even before the GDPR. It's not like we don't have any privacy laws in the United States, although it's a very different regimen. It's very much a patchwork quilt. But businesses have always, at least for a long time, had to be very conscious of how they interact with customers. But what's so interesting/scary I guess in a way about the GDPR is they don't make that distinction in that regulation. It applies regardless.

Evelyn:                 Basically to everyone. I think it's important that from a ... Maybe bringing it down to a practical level, I'm a B2B business. My customer is a US company, but it has locations in the European Union.

Michael:               Exactly.

Evelyn:                Just by nature of that relationship with that US company, I probably do have data of European Union residents.

John:                   Yes. I do think, Michael you and I, we've gone through this analysis a couple times. It's funny, people, they say, "Well, I don't think this applies to us." Or sometimes I think it doesn't even on the face apply to our clients. But then we go through a ... We go through a series of questions, and then all of a sudden it's, "No, this is an issue."

Evelyn:                 It really applies.

Michael:               I tell you, be careful when you ask a question. You never know what you're going to find out.

John:                   What are some of the questions businesses should be asking themselves?

Michael:               Well I mean, I really think ... I mean, first of all as a threshold matter, are you trafficking and trading ... I use that term sort of loosely. Are you processing personal information? Which as I said is defined very broadly. I mean, there are some instances where you might be able to say no, but I think a lot of times the answer is going to be yes. Then you can sort of take it to the next step and say, "Okay. Well, is any of this personal information the personal information of an EU resident?"

                           But what you find out, and that's what's so interesting and I think valuable about this whole exercise, is that a lot of times you don't have a business, and it's not the business's fault, they don't even have the systems in place often to be able to determine that easily. To be able to say, "Well, we're able to bucket our users in such a way that we know for certain that this is a non-EU resident versus this is an EU resident." Now sure, I mean if the email address has got a clear country identifier or something like that, you can figure that out. But a lot of times, you can't.

                         I think a lot of it is just really starting with that basic sort of step. Do you have personal information? Is it the personal information of an EU resident? Then go from there. I think what we've engaged in, begun to engage in with some of our clients is to take them step by step through what is really a data map. It's really if you think about it, where does the data that you have as an entity, as a business, where does it come from? What do you do with it while you have it, right? Where does it go? That sounds simple, and it's simple to articulate, but it's often very ... It's very difficult to-

Evelyn:               They don't necessarily know.

Michael:             They don't know.

Evelyn:               Sometimes they just don't know. I mean, and I think that it's also hard because if you are a company that doesn't actually pay much attention to where your data is coming from, it's even harder to just give them examples because people will start to pigeonhole. Okay, so we don't buy any lists of people in order to reach out for customer purposes. Or we don't buy data from any other provider that goes into our system. Therefore, nope. We don't have any data. Yes. I think that's kind of maybe the bigger challenge, and somewhat ... Well, I think for all companies a pretty overwhelming undertaking, because even if you do know where the data is coming from, it's still an overwhelming process to actually comply.

Michael:             It is. That's why we try to help. To your point, Evelyn, I think examples can be useful. But if they're misused, then what they tend to do is they reinforce I think assumptions that folks have. That they don't have to comply, and, "Oh, we don't do that." Or "We know where our data is." Then you sort of ask sometimes even I think of them as basic questions, but they're often not. They're sort of things that folks just don't think about. Well, okay wait a minute. Is your data hosted? Who's hosting your data? Is it Amazon Web Services? Is it Microsoft Azure?

                          A lot of times it is peeling an onion. It is really having the patience. It really, it does. It takes time, it takes patience on all sides to do it. Like you said, it can be ... I think when faced with this sort of undertaking, it can be overwhelming. It can be daunting. Again, I don't want to suggest that it's one and done. That you do this and then you're in compliance forever. No, unfortunately that's not the way the world works. But I really do think this is the way it is with a lot of things in life in my experience.

                         It's never going to be as hard as it is the first time. It's just a bit like ripping off the band-aid. Because you haven't in many cases ... Look, lawyers are in much the same position. This is a very brand new piece of legislation. A regulation, but it is legislation. It's got some aspects of it where even the folks ... I don't know. I haven't asked them, but the folks that actually wrote it, they might not even be able to tell you exactly what it means because it was also the process that ... It came at the end of a long process of negotiation. There's give and take.

