Episode: 071

Title: General Data Protection Regulation (GDPR)

Aired: February 03, 2018

Featured Segments: General Data Protection Regulation (GDPR)


Bret Piatt, CTR Host, and Van Lindberg, Dykema Cox Smith Attorney, discuss the General Data Protection Regulation (GDPR) and EU data privacy.

Follow Us & Stay Informed:

Bret Piatt (left), Van Lindberg (right)

Tweet us: @cybertalkradio, @bpiatt, @VanL / Stream on iHeartRadio: Android or iOS


00:00:02 from the dark web to your radio Gotham
00:00:05 you were listening to cyber talk radio
00:00:07 on news 1200 w olya
00:00:10 [Music]
00:00:18 welcome to cyber talk radio I'm your
00:00:21 host Bret Pyatt a 20-year internet
00:00:24 security veteran I'm joined by a former
00:00:27 guest and he's agreed to come back we've
00:00:29 got some exciting new stuff to talk
00:00:30 about European law and you wonder why
00:00:33 this matters with cybersecurity but it's
00:00:35 a European data privacy and we're gonna
00:00:38 have a bit of a hypothetical discussion
00:00:40 throughout the program today nothing
00:00:42 here that's offered on this by myself
00:00:45 who's not an attorney or by my guest van
00:00:47 Lindberg who is an attorney is legal
00:00:49 advice this is not legal advice these
00:00:50 are hypothetical discussions and some
00:00:53 background on these new European data
00:00:56 privacy rules to Vann thank you for
00:00:58 joining us today I'm happy to be here
00:00:59 yeah so gdpr what is this new acronym
00:01:03 stand for it stands for the general data
00:01:06 protection regulation which is designed
00:01:09 to enable individuals to better control
00:01:11 their own data and the way in which it's
00:01:14 used by companies both those who they
00:01:17 directly work with and this is where it
00:01:20 reaches a lot more people the companies
00:01:22 that subcontract or work with other
00:01:25 companies for the processing of that
00:01:26 data yeah so if we rewind back in the
00:01:30 the world of EU data privacy and EU
00:01:33 being the European Union and it's
00:01:35 somewhat different from like an American
00:01:38 federal law where you have one
00:01:40 government that passes the law that gets
00:01:41 rolled out across all 50 states in the
00:01:45 EU you have a collective of nations with
00:01:48 they've agreed to operate under this EU
00:01:52 agreement and they'll pass legislation
00:01:56 laws write laws at the European Union
00:02:00 level across the group of Nations there
00:02:02 and then they all roll it out
00:02:04 individually into the country so help
00:02:06 our audience understand this safe harbor
00:02:08 things that they may have heard about
00:02:09 privacy shield gdpr and just how does
00:02:12 this flow through out into the U in
00:02:16 general so I think the way to start is
00:02:19 by thinking about the difference between
00:02:22 the way Europeans think about personal
00:02:25 privacy and think about the rights of
00:02:28 citizens and consumers versus the United
00:02:30 States
00:02:31 in the united states we have a long
00:02:33 history of saying that almost anything
00:02:37 goes when it comes to contract you while
00:02:41 there are some there are some
00:02:44 restrictions on that that have been
00:02:46 developed over years in general we have
00:02:50 a lot of freedom for almost any sort of
00:02:54 business to go in and to deal with
00:02:57 people and to deal with their
00:02:58 information and to try and create value
00:03:00 out of it as long as there is proper
00:03:04 proper notice ie they're going to tell
00:03:05 you more or less what they're going to
00:03:07 do and that there's some sort of
00:03:08 exchange of value they will you get some
00:03:13 value of out of whatever they're doing
00:03:14 by and large US regulators have been
00:03:19 hands-off so if I was a social network
00:03:21 and you and I and and then you as a
00:03:24 consumer signed up for my social network
00:03:26 and I collected all sorts of information
00:03:27 about you so I could serve you very
00:03:29 relevant advertisements totally fair
00:03:32 inside the US in general absolutely and
00:03:35 this is important because this is
00:03:38 largely the business model for the
00:03:40 Internet is collecting information
00:03:43 packaging it up slicing and dicing it
00:03:45 and making sure that you can provide
00:03:48 relevant advertisements now this is true
00:03:52 worldwide but the EU takes a very
00:03:55 different take on the rights of their
00:03:58 citizens and they've always been much
00:04:00 more privacy focused than the United
00:04:02 States and so they used to have they
00:04:07 used to have a lot of agreements between
00:04:09 the United States and various countries
00:04:12 in the EU focused on how you can make
00:04:16 sure that you citizens have the proper
00:04:18 protections and so you would have their
00:04:21 for a long time we were under something
00:04:23 called the safe harbor which is that if
00:04:26 you had you you had a certain level of
00:04:30 privacy protections under underneath our
00:04:34 laws and in your contracts then you were
00:04:37 okay to transfer information back and
00:04:39 forth and this enabled a lot of
00:04:42 cross-border digital commerce a lot of
00:04:45 what they would
00:04:45 a processor and it versus a control
00:04:48 people doing various stuff with the data
00:04:50 in all sorts of different juries yeah if
00:04:52 I was a us-based ecommerce company and I
00:04:55 wanted to be able to ship product to
00:04:57 people in Europe and and I wanted to
00:04:58 have European citizens be able to sign
00:05:01 up for my ecommerce service share their
00:05:03 information with me and and be able to
00:05:06 purchase goods off of my website I could
00:05:08 do that with a safe harbor agreement
00:05:10 that's right the you could also if you
00:05:14 even if you were a purely European
00:05:15 company and you wanted to use a USA Us
00:05:19 credit card processor like stripe or you
00:05:21 wanted to use a US backup company or you
00:05:25 wanted to use any any sorts of
00:05:27 underlying business service you would
00:05:30 also need these sorts of contractual
00:05:32 provisions you know that you also had
00:05:35 things called model clauses which were
00:05:37 agreed upon specific contractual
00:05:40 language that had to be included word
00:05:42 for word
00:05:43 that governed some of the transfers
00:05:45 between data well a couple years back
00:05:48 someone sued Facebook from Ireland where
00:05:52 they said you know what these prove this
00:05:54 safe harbor is not sufficient to
00:05:57 guarantee my rights as an EU citizen
00:06:00 that everyone has agreed upon and to a
00:06:03 lot of people surprise this person
00:06:06 actually succeeded yeah so this one up
00:06:08 to the the European Court of Justice
00:06:09 which is kind of the equivalent of the
00:06:12 European Supreme Court yes for for these
00:06:15 sorts of transnational issues that's
00:06:16 correct and so this essentially
00:06:20 invalidated a lot of this pre-existing
00:06:23 safe harbor and for a series of months
00:06:28 there was a lot of uncertainty in terms
00:06:29 of what could you do because the
00:06:32 existing legal framework for for
00:06:34 handling these sorts of transnational
00:06:36 data trend transfers was that there
00:06:40 wasn't anything yeah they're effectively
00:06:42 was not a digital trade agreement
00:06:44 between even countries in the EU and
00:06:46 each other on how they should handle it
00:06:47 if I if I was France and I was storing
00:06:49 German citizen data or vice versa or
00:06:52 even outside the EU to the US or other
00:06:54 places yeah so we sat in limbo here
00:06:57 until this u.s.
