Episode: 071
Title: General Data Protection Regulation (GDPR)
Aired: February 03, 2018
Featured Segments: General Data Protection Regulation (GDPR)
Synopsis:
Bret Piatt, CTR Host, and Van Lindberg, Dykema Cox Smith Attorney, discuss the General Data Protection Regulation (GDPR) and EU data privacy.
Photo: Bret Piatt (left), Van Lindberg (right)
Transcript:
00:00:02 From the dark web to your radio, Gotham, you were listening to Cyber Talk Radio on News 1200 WOAI. [Music]

00:00:18 Welcome to Cyber Talk Radio. I'm your host Bret Piatt, a 20-year internet security veteran. I'm joined by a former guest, and he's agreed to come back. We've got some exciting new stuff to talk about: European law, and you wonder why this matters with cybersecurity, but it's European data privacy, and we're gonna have a bit of a hypothetical discussion throughout the program today. Nothing here that's offered on this by myself, who's not an attorney, or by my guest Van Lindberg, who is an attorney, is legal advice. This is not legal advice; these are hypothetical discussions and some background on these new European data privacy rules. So Van, thank you for joining us today.

00:00:58 I'm happy to be here.

00:00:59 Yeah, so GDPR, what does this new acronym stand for?

00:01:03 It stands for the General Data Protection Regulation, which is designed to enable individuals to better control their own data and the way in which it's used by companies, both those who they directly work with and, this is where it reaches a lot more people, the companies that subcontract or work with other companies for the processing of that data.

00:01:26 Yeah, so if we rewind back in the world of EU data privacy, and EU being the European Union, it's somewhat different from like an American federal law where you have one government that passes the law that gets rolled out across all 50 states. In the EU you have a collective of nations where they've agreed to operate under this EU agreement, and they'll pass legislation, write laws at the European Union level across the group of nations there, and then they all roll it out individually into the country. So help our audience understand this: Safe Harbor, things that they may have heard about, Privacy Shield, GDPR, and just how does this flow throughout into the EU in general?

00:02:16 So I think the way to start is by thinking about the difference between the way Europeans think about personal privacy and think about the rights of citizens and consumers versus the United States. In the United States we have a long history of saying that almost anything goes when it comes to contract. While there are some restrictions on that that have been developed over years, in general we have a lot of freedom for almost any sort of business to go in and to deal with people and to deal with their information and to try and create value out of it, as long as there is proper notice, i.e. they're going to tell you more or less what they're going to do, and that there's some sort of exchange of value, you get some value out of whatever they're doing. By and large, US regulators have been hands-off.

00:03:19 So if I was a social network, and you as a consumer signed up for my social network and I collected all sorts of information about you so I could serve you very relevant advertisements, totally fair inside the US?

00:03:32 In general, absolutely. And this is important because this is largely the business model for the Internet: collecting information, packaging it up, slicing and dicing it, and making sure that you can provide relevant advertisements. Now this is true worldwide, but the EU takes a very different take on the rights of their citizens, and they've always been much more privacy focused than the United States. And so they used to have a lot of agreements between the United States and various countries in the EU focused on how you can make sure that EU citizens have the proper protections. And so for a long time we were under something called the Safe Harbor, which is that if you had a certain level of privacy protections underneath our laws and in your contracts, then you were okay to transfer information back and forth, and this enabled a lot of cross-border digital commerce, a lot of what they would call a processor versus a controller, people doing various stuff with the data in all sorts of different jurisdictions.

00:04:50 Yeah, if I was a US-based e-commerce company and I wanted to be able to ship product to people in Europe, and I wanted to have European citizens be able to sign up for my e-commerce service, share their information with me, and be able to purchase goods off of my website, I could do that with a Safe Harbor agreement?

00:05:10 That's right. You could also, even if you were a purely European company and you wanted to use a US credit card processor like Stripe, or you wanted to use a US backup company, or you wanted to use any sorts of underlying business service, you would also need these sorts of contractual provisions. You know, you also had things called model clauses, which were agreed-upon specific contractual language that had to be included word for word that governed some of the transfers between data. Well, a couple years back someone sued Facebook from Ireland where they said, you know what, this Safe Harbor is not sufficient to guarantee my rights as an EU citizen that everyone has agreed upon, and to a lot of people's surprise this person actually succeeded.