                         It's going to take a while for it to shake out. Absolutely. I think that if you keep focused on the basics, what data do you have? Where does it come from? What do you do with it? Be able to answer it in plain English, because at the end of the day, that's what you're going to need to do for your customers, right? That's what regulators are going to be focused on, right? There are different schools of thought in terms of what you should have, in terms of a privacy policy. Most folks have probably heard the ... They're usually the things that are hyperlinked at the bottom of the page that no one ever reads, or there's a splash page or a box that comes up that you check that says, "Oh, yes. I read it. Yes."

                         Look. In all honesty, most folks don't read it. We read them. We have to. Regulators certainly read them, and they're important, but they need to be clear, and there is some thinking that they should just be short and sweet maybe. But I think the most important thing about the privacy policy, and what would get you in trouble even in the United States where we're not as ... Our regulations are not ... in some ways, haven't been as harshly enforced as they have been in the EU, is that if you say you're doing something in your privacy policy, or not doing it, it better be the truth. That's where you'll get in trouble.

John:                 Actually, that's the thing that scares me about GDPR is that you have to make it flexible enough to deal with your US customers, but hopefully address some of your EU customers. In the US, we are a very litigious society. We really need to make sure that it is right. The old privacy policies used to basically leave a back door and allow you to do whatever you wanted with the data.

Michael:             Those were the days. Right, right, right, right.

John:                 This requires much more careful thought.

Michael:             Absolutely. Absolutely.

John:                 I know that you've gotten calls from people that have said, "Can you redo my terms of service and privacy policy to make me compliant." Can you talk about what true compliance means under the GDPR?

Michael:             Well I mean, right. Just to make people feel a little bit better, even large, large and well-known companies, if you woke the general counsel up in the middle of the night, or the chief privacy officer and sort of shook them awake and said, "Are you fully compliant with the GDPR," I'm not sure they would say yes. I mean, it's a very complicated piece of legislation. A lot of companies have spent a lot of time and money to get compliant, or to at least get as close as they could to being compliant.

                         There are a lot of things that a business ... If you're going to be fully ... You can't see me, but I'm doing air quotes. Fully compliant with the GDPR, there are internal things that you have to do. You have to ... We've sort of already alluded to it. You have to know where your data is, where it comes from, where it's going, what you're doing with it, and again, this is really important, be able to document it in such a way that you can show a regulator if a regulator comes knocking, or if there is a lawsuit. I mean, if there's a private action, you need to be able to say, "Look, maybe we're not in 100% compliance, but we did our best. Here's what we did." You need to be able to show that.

                         You need to train your employees, your workforce. Don't just think of it as your own employees. You also have to push obligations onto your subcontractors. Make sure they're aware of their obligations under the GDPR, because it flows down. There's a lot of stuff that you have to do internally. But then when they say, "Well, what do I have to do to my privacy policy?" There's also the external side of it as well. I think there, the reason that this sort of data mapping exercise is so important is ultimately, what you're going to do is you're going to take that who, what, when, where, why, and you're going to put it into your privacy policy, privacy statement. Whatever you want to call it.

                         You're going to describe so that a consumer, customer, user, can if they choose open the privacy policy and understand what you're doing with their data, and why you're doing it. I won't get into the detail, but one of the things that the GDPR requires is that a company has to have a basis for treating, for processing personal information. There are a variety of basis that you can rely on. But at the end of the day, I think the key concept here is transparency. You want to be as transparent as you possibly can be with your users, and ultimately, you want to give them choice. You want to give them an option in some instances, particularly where you're dealing with marketing. That's where it gets really, really important that they are informed of what you are doing with their data. They've given informed consent. Under the GDPR, they can withdraw that consent, which is going to ... That's going to be very tough for a lot of companies that are in the marketing space for sure.

John:                 Yes. We've had this conversation. I do think it's interesting with the Facebook breaches, people don't always trust what Google is doing with information. But trust is like a currency, and we've had this conversation. Companies that get ahead of this, they can have a competitive advantage via transparency and building trust with either their customers, or the other ... I guess it could be a B2B customer. It could be a B2C customer. But that transparency can really become a competitive advantage to that business.