00:06:59 you privacy shield was was drafted and
00:07:02 then put into law exactly and the
00:07:04 privacy shield is a little bit different
00:07:08 a little bit more stringent but it puts
00:07:09 in place some of the same types of
00:07:12 arrangements but all that was really a
00:07:15 preface to the gdpr
00:07:18 which was negotiated over a series of
00:07:21 years it was put right if I'd in early
00:07:25 2016 and is going to be effective
00:07:28 throughout the EU on May 25th I believe
00:07:32 of 12 this year of 2018 and that is a
00:07:37 big day because already a number of
00:07:40 these data protection authorities are
00:07:41 starting to either prepare companies for
00:07:45 the ways in which they are going to
00:07:46 enforce it or they've started writing
00:07:50 regulations that are preparatory for the
00:07:52 enforcement of the gdpr
00:07:53 and this is a very big deal for anyone
00:07:56 who does business even indirectly with a
00:08:00 citizen of the EU yes and then this is
00:08:03 some of the difference between Europe
00:08:05 and the US on this if in the US if a
00:08:08 federal law gets passed typically
00:08:10 federal rules are written and there's a
00:08:12 federal agency that would enforce it so
00:08:14 we just passed a major tax overall here
00:08:17 the IRS is a federal agency they're
00:08:19 gonna write rules about that and the IRS
00:08:21 will be responsible for enforcement of
00:08:23 that new tax bill we're in the EU my
00:08:26 understanding is a EU drafts these gdpr
00:08:31 law and then each country has its own
00:08:36 enforcement agency that's going to go
00:08:38 handle the enforcement that'd be the
00:08:40 equivalent of I guess in the US the feds
00:08:42 drafting something and then a state
00:08:44 drafting their own rules and there and
00:08:46 having their own enforcement agency for
00:08:48 it that's right the the EU has this
00:08:52 interesting point counterpoint the this
00:08:56 push both for both for centralization
00:08:59 and for individual sovereignty and that
00:09:03 results in some sometimes you get at
00:09:06 push toward more centralization and
00:09:08 sometimes you have a various country
00:09:12 saying well we really want
00:09:13 have the final say on how this applies
00:09:15 to our citizens and so where the
00:09:18 original legislation was drafted so
00:09:21 there would be a single gdpr enforcement
00:09:23 authority that's not where it ended up
00:09:25 for reasons of sovereignty
00:09:28 yuria there may be a lead gdpr
00:09:31 enforcement agency and other other
00:09:34 agencies are supposed to take their
00:09:36 follow their lead or date take the
00:09:39 things that they say and implement them
00:09:40 you really need to deal with each
00:09:43 individual enforcement agency and who
00:09:46 you may be dealing with ends up being a
00:09:48 country specific matter yeah so this so
00:09:52 folks have had a couple of years now to
00:09:55 look at gdpr and look and see where and
00:09:59 how this is gonna be set up and enforced
00:10:03 so with this time and background and
00:10:07 with this is I think still for most US
00:10:10 based business owners a fairly new topic
00:10:12 to them to think about this so if I'm
00:10:14 over here in in the US why would this be
00:10:18 relevant to me to a first approximation
00:10:20 approximation if you either do business
00:10:24 with and where it's available worldwide
00:10:27 even incidentally or
00:10:30 you do business with people who do
00:10:32 business worldwide even incidentally
00:10:34 then as written the scope of the gdpr
00:10:38 applies to you because it is not about
00:10:41 where your company is and it's not about
00:10:44 where you do business or where you are
00:10:46 organized it is because it is designed
00:10:50 to be tied to the rights of European
00:10:52 European Union citizens it is actually
00:10:56 about who your customers or your
00:10:58 customers customers are if you end up
00:11:01 doing business with someone in the EU
00:11:04 then the gdpr applies to that it applies
00:11:08 to you because of that transaction or if
00:11:11 you are a service provider just to
00:11:13 someone who does or potentially does
00:11:15 business within the EU again it's going
00:11:18 to apply to you at least to some extent
00:11:20 so to a first approximation if you are a
00:11:24 company that has
00:11:26 business over the internet or has
00:11:28 significant commercial contracts you
00:11:31 need to be thinking about the GDP are
00:11:32 yeah and you're listening to 1200 W AI
00:11:36 this is cyber talk radio and we're
00:11:38 talking about the EU data privacy on
00:11:41 this program I'm joined by van Lindbergh
00:11:43 who's a an attorney here in San Antonio
00:11:46 and a one who reads up on this and as
00:11:49 attorneys will say they're always
00:11:50 practicing they're always learning more
00:11:52 so I might call him an expert he may not
00:11:54 call himself an expert yet but I think
00:11:56 between the two of us we we know enough
00:11:58 about this hopefully where I can ask
00:12:00 some good questions and we can have some
00:12:02 insightful discussion if you are just
00:12:04 joining us on air right now during the
00:12:06 broadcast you can listen to this in full
00:12:09 if you're not able to stay around during
00:12:11 the evening on itunes podcasts or pocket
00:12:14 casts or any other podcasting service
00:12:15 across the internet we also have a
00:12:16 youtube channel as well as a Facebook
00:12:20 and a Twitter page for cyber talk radio
00:12:22 we post up the rebroadcast and replays
00:12:25 every Tuesday after our episodes air on
00:12:27 Saturday evenings so van had gone
00:12:31 through and given kind of the background
00:12:32 of how we arrived at gdpr from safe
00:12:36 harbor and privacy shield and the
00:12:38 background on where the EU was organized
00:12:40 so now I'm here in the US I'm a business