00:06:06 Yeah, so this went up to the European Court of Justice, which is kind of the equivalent of the European Supreme Court?

00:06:12 Yes, for these sorts of transnational issues, that's correct. And so this essentially invalidated a lot of this pre-existing Safe Harbor, and for a series of months there was a lot of uncertainty in terms of what could you do, because the existing legal framework for handling these sorts of transnational data transfers was that there wasn't anything.

00:06:40 Yeah, there effectively was not a digital trade agreement between even countries in the EU and each other on how they should handle it, if I was France and I was storing German citizen data or vice versa, or even outside the EU to the US or other places. Yeah, so we sat in limbo here until this U.S.-
EU Privacy Shield was drafted and then put into law.

00:07:02 Exactly, and the Privacy Shield is a little bit different, a little bit more stringent, but it puts in place some of the same types of arrangements. But all that was really a preface to the GDPR, which was negotiated over a series of years. It was ratified in early 2016 and is going to be effective throughout the EU on May 25th, I believe, of this year, of 2018. And that is a big day because already a number of these data protection authorities are starting to either prepare companies for the ways in which they are going to enforce it, or they've started writing regulations that are preparatory for the enforcement of the GDPR, and this is a very big deal for anyone who does business, even indirectly, with a citizen of the EU.

00:08:00 Yes, and then this is some of the difference between Europe and the US on this. In the US, if a federal law gets passed, typically federal rules are written and there's a federal agency that would enforce it. So we just passed a major tax overhaul here; the IRS is a federal agency, they're gonna write rules about that, and the IRS will be responsible for enforcement of that new tax bill. Where in the EU, my understanding is the EU drafts this GDPR law and then each country has its own enforcement agency that's going to go handle the enforcement. That'd be the equivalent of, I guess, in the US the feds drafting something and then a state drafting their own rules and having their own enforcement agency for it.

00:08:48 That's right. The EU has this interesting point-counterpoint, this push both for centralization and for individual sovereignty, and that results in sometimes you get a push toward more centralization, and sometimes you have various countries saying, well, we really want to have the final say on how this applies to our citizens. And so where the original legislation was drafted so there would be a single GDPR enforcement authority, that's not where it ended up, for reasons of sovereignty. There may be a lead GDPR enforcement agency, and other agencies are supposed to follow their lead or take the things that they say and implement them, but you really need to deal with each individual enforcement agency, and who you may be dealing with ends up being a country-specific matter.

00:09:48 Yeah, so folks have had a couple of years now to look at GDPR and look and see where and how this is gonna be set up and enforced. So with this time and background, and with this, I think, still for most US-based business owners a fairly new topic to them to think about, so if I'm over here in the US, why would this be relevant to me?

00:10:18 To a first approximation, if you either do business with... and where it's available worldwide, even incidentally, or you do business with people who do business worldwide, even incidentally, then as written the scope of the GDPR applies to you. Because it is not about where your company is, and it's not about where you do business or where you are organized; because it is designed to be tied to the rights of European Union citizens, it is actually about who your customers or your customers' customers are. If you end up doing business with someone in the EU, then the GDPR applies to that; it applies to you because of that transaction. Or if you are a service provider just to someone who does or potentially does business within the EU, again it's going to apply to you at least to some extent. So to a first approximation, if you are a company that has business over the internet or has significant commercial contracts, you need to be thinking about the GDPR.