Michael:             Absolutely. Absolutely. The reputational value of being ahead of the curve, of being an honest broker, being transparent when it comes to your data practices I think is something that again, you may not be able to put a hard and fast dollar sign to it, but it is extremely important going forward. This is only given what's happened with Facebook and the increasing ... There's increasing attention paid to it in the United States, the California legislation that was passed not too long ago, which in some cases is ... in some aspects is really not a carbon copy of the GDPR, but is very much GDPR like. It's not going away.

John:                 Yes. I think that's interesting. Can you tell us what they've passed in California, because I think that's the future? This is where this is trending, right?

Michael:             Yes.

John:                 Even if GDPR does not affect a business, tell us why it's so important.

Michael:             Right. The California Legislature passed, really about a month after the GDPR went into effect, the California Consumer Privacy Act, and it is currently really the gold standard for privacy legislation in the United States. The requirements that the GDPR has, it mimics a lot of them. It doesn't go into effect ... It was passed, but it doesn't go into effect until January 1st of 2020.

                         It's a little bit unclear what may happen in the interim period in terms of whether it might be amended, lobbyists get ahold of it, who knows. But the other thing that it might actually ... Because again, it is so ground-breaking ... Again, the same sorts of things that are included in the GDPR. Transparency, consumers can opt-out of certain uses of their information. They can basically say, "You can't sell my information. In fact, there has to be a link on your web page that says, 'If you don't want your information sold, click here and ... '" There has to be a process in place.

                         It's very potentially burdensome legislation, but what it may drive, partly because it's California, we don't have in the United States an overarching privacy regime. We don't. It's a patchwork quilt. We have data breach laws in all 50 states. We have sector regulation, whether it's HIPAA for protected health information, or banking information under GLBA, Gramm-Leach-Bliley. That's how we do it. I think there's going to be real momentum now that the California legislation has been passed to do something on a national basis. I think tech companies are going to want to do it. It's just going to be way too difficult to comply.

Evelyn:              I think the reality is if you have to comply with this in California, then you have to comply because your ... Every-

Michael:            It's the fifth largest economy in the ... Right. I mean, in the world, right? That's right. Right. It applies to California residents. Much like the GDPR, you may think, "Well, I don't have a business in California." But chances are somewhere in your database, you've got personal information of a California resident.

John:                California, we talk about litigation. They are class action oriented over there. I mean, they have a whole-

Evelyn:             I figure they adopted it because all of the big names got sued immediately by the GDPR, so they were like, "We're going to get them."

John:                I think that's going to be what's actually going to drive this. I don't know if a government agency would probably be as effective as maybe the class action lawsuits that are going to come out of this regulation in California.

Michael:           You've pointed out a big difference between the GDPR and the California legislation. The CCPA. It's also got an acronym. It is the private right of action. Under the GDPR ... Now look, it's scary. I mean, most people have heard that for certain violations of the GDPR, you could be fined by a regulator the greater of 4% of your global revenue, or 20 million euros. That's a lot of money.

Evelyn:              Yes.

Michael:            But what you don't have ... The trade off is under the California legislation, the Attorney General of California can fine you, but it's $750 per violation. Of course, if it's 1.3 million residents in California, that could add up. But you can have a private right of action as well, and the class action bar is going to just go crazy. Absolutely.

Evelyn:             So Michael, we've dealt with lots of clients. We've participated in panel discussions where we've even had lawyers in the audience, and lots of companies and lots of individuals say, "Come on. Given the size of certain businesses, why would I have to worry about GDPR? No one's going to come after me."

Michael:           That's a natural reaction. I can understand why they might say that, especially given the well-publicized troubles that giants like Facebook and Google have had in Europe. But now we're talking about California. This California legislation is really I think every bit as serious as the GDPR. It imposes the same sorts of obligations on businesses. Even if you currently or don't even have plans to do business with EU residents, chances are you already are doing business with California residents. This legislation applies to their personal information, regardless of where your ...

                       You may not have any brick and mortar operation in California, but again, the chances are it's going to apply. Let's just think about it for a second. Would you really want to be in a business where you would have to somehow cordon off the entire state of California? First of all, that would not be a good idea for your business given the size of California and its economy. But at the end of the day, that might actually be as burdensome if not more so, and expensive to try to figure out how to do that than to just comply, or at least make an honest effort to comply.