00:12:43 let's say I mean I make t-shirts and I'm
00:12:48 making t-shirts and I'm selling them on
00:12:51 my own ecommerce website and I have
00:12:54 people come in that there are EU
00:12:56 citizens I assume they might be because
00:12:59 they're ordering with a European credit
00:13:02 card and they have a European address
00:13:03 that I'm shipping this out to so as a
00:13:07 t-shirt maker what am I gonna need to
00:13:10 think about this gdpr maybe because I'm
00:13:13 gonna store a list of all of my
00:13:14 customers in my system and I'm pretty
00:13:18 sure they're consumers because maybe I'm
00:13:19 making band t-shirts or other things
00:13:21 where I these are orders going to
00:13:23 individuals not orders going to
00:13:25 businesses over there so in that case
00:13:28 you definitely are the the any
00:13:32 information that you're holding that can
00:13:34 be used to identify somebody is going to
00:13:37 come under the scope of the Gd
00:13:39 pyaare and you are going to have that
00:13:42 you're going to be required to to manage
00:13:45 it and comply with with GDP our
00:13:48 processes and rules in terms of how you
00:13:50 hold it and what you do with it and
00:13:53 you're going to need to be a little bit
00:13:56 more explicit in terms of your
00:13:58 agreements with what you say to your
00:14:00 various customers say for example you've
00:14:04 got you've got information associated
00:14:09 with people people size their address
00:14:12 their some of their I don't know very
00:14:15 various personal information you're
00:14:17 already going to need to apply certain
00:14:20 sorts of protections associated with
00:14:24 protecting the financial data a lot of
00:14:26 times people think of the PCI compliance
00:14:29 that's focused on preventing fraud
00:14:32 preventing the loss of the credit card
00:14:34 information to a first approximation
00:14:37 you're going to need to do a lot have a
00:14:39 lot of those same or even more stringent
00:14:41 things associated with the protection of
00:14:44 the identities and the information that
00:14:46 can be used to identify the particular
00:14:48 people who are in your database yeah no
00:14:51 I mean the one that I've been reading
00:14:54 about on this that most folks are a
00:14:57 little bit up in arms about is this the
00:14:59 right to be forgotten which is tied to
00:15:02 GDP are but is also maybe even some of
00:15:04 the individual countries in Europe have
00:15:06 written some individual laws about this
00:15:08 can you explain this concept about the
00:15:11 right to be forgotten and and what if I
00:15:14 got that notice from an EU individual
00:15:16 citizens said forget me out of your
00:15:19 system wipe all of my records out in
00:15:21 your system what what am I gonna have to
00:15:23 do there is a business hey I'm that
00:15:25 t-shirt ship manufacturer still screen
00:15:28 printing shop so this again comes with
00:15:32 comes from the EU perspective of the
00:15:35 ultimate right of consumers to control
00:15:37 the use of their data and it came out in
00:15:41 especially when people had people had
00:15:46 various unflattering things that were
00:15:48 posted about them on the Internet and
00:15:51 one of the rights
00:15:53 was recognized by various countries and
00:15:55 is now roughly enshrined into the GDP
00:15:58 our is this ability to say I want those
00:16:01 negative things about me to be taken off
00:16:04 the internet and it doesn't really
00:16:06 matter who is holding them it really
00:16:10 matters that they are about me and
00:16:12 because they are about me I have a I
00:16:14 have certain rights to that information
00:16:16 in particular the right to have not be
00:16:19 disseminated because this is is really
00:16:24 about the the dissemination and the the
00:16:27 manifestation of information this has
00:16:30 been broadly called the right to be
00:16:32 forgotten and it really came up in the
00:16:34 content frequently in the context of
00:16:36 either social media or or website search
00:16:40 engines especially but then people said
00:16:43 you know what I can see that you comply
00:16:45 you removed the particular link but you
00:16:49 can still see it else played other
00:16:51 places or you still have a cached copy
00:16:53 and so the courts went a little bit
00:16:55 further and they said well what about
00:16:57 backups and cached copies and all sorts
00:16:59 of things and it is evolved into a
00:17:01 fairly substantial right for certain
00:17:05 people to go back and say remove me from
00:17:07 your from all of your systems now if
00:17:11 you're the t-shirt manufacturer that's
00:17:13 probably going to be easier to do
00:17:17 because you've got a list of customers
00:17:20 what you can do is you can say delete
00:17:23 that particular delete that particular
00:17:24 customer alternatively zero out their
00:17:28 information and replace it with your
00:17:30 dummy
00:17:31 you know deleted information if you if
00:17:34 that's what's required by your database
00:17:35 for example yeah and if let's say though
00:17:38 I'd say I have relatives over in Europe
00:17:41 that are European citizens and I'm the
00:17:42 customer and I shipped a t-shirt to that
00:17:44 person in Europe so you might have like
00:17:46 even the t-shirt manufacturer may be
00:17:48 able to look at their customer database
00:17:51 all of their shipping destinations which
00:17:53 might not even be their customer and
00:17:54 they're gonna have some second order
00:17:55 information but if you're a social
00:17:58 network this gets much more complicated
00:18:00 that's right and the right to be at the
00:18:04 right to be forgotten is not
00:18:07 not absolute it depends upon for what
00:18:10 reason you originally you originally had
00:18:16 the need to collect the information for
00:18:19 example there's an absolute ability