00:11:32 Yeah, and you're listening to 1200 WOAI. This is Cyber Talk Radio and we're talking about EU data privacy on this program. I'm joined by Van Lindberg, who's an attorney here in San Antonio and one who reads up on this, and as attorneys will say, they're always practicing, they're always learning more, so I might call him an expert; he may not call himself an expert yet, but I think between the two of us we know enough about this, hopefully, where I can ask some good questions and we can have some insightful discussion. If you are just joining us on air right now during the broadcast, you can listen to this in full, if you're not able to stay around during the evening, on iTunes Podcasts or Pocket Casts or any other podcasting service across the internet. We also have a YouTube channel as well as a Facebook and a Twitter page for Cyber Talk Radio; we post up the rebroadcast and replays every Tuesday after our episodes air on Saturday evenings. So Van had gone through and given kind of the background of how we arrived at GDPR from Safe Harbor and Privacy Shield and the background on where the EU was organized. So now I'm here in the US, I'm a business, let's say I mean I make t-shirts, and I'm making t-shirts and I'm selling them on my own e-commerce website, and I have people come in that are EU citizens. I assume they might be because they're ordering with a European credit card and they have a European address that I'm shipping this out to. So as a t-shirt maker, what am I gonna need to think about this GDPR? Maybe because I'm gonna store a list of all of my customers in my system, and I'm pretty sure they're consumers because maybe I'm making band t-shirts or other things where these are orders going to individuals, not orders going to businesses over there.

00:13:25 So in that case you definitely are... any information that you're holding that can be used to identify somebody is going to come under the scope of the GDPR, and you are going to be required to manage it and comply with GDPR processes and rules in terms of how you hold it and what you do with it. And you're going to need to be a little bit more explicit in terms of your agreements, with what you say to your various customers. Say for example you've got information associated with people: people's size, their address, some of their, I don't know, various personal information. You're already going to need to apply certain sorts of protections associated with protecting the financial data; a lot of times people think of the PCI compliance that's focused on preventing fraud, preventing the loss of the credit card information. To a first approximation, you're going to need to have a lot of those same or even more stringent things associated with the protection of the identities and the information that can be used to identify the particular people who are in your database.

00:14:48 Yeah, no, I mean the one that I've been reading about on this that most folks are a little bit up in arms about is this right to be forgotten, which is tied to GDPR but is also maybe even some of the individual countries in Europe have written some individual laws about this. Can you explain this concept about the right to be forgotten, and what if I got that notice from an EU individual citizen that said, forget me out of your system, wipe all of my records out in your system, what am I gonna have to do there as a business? Hey, I'm that t-shirt manufacturer, still screen printing shop.

00:15:28 So this again comes from the EU perspective of the ultimate right of consumers to control the use of their data, and it came out especially when people had various unflattering things that were posted about them on the Internet, and one of the rights that was recognized by various countries and is now roughly enshrined into the GDPR is this ability to say I want those negative things about me to be taken off the internet, and it doesn't really matter who is holding them; it really matters that they are about me, and because they are about me I have certain rights to that information, in particular the right to have it not be disseminated, because this is really about the dissemination and the manifestation of information. This has been broadly called the right to be forgotten, and it really came up frequently in the
context of either social media or website search engines especially. But then people said, you know what, I can see that you comply, you removed the particular link, but you can still see it elsewhere, other places, or you still have a cached copy. And so the courts went a little bit further and they said, well, what about backups and cached copies and all sorts of things, and it has evolved into a fairly substantial right for certain people to go back and say remove me from all of your systems. Now if you're the t-shirt manufacturer, that's probably going to be easier to do because you've got a list of customers. What you can do is you can say delete that particular customer, alternatively zero out their information and replace it with your dummy, you know, deleted information if that's what's required by your database, for example.

00:17:35 Yeah, and if, let's say though, I'd say I have relatives over in Europe that are European citizens and I'm the customer, and I shipped a t-shirt to that person in Europe. So you might have, like even the t-shirt manufacturer may be able to look at their customer database, all of their shipping destinations, which might not even be their customer, and they're gonna have some second-order information. But if you're a social network, this gets much more complicated.

00:18:00 That's right, and the right to be forgotten is not absolute. It depends upon for what reason you originally had the need to collect the information. For example, there's an absolute right to opt out of direct marketing, but the organizations may continue to process data if the data remains necessary for the purposes for which it was originally collected, and this is one of the things that is going to be most useful for, for example, backups as opposed to a cache. If you have a need to maintain business integrity or auditability and that is the reason for which certain information was collected, then as long as you don't expose that information, that's one way in which the right to be forgotten may not require you to actually restore all your backups and delete that individual person.