                       I think that is what I think I want to make sure that we sort of ... I want to drive this point home. I think it's going to be nearly impossible for anybody to get to 100%. I don't even think at the end of the day that the regulators are expecting everyone to get to 100%. They are trying to drive change. They are trying to steer the boat or whatever large vessel you choose to greater accountability, transparency, and consumer choice. Those are the real buzz words and the real ... Yes.

Evelyn:             I think the whole concept of in Europe and in England particularly, they call it the right to be forgotten.

Michael:           Absolutely.

Evelyn:             While we could go on for hours discussing whether it's reasonable to impose that on business now after not having that right, basically the business right to ask to be forgiven, which is a completely different ... The right to be forgotten is not what we've been doing here. I do think there's a high cost and an impact, but let's face it. The other states are going to follow suit. New York is going to be out there, Massachusetts is definitely going to be out there. At the point that you have these major metropolitan centers also falling in line, you know that you must prepare now.

Michael:           Absolutely.

John:               Yes. I mean, for us I think what we've seen is that as the laws get put in place, they find their way into the contracts. Then that comes into the business deal. The question now becomes, "Are you GDPR compliant?" In the future it will be, "Are you compliant with the state's privacy laws?" It will mean if you cannot say that, then maybe you lose the deal. Maybe you can't become a vendor for this business. The fact is that this is too complex now to actually put in place in a period of a couple weeks and slap together. If you have it in place, you can be nimble and you can comply.

Evelyn:             You're ready.

John:                Yes. Evelyn, we were talking offline, and you said, "This is going to trickle into M&A transactions."

Evelyn:             Absolutely. You want to sell your business? The only way you're going to do that is you're going to have a representation that you are in compliance with these privacy laws.

John:               Right. We've already seen ... We already see that on the data privacy side and everything else, but it's going to start to become more specific, and the diligence I think is going to start to become more regulation oriented than the broad reps that we used to see in the past.

Michael:           The last thing you want to do is to get a diligence memo with that question, and first of all, not understand what it means. Well, maybe pick up the phone and call us, right? But then freak out that you haven't gone through that exercise.

Evelyn:             It's too late at that point.

Michael:           It's too late at that point. I mean, in all honesty. It doesn't take forever, but it does ... It takes sustained effort, and it takes some patience. Absolutely.

John:               Do you have any advice for people that are looking at or reviewing their data privacy issues?

Michael:          Yes. I mean, I think first of all, identify the folks in your company that know where the data is, or are likely to know where the data is. Get them together and start talking about it. Well first of all, call us. Right. Then we can join you in that room. But I think that's right. I think it's to just not ... The worst thing you can do at this point is stick your head in the sand and hope it goes away, because it won't. It's not scary. It takes time, it takes effort, it is a little bit daunting at first, but I think once you start the process, that's the hardest thing. It's like anything. It's like going to the gym, it's a diet. It's just getting started.

                       I think if you start there, and just see where it leads, and then just keep good notes I would say. Make sure that you document everything. Then once you sort of know where your data is, and where it's going, what you're doing with it, then you can work together with us and with others in your company to put together a compliance plan that will allow you not only to be in compliance now, but to stay in compliance. Be nimble like you said as this changes.

John:               Absolutely. We have found it does take a team.

Michael:           It does.

John:               Well Michael, this has been great. I mean, I always love hearing your thoughts on technology, privacy, data security, and where things are going. You stay abreast of all of it. You've written a very, very interesting blog post on CCPA, which can be found at our website trusted-counsel.com. Do you want to let people know how they can get in touch with you?

Michael:           Absolutely. The easiest way is to go to the website that John just mentioned, www.trusted-counsel.com, and go to the tab about us, and there you will find my bio and my contact information.

John:               Perfect.

Evelyn:            Thanks very much, Michael. Excellent.

Michael:          Thank you.

Evelyn:            We'll see you next time.

Speaker 1:       This has been In Process: Conversations about Business in the 21st Century with Evelyn Ashley and John Monahon. Presented by Trusted Counsel, a corporate and intellectual property law firm. Are you interested in being a guest on our show? Email our show producers at inprocess@trusted-counsel.com. For more information on Trusted Counsel, please visit trusted-counsel.com.