00:18:22 there's an absolute right to opt out of
00:18:23 direct marketing but the organization's
00:18:29 may continue to process data the data
00:18:31 remains necessary for the purposes for
00:18:33 which it was originally corrected and
00:18:35 this is one of the things that is going
00:18:38 to be most useful for for example for
00:18:41 backups as opposed to a cache if you
00:18:43 have a need to maintain business
00:18:45 integrity or audit ability and that is
00:18:48 the reason for which certain information
00:18:50 was collected then as long as you don't
00:18:53 expose that information that's one way
00:18:56 in which the right to be forgotten may
00:18:59 not require you to actually restore all
00:19:01 your backups and delete that individual
00:19:03 person well on that t-shirt example so
00:19:05 if I collected their information
00:19:07 initially so I could process a purchase
00:19:10 and then I kept their shipping address
00:19:12 because that was required to send them
00:19:13 the t-shirt under the right to be
00:19:16 forgotten do I not have to forget them
00:19:18 maybe so this is where this all seems
00:19:19 like a really complicated gray area to a
00:19:21 non-attorney here I think that even for
00:19:24 a lot of attorneys it's still
00:19:26 complicated gray area okay that's good
00:19:28 the I think that a lot of what people
00:19:32 are saying is that it depends upon the
00:19:34 purpose for example let's say that you
00:19:36 had a you also when someone signed up
00:19:41 for signed up for your t-shirt they also
00:19:46 collected a little thing that said and
00:19:48 you can send me periodic marker
00:19:51 marketing about future t-shirt sales
00:19:53 yeah probably you would need to if
00:19:56 someone said I would like you to stop
00:19:58 that you have an option they have an
00:20:00 absolute right to opt out of that sort
00:20:03 of marketing yeah on the other hand if
00:20:06 what you need to do on an ongoing basis
00:20:08 is make sure that you did not have a
00:20:12 fraudulent transaction and so you need
00:20:14 to maintain certain records about actual
00:20:17 purchases that they made yeah
00:20:19 well then again you you may be able to
00:20:22 maintain those so that for that
00:20:24 legitimate purpose especially if that
00:20:27 was was provided to them at the time of
00:20:31 purchase yeah and this is interesting is
00:20:34 in the in the US I think as most folks
00:20:36 that do digital marketing are aware of
00:20:39 what's called the can-spam act and
00:20:41 requirements around allowing for opt out
00:20:44 on email there and different
00:20:46 restrictions on where and how you can
00:20:48 collect email addresses and the gdpr
00:20:52 doesn't exactly aligned with it so use a
00:20:56 lot more stringent yeah it's it's much
00:20:57 more stringent and and it and in set up
00:21:01 in the different ways so you end up with
00:21:03 organizations having to incur a
00:21:06 significant amount of overhead in order
00:21:09 to set up business systems to handle one
00:21:12 set of regulations or another set of
00:21:13 regulations and even in the u.s. we have
00:21:16 a little bit of this California has
00:21:17 different data privacy laws than the
00:21:20 rest of the country they have some more
00:21:22 stringent laws Massachusetts is another
00:21:23 state with some pretty stringent data
00:21:26 privacy laws for residents of those
00:21:28 states so in the u.s. we're not immune
00:21:31 to creating regulatory conflict either
00:21:33 but I mean from a small business
00:21:36 perspective this all seems pretty
00:21:38 overwhelming I think that I think that
00:21:43 for a lot of businesses particularly if
00:21:45 you are dealing with stuff you're the
00:21:48 t-shirt example there are ways in which
00:21:51 you need to think about this it needs to
00:21:52 be on your radar where it becomes a lot
00:21:55 more difficult is if you're starting to
00:21:57 deal with either social networking or
00:21:59 marketing where you're dealing where
00:22:01 your business is people to a certain
00:22:03 extent yeah when you go there you've got
00:22:08 a lot floor near issues that are going
00:22:11 to take a lot more time to work out yeah
00:22:14 and so as I think it was we dive into
00:22:17 this some more after the break we can
00:22:18 talk some hypotheticals on the
00:22:20 enforcement side and just a little bit
00:22:22 of a teaser lead-in if if I was China I
00:22:25 have some pretty clear ways to enforce
00:22:27 my laws on the Internet on companies
00:22:30 that operate servers outside
00:22:32 China I've got the Great Firewall and I
00:22:35 can control access to those systems for
00:22:37 my citizens Russia's got some similar
00:22:40 things some other countries have done
00:22:41 certain things to control access to the
00:22:44 internet from their citizens and and
00:22:46 control businesses being able to go into
00:22:48 and operate inside of those countries
00:22:50 the EU doesn't have anything like this
00:22:53 and then I'm not aware of any EU member
00:22:55 state right now that has any sort of
00:22:57 border level internet filters to handle
00:23:01 a us-based
00:23:02 Internet operation and to block their
00:23:06 citizens from connecting out to it I I
00:23:11 don't I'm not aware of anything like
00:23:13 that either I think that that would
00:23:15 actually be contrary to some of the
00:23:17 agreements that they've got especially
00:23:20 in either with the US or with inside the
00:23:22 EU but what they've done is they
00:23:25 eventually effectively have what we'd
00:23:27 call in the US a long-arm statute that
00:23:29 says if you're going to transact with
00:23:31 our citizens than you have availed
00:23:33 yourself of our laws and our protection
00:23:35 which means that even if you're
00:23:39 someplace else our laws apply yeah now
00:23:43 and it's an interesting one in the u.s.
00:23:46 gets beat up about that it's like we've
00:23:48 done on that the tax bill and the tax
00:23:50 changes here the u.s. was the only
00:23:53 company country major country that taxed
00:23:56 foreign income before now that's sort of
00:23:59 getting undone and unwound while the EU
00:24:01 is actually sort of creating foreign
00:24:05 privacy oversight on people that operate
00:24:07 around the whole world if you want to
00:24:09 interact with the citizens over the
00:24:10 Internet so we've got tax things going
00:24:12 one way and we've got privacy
00:24:15 legislation going the other
00:24:16 you're listening to 1200 W AI this is
00:24:19 cyber talk radio we're going to go ahead
00:24:21 and take a quick break here for the news
00:24:22 traffic and weather update at the bottom
00:24:24 of the hour and I will be back with van
00:24:26 Lindbergh while we will continue talking
00:24:27 about data privacy and how that affects
00:24:30 your business here in the US when you're
00:24:33 interacting with European citizens
00:24:35 [Music]
00:25:02 [Music]
00:25:10 welcome back to cyber talk radio I'm
00:25:14 your host Brett Pyatt a twenty year
00:25:15 Internet and security veteran joined
00:25:17 this week by a van Lindbergh we're
00:25:20 talking about data privacy laws
00:25:22 specifically as they relate to the
00:25:24 European Union and the new gdpr which is
00:25:27 gonna go into effect a little bit later
00:25:29 this summer in this segment of the
00:25:31 program we're gonna dive into some of
00:25:33 the different terms if you've not heard
00:25:35 of a controller or a custodian or a
00:25:37 processor before and you do business
00:25:40 with Europe or if you have customers
00:25:42 that do business with Europe stay tuned
00:25:44 and learn more about this and how it
00:25:45 will impact your business and what you
00:25:48 need to be thinking about when you're
00:25:49 storing information on a European
00:25:51 citizen so man thanks again for joining
00:25:54 us this week to talk about this topic
00:25:57 and it's one in the cyber security world
00:25:59 we're often so much talking about
00:26:01 hackers and the rest of these things but
00:26:03 much of cyber security really ties in to
00:26:06 data privacy and the custody of
00:26:07 information and how you track and
00:26:09 control and allow access to and then
00:26:13 what you ultimately decide to do with
00:26:15 that information under the different
00:26:16 laws as well yeah it's interesting that
00:26:19 you that you talk about the hackers and
00:26:23 and the misuse of information to a
00:26:26 certain extent a lot of this was
00:26:27 designed to to kind to help various
00:26:32 citizens deal with that issue I mean it
00:26:35 also has a lot of restrictions upon what
00:26:39 commercial entities can do with your
00:26:40 data but there are significant
00:26:42 protections associated with not having
00:26:45 your identity stolen and not having your
00:26:48 your information X Y or your information
00:26:53 exfiltrated by various people who who'd
00:26:56 want to do you harm yeah
00:26:58 so as we go through this and when we're
00:27:02 talking about data privacy let's go
00:27:05 through some of the terms that help
00:27:08 people understand in data privacy what
00:27:11 does this mean
00:27:12 so as a you have a citizen there the
00:27:15 user this is the one who has that
00:27:17 personally identifiable information and
00:27:19 then you're sharing it with businesses
00:27:21 and those businesses have different role
00:27:23 that's right so then the number one
00:27:27 thing that you want to talk about is
00:27:28 this idea of between a controller and a
00:27:31 processor now companies may be
00:27:35 controllers for some for some types of
00:27:37 data and for some purposes and
00:27:38 processors for others now the way to
00:27:41 think about it is to go back to the
00:27:44 underlying your in your sense of what
00:27:47 those words mean
00:27:48 a controller is someone who's going to
00:27:50 be making the decisions about what
00:27:53 happens with the data they're the ones
00:27:55 who have the the business need they're
00:27:58 the ones who are frequently interacting
00:28:01 with the in interacting with the the
00:28:04 data or sometimes with the customer
00:28:06 itself although you can have
00:28:08 subsidiaries who are also controllers
00:28:10 the primary thing to think about if
00:28:12 you're a controller is are you making
00:28:15 the decisions about what happens with
00:28:17 the data a processor is someone who does
00:28:24 something with the data stores it and
00:28:28 restores it you know correlates it does
00:28:31 whatever does whatever with it under the
00:28:35 direction of a controller so for example
00:28:39 if you are let's say if I was an email
00:28:44 provider and I and my customer is the
00:28:47 controller of their email INBOX and
00:28:50 there are the control of their email
00:28:51 domain they decide which email normally
00:28:54 to keep and not keep which email they're
00:28:56 gonna delete and how they manage all
00:28:57 that information inside that email INBOX
00:28:59 oh you're saying they they control it
00:29:01 but again anyone anytime you've got a
00:29:05 you've you've got EU citizens they're
00:29:08 going to be in the role of user yeah and
00:29:11 so even if they have some sort of
00:29:14 control what you're talking about is
00:29:16 extending their control that doesn't
00:29:18 make them the controller that means that
00:29:19 they're the ones that have the right a
00:29:21 right of control that is going to be
00:29:25 enforced through the controller through
00:29:27 the processors so in that sort of
00:29:29 situation probably the primary
00:29:32 controller is going to be the is going
00:29:36 to be the email service
00:29:38 because they're the ones that are making
00:29:39 decisions about how that how that varies
00:29:43 how that data is going to be used and
00:29:45 managed in the context of the email
00:29:47 system yeah so let's I mean take this
00:29:49 out to a hypothetical here this sounds
00:29:51 kind of complicated for maybe an email
00:29:54 provider but if I was an EU citizen
00:29:57 could I email or could I send notice to
00:29:59 an email provider saying I don't want my
00:30:02 personal information transmitted by your
00:30:04 email platform by anybody so I'm
00:30:06 revoking your rights to transmit my
00:30:08 personal information to and from anyone
00:30:10 on your email platform so I think that
00:30:16 that what you can't see is me squirming
00:30:22 right here because I don't think that it
00:30:25 is it ends up being as cut-and-dry
00:30:27 because what you're asking implicitly is
00:30:31 how can the to control the actions of
00:30:37 third parties now what you can control
00:30:40 is the ability to represent or represent
00:30:45 that data or have it available but I I
00:30:50 don't think that there's any reasonable
00:30:52 way to say no one is someone mentions
00:30:55 Bret Pyatt in an email we're not
00:30:59 delivering that email sorry I mean it's
00:31:01 it's like as you get into spam filtering
00:31:03 and email filtering an email content
00:31:05 filtering it does is this gonna require
00:31:08 email providers to go all the way out to
00:31:11 the macro level of their whole system
00:31:12 and that they won't receive or send
00:31:15 email that contains information about an
00:31:18 individual EU citizen that says I don't
00:31:19 want my information transmitted via
00:31:21 email I think what you need to do is you
00:31:24 need to step back and say what is the
00:31:25 role of the of the company that you are
00:31:28 addressing and you need to say in the in
00:31:32 the realm of which you control data and
00:31:35 what you are a controller that's the
00:31:37 realm in which you have the right to
00:31:39 absolutely ask them to respect and to
00:31:43 not have anything to do with your
00:31:44 private data so for example you can ask
00:31:48 that your own personal
00:31:51 information be deleted and it be finally
00:31:54 deleted I think that that is going to be
00:31:57 yeah that that that will definitely come
00:32:01 in the realm of the sorts of things that
00:32:02 are that will be required can you can
00:32:06 you require that any sort of secondary
00:32:09 service providers that were taking
00:32:13 information that included your
00:32:15 information that they remove it
00:32:17 particularly that was going to be used
00:32:18 for a for an advertising or targeting
00:32:23 purpose probably can you say I want you
00:32:27 to proactively filter anything that any
00:32:32 email that someone talks about me and
00:32:34 remove that I don't think that you can
00:32:37 say that although I can see where you're
00:32:39 asking that question because of the
00:32:41 broader context of hey what about caches
00:32:45 of information where people were saying
00:32:47 negative things about me online you know
00:32:49 and the requirement to remove that I
00:32:52 think that the difference is is between
00:32:56 private communication and public
00:32:59 communication in a public communication
00:33:01 in the for example in the search engine
00:33:04 sends you know I think they have been
00:33:07 various people have been successful in
00:33:09 getting courts to say no you must D list
00:33:13 that information and and other copies of
00:33:16 that information and caches of that
00:33:17 information yeah hence the dark web now
00:33:20 where there's all this information
00:33:22 that's out there on the internet that's
00:33:23 no longer entered indexed by major
00:33:25 search engines but I think that the the
00:33:27 public nature of that information is is
00:33:31 part of what makes that enforceable I
00:33:35 don't think that you I don't think that
00:33:37 even the European courts would ever get
00:33:39 to the place where there's a prior
00:33:41 restraint restraint on individuals right
00:33:44 to express themselves in a private form
00:33:46 yeah and this is it's an interesting
00:33:48 gray area and that email provider they
00:33:50 may come back and say you know what I'm
00:33:51 not actually the controller I'm only the
00:33:53 processor here my customers are the
00:33:55 controllers I don't control what they
00:33:57 send and receive I stay out of that I
00:33:59 just provide them a mailbox and I
00:34:01 provide them a delivery platform so
00:34:04 yeah it's gonna be interesting to see
00:34:06 how this all sorts out and I think
00:34:08 you'll see different companies take
00:34:09 different stances here on how they view
00:34:11 it I think that that's absolutely true
00:34:14 part of what I'm thinking through here
00:34:16 is you you always want to go to go to
00:34:22 the place where you think about how are
00:34:25 the regulator's how are the judge is
00:34:28 going to think through this issue yeah
00:34:30 and so the fact that you can make an
00:34:32 argument you have to filter that through
00:34:34 how likely is that argument to be
00:34:36 accepted and the experience that that
00:34:41 various companies have had with the
00:34:44 European courts is that unlike the u.s.
00:34:47 that the US and this goes back to some
00:34:50 of the differences in Beart and the way
00:34:53 EU courts and US courts have addressed
00:34:56 this historically you know is that for
00:34:59 purposes of data protection and
00:35:02 protection of privacy the EU courts have
00:35:06 not shied away of finding some sort of
00:35:09 responsibility even when even when
00:35:13 companies have tried to distance
00:35:15 themselves from the ability to that from
00:35:20 some sorts of responsibility in order to
00:35:23 try and make the regulatory boat run a
00:35:25 little lighter yeah so let's go into
00:35:28 another area here so the email provider
00:35:30 I think creates a great gray area on how
00:35:32 to think about that one let's say I say
00:35:34 my business is an information broker so
00:35:36 in the US there's tons of these you can
00:35:39 go online you can say I'd like to I'd
00:35:41 like to buy information about 20,000
00:35:45 residents of San Antonio with in this
00:35:48 age range this and this is e this income
00:35:50 level and I can go online and I can buy
00:35:52 name address phone number email address
00:35:54 how many years they've lived at the
00:35:56 address I can buy all sorts of
00:35:57 information about US citizens if I'm an
00:36:00 EU citizen let's say I also happen to be
00:36:02 in that database and I sent a request to
00:36:05 this information broker saying remove me
00:36:07 from your system how is gdpr look at at
00:36:13 that request coming in from an EU
00:36:16 citizen
00:36:17 I think that they're going to be very
00:36:19 generous in terms of their a court would
00:36:22 be very generous in terms of their
00:36:24 expansive view of what sorts of
00:36:26 protections are going to be given to the
00:36:29 EU citizen let me give me an example of
00:36:32 that in terms of ways in which this is
00:36:35 really going to concretely affect
00:36:36 various businesses companies regularly
00:36:40 engage in different sorts of processing
00:36:44 different sorts of business ideas with
00:36:48 with with customer data and in the u.s.
00:36:52 you have frequently have some sort of
00:36:53 thing that says we may from time to time
00:36:55 engage with some of our partners to
00:36:57 offer you better goods or services yes
00:37:01 what that means in English my
00:37:04 understanding is the non-attorney is
00:37:05 that we're gonna share your information
00:37:07 with other people that might want to
00:37:08 sell you stuff yes and they're not
00:37:11 really limited on at least under US law
00:37:16 as long as they say that and it's
00:37:18 somewhere in the checkbox it reads a big
00:37:21 tent yes
00:37:22 there are lots of things that they can
00:37:23 do for the GDP are you have to get
00:37:28 explicit knowing consent for each
00:37:32 separate type of information processing
00:37:37 affiliate processing or affiliate
00:37:39 transaction or related party transaction
00:37:42 and it's for and it's not just hey we're
00:37:45 listing all the different types of
00:37:48 things that we we do it is that you need
00:37:51 to have explicit affirmative consent all
00:37:54 right we are putting right in front of
00:37:56 your face this is the thing that we're
00:37:58 going to do and this is how we want to
00:38:00 sell to you is that okay check yes
00:38:03 here's another way in which we'd
00:38:05 explicitly like to sell to you is that
00:38:07 okay
00:38:08 check yes I mean there's going to be I
00:38:10 think almost anyone has run into the
00:38:13 little cookie banner this I uses cookies
00:38:16 you know to to do whatever
00:38:19 click okay even that a lot of people are
00:38:23 even saying expect not even more of that
00:38:25 but things that are much more I don't
00:38:29 necessarily want to say
00:38:30 intrusive because it is it's not about
00:38:35 intruding on the process but it is about
00:38:37 putting a know a knowledge barrier about
00:38:40 what this company is going to do with
00:38:43 your data and making sure that you are
00:38:46 affirmatively agreeing to it yeah
00:38:48 this is if you're keeping uniquely
00:38:52 identified information that's tied back
00:38:53 to PII or is this just if let's say you
00:38:56 were even just keeping a cookie you knew
00:38:58 this cookie was coming from some person
00:39:00 in Europe that was browsing to your
00:39:02 website from a European location you
00:39:05 don't know if they're a European citizen
00:39:06 or not you so there could be a u.s.
00:39:09 person over there on vacation are you
00:39:11 gonna be responsible for asking for
00:39:14 explicit permission in that kind of
00:39:16 cookie world or only where you're tying
00:39:18 it to a specific EU citizen where you
00:39:20 have direct knowledge that they are n EU
00:39:22 citizen if it can be used if the
00:39:25 information could be used to identify an
00:39:27 EU citizen then these sorts of things
00:39:30 apply now again that's a that's a gray
00:39:33 area whether an anonymous cookie that
00:39:36 where you come come in and you don't
00:39:38 have essentially any necessary
00:39:41 relationship can be tied in but I think
00:39:43 as soon as you start correlating
00:39:45 information and cross multiple websites
00:39:47 or across multiple cookies as most out
00:39:51 of what networks do I think that the
00:39:55 chance that you can use it to
00:39:56 de-identify data or essentially come to
00:40:00 a knowledge of who that GU citizen is
00:40:04 even if it is not exact knowledge like
00:40:06 this is you know someone in Ireland that
00:40:10 we believe is between the ages of 30 and
00:40:14 45 based off of course that lives in
00:40:16 Cork based off of their shopping habits
00:40:18 and they have browsed from that location
00:40:21 in Cork for the last three years so they
00:40:24 either live in Ireland which might make
00:40:26 them a pretty good chance to be an Irish
00:40:27 citizen or the long term worker over
00:40:30 there that type of where you start to
00:40:32 get to this like belief that if someone
00:40:35 reasonable would say yeah that's
00:40:36 probably a European citizen that's right
00:40:38 it doesn't need to be this is Sean
00:40:41 O'Malley it can be this
00:40:43 is this is someone who is probably in
00:40:46 there they have a right to have their
00:40:47 information protected yeah so as a
00:40:49 business right now I can go in on a lot
00:40:52 of these ad platforms if I wanted to
00:40:54 advertise to people that were age thirty
00:40:56 to forty five that have lived in Cork
00:40:59 Ireland for more than three years I can
00:41:01 select that as a advertising target
00:41:04 category across a whole broad number of
00:41:06 advertising platforms is this gonna
00:41:09 potentially affect that or is it going
00:41:10 to be on the individual Shaun O'Malley's
00:41:12 of the world to individually go submit
00:41:15 to each of these advertising platform
00:41:17 saying stop tracking me so the the
00:41:22 default rules under GDP are our opt-in
00:41:24 yeah so what if they but what happens
00:41:27 with things before this summer effective
00:41:30 dates so if all these platforms have
00:41:32 already collected all this information
00:41:33 do they have to go back and get
00:41:35 permission or do they get to keep all
00:41:37 the information they had we've now
00:41:38 created a incumbent wall or barrier for
00:41:41 new people entering the world you're
00:41:43 going to have the same it doesn't matter
00:41:45 if you collected the information
00:41:46 beforehand or later you're going to have
00:41:49 the same sorts of the same sorts of
00:41:53 requirements in terms of your ability to
00:41:55 use or to process that information or
00:41:58 use it to target as soon as the gdpr
00:42:02 comes in and starts to apply it doesn't
00:42:05 matter that you collected it beforehand
00:42:06 there's no grandfathering in existing of
00:42:10 existing data so potentially so this
00:42:12 potentially creates a blank slate then
00:42:15 everyone has to as of the effective date
00:42:17 of this everyone has to go back and get
00:42:19 permission from every EU citizen to use
00:42:21 their data for any especially in the
00:42:23 marketing side of things for any
00:42:25 marketing purposes they're gonna have to
00:42:26 go back and re obtained permission from
00:42:30 everyone so all of the incumbent
00:42:32 advantages potentially wiped out then as
00:42:34 of this date that's the worry for a lot
00:42:38 of people so and one of the things is to
00:42:41 realize is that while the gdpr itself
00:42:44 has been the text has been known for a
00:42:47 couple of years some of the ways in
00:42:51 which is going to be enforced have only
00:42:54 been developed
00:42:56 made known and developed relatively
00:42:58 recently and there's going to be a lot
00:43:00 of interpretation that is going to occur
00:43:03 over the first couple of years of its of
00:43:06 its enforcement so the question for a
00:43:11 lot of companies particularly those who
00:43:12 are doing marketing and and other sorts
00:43:16 of related activities where they're
00:43:18 aggregating and using information about
00:43:20 people is how much are they going to to
00:43:27 be able to really effectively use that
00:43:29 information because it could be that
00:43:32 what happens is that this throws certain
00:43:36 aspects of the marketing back to
00:43:38 effectively the 1990s before
00:43:41 personalization yeah so if and I'm I
00:43:45 pace fairly close attention of the stuff
00:43:48 but I don't feel like I've seen any of
00:43:50 the big internet advertising companies
00:43:53 for those out there that don't pay
00:43:55 attention to stock filings and SEC
00:43:57 filings for for publicly listed
00:43:59 companies they have a whole business
00:44:01 disclosure warning section and every
00:44:03 quarterly and annual filing where they
00:44:05 say hey there's a big risk to my
00:44:08 european-based revenue for my
00:44:10 personalized advertising platform as of
00:44:12 this date that GD P R goes into effect I
00:44:14 don't feel like I've seen companies
00:44:16 warning about this so it's interesting
00:44:19 to see I wonder what their their take is
00:44:21 or strategy on on how they believe
00:44:23 they're gonna mitigate it well the the
00:44:25 biggest companies have been working on
00:44:27 this for years already and it's starting
00:44:29 to bear fruit for example even just I
00:44:31 think in the past week or two Facebook
00:44:34 just rolled out and largely influenced
00:44:38 by the GD P are a whole new privacy
00:44:40 section of their their account controls
00:44:43 and it is focused upon the ability of
00:44:47 each person to know what is being done
00:44:50 with their data and to opt-in and
00:44:51 opt-out on various things and in a
00:44:54 fairly granular manner and it's a more
00:44:56 comprehensive look at the the way in
00:45:00 which facebook uses data and including
00:45:03 in some of their advertising then has
00:45:05 ever really been made made available
00:45:08 before yeah
00:45:09 Google's had the the Google privacy
00:45:11 manager for individuals to go in
00:45:14 interestingly enough you have to create
00:45:16 a Google account in order to be able to
00:45:19 manage your Google privacy so without a
00:45:22 Google account I'm not aware of an
00:45:24 online way you could manage your privacy
00:45:26 with them so I think that I'm not aware
00:45:30 of that either if I were to do wonder
00:45:35 about if I were to think about that it
00:45:36 was probably they would argue that if
00:45:39 you don't have an account then while
00:45:41 there may be incidental information
00:45:44 associated with they're scraping of the
00:45:46 web or other people mentioning you
00:45:49 that's actionable through existing
00:45:52 existing laws but unless you have some
00:45:55 sort of arrangement directly with them
00:45:58 they're not directly that they don't are
00:46:01 not identifying you and in such a way
00:46:03 that they could be covered by gdpr
00:46:05 yeah I'm not sure that that's their
00:46:07 rationale but I wouldn't be surprised
00:46:09 yeah this so this is interesting I guess
00:46:11 maybe and all the incumbents might view
00:46:12 that this is gonna affect everybody
00:46:14 equally so if people are still going to
00:46:19 advertise in Europe even if the
00:46:20 advertising is not as effective as it
00:46:22 was before this date the changes are
00:46:25 gonna impact everybody equally and
00:46:27 advertisers will continue to buy from
00:46:30 the ad platforms at the same dollar
00:46:32 amounts so or pound or euro amounts and
00:46:37 and with advertisers are still spending
00:46:39 the same then there is no risk to any of
00:46:42 the ad platforms based off of the
00:46:44 changes with gdpr
00:46:46 I think that the thing that people is
00:46:48 really getting people's attention are
00:46:50 the penalties yeah now the penalty
00:46:53 provisions for the GDP are are shall we
00:46:57 say robust yeah extreme it is it's four
00:47:02 percent of worldwide revenue or I think
00:47:05 20 million euros whichever is higher
00:47:07 yeah so when you think about that that's
00:47:11 a that's a pretty significant whack at
00:47:13 any company of any size yeah but if
00:47:17 you're if you're a Google who does
00:47:19 roughly a hundred billion dollars in
00:47:21 revenue to these days or Facebook that's
00:47:23 at
00:47:23 50 billion dollars in revenue that's a
00:47:26 fine of four billion dollars where I
00:47:29 believe Google's already paid a three
00:47:30 billion dollar fine to the EU so maybe
00:47:32 again back into normal course of
00:47:34 business yeah this is this see these
00:47:37 things are and that's not a one-time
00:47:39 fine you can be fine multiple times Oh
00:47:41 is there any frequency restriction and
00:47:44 then just find you on Tuesday find you
00:47:45 again on Thursday or is it annually I
00:47:47 don't know I don't know it'll be
00:47:49 interesting to see how that sorts out -
00:47:51 but it is enough that for companies that
00:47:55 are that are doing a lot of business and
00:47:58 know that they are international they
00:48:00 have been dealing with this for a long
00:48:02 time I think that there's a large second
00:48:06 tier of companies though that are who
00:48:12 are going to be covered by this or more
00:48:15 correctly are covered by this and don't
00:48:17 really realize it or aren't properly
00:48:20 appreciating it or aren't appreciating
00:48:22 the risk in not too long as these things
00:48:26 go one or more of those companies are
00:48:28 going to get whacked and at that point a
00:48:31 lot of companies in the United States
00:48:33 are going to get scared because they're
00:48:34 going to realize that they have exposure
00:48:37 that they didn't really properly deal
00:48:39 with and mitigate now this is something
00:48:43 that depending upon what your company is
00:48:47 and what your company does and maybe
00:48:49 something that you can deal with
00:48:50 relatively easily I think that for
00:48:54 anyone who's listening to this regularly
00:48:56 and adopting proper security measures
00:49:00 there is more ceremony associated with
00:49:03 with gdpr compliance then people are
00:49:07 probably regularly used to but that
00:49:10 doesn't mean that it is something that
00:49:12 people can't deal with particularly for
00:49:16 a lot of these companies the question is
00:49:18 if you're one of those ones who really
00:49:21 is dealing with this data and you
00:49:24 take proper precautions it can lead to
00:49:28 some some pretty serious issues this is
00:49:31 a topic that we could go on about for
00:49:34 many many hours so it's a interesting
00:49:37 one reach out to us on Facebook Follow
00:49:40 us on Twitter start a conversation and
00:49:42 continue it on through there and we can
00:49:44 keep talking about data privacy and
00:49:46 maybe we'll have van back for another
00:49:47 program here in the future
00:49:50 [Music]