00:19:03 Well, on that t-shirt example, so if I collected their information initially so I could process a purchase, and then I kept their shipping address because that was required to send them the t-shirt, under the right to be forgotten do I not have to forget them, maybe? So this is where this all seems like a really complicated gray area to a non-attorney here.

00:19:21 I think that even for a lot of attorneys it's still a complicated gray area.

00:19:26 Okay, that's good.

00:19:28 I think that a lot of what people are saying is that it depends upon the purpose. For example, let's say that when someone signed up for your t-shirt, you also collected a little thing that said, and you can send me periodic marketing about future t-shirt sales. Probably you would need to, if someone said I would like you to stop that; they have an absolute right to opt out of that sort of marketing. On the other hand, if what you need to do on an ongoing basis is make sure that you did not have a fraudulent transaction, and so you need to maintain certain records about actual purchases that they made, well then again you may be able to maintain those for that legitimate purpose, especially if that was provided to them at the time of purchase.

00:20:31 Yeah, and this is interesting, is in the US I think, as most folks that do digital marketing are aware of, what's called the CAN-SPAM Act and requirements around allowing for opt-out on email there, and different restrictions on where and how you can collect email addresses, and the GDPR doesn't exactly align with it, so the EU is a lot more stringent?

00:20:56 Yeah, it's much more stringent, and set up in different ways, so you end up with organizations having to incur a significant amount of overhead in order to set up business systems to handle one set of regulations or another set of regulations.

00:21:13 And even in the US we have a little bit of this: California has different data privacy laws than the rest of the country, they have some more stringent laws; Massachusetts is another state with some pretty stringent data privacy laws for residents of those states. So in the US we're not immune to creating regulatory conflict either. But I mean from a small business perspective this all seems pretty overwhelming.

00:21:38 I think that for a lot of businesses, particularly if you are dealing with stuff like the t-shirt example, there are ways in which you need to think about this; it needs to be on your radar. Where it becomes a lot more difficult is if you're starting to deal with either social networking or marketing, where your business is people to a certain extent. When you go there you've got a lot thornier issues that are going to take a lot more time to work out.

00:22:14 Yeah, and so as we dive into this some more after the break we can talk some hypotheticals on the enforcement side, and just a little bit of a teaser lead-in: if I was China, I have some pretty clear ways to enforce my laws on the Internet on companies that operate servers outside China. I've got the Great Firewall and I can control access to those systems for my citizens. Russia's got some similar things; some other countries have done certain things to control access to the internet from their citizens and control businesses being able to go into and operate inside of those countries. The EU doesn't have anything like this, and I'm not aware of any EU member state right now that has any sort of border-level internet filters to handle a US-based Internet operation and to block their citizens from connecting out to it.

00:23:11 I'm not aware of anything like that either. I think that that would actually be contrary to some of the agreements that they've got, especially either with the US or inside the EU. But what they've done is they effectively have what we'd call in the US a long-arm statute that says if you're going to transact with our citizens then you have availed yourself of our laws and our protection, which means that even if you're someplace else, our laws apply.

00:23:43 Yeah, now, and it's an interesting one: the US gets beat up about that. It's like we've done on the tax bill and the tax changes here; the US was the only major country that taxed foreign income. Before now that's sort of getting undone and unwound, while the EU is actually sort of creating foreign privacy oversight on people that operate around the whole world if you want to interact with the citizens over the Internet. So we've got tax things going one way and we've got privacy legislation going the other. You're listening to 1200 WOAI, this is Cyber Talk Radio. We're going to go ahead and take a quick break here for the news, traffic and weather update at the bottom of the hour, and I will be back with Van Lindberg while we will continue talking about data privacy and how that affects your business here in the US when you're interacting with European citizens. [Music]

00:25:10 Welcome back to Cyber Talk Radio. I'm your host Bret Piatt, a twenty-year Internet and security veteran, joined this week by Van Lindberg. We're talking about data privacy laws, specifically as they relate to the European Union and the new GDPR, which is gonna go into effect a little bit later this summer. In this segment of the program we're gonna
dive into some of 00:25:33 the different terms if you've not heard 00:25:35 of a controller or a custodian or a 00:25:37 processor before and you do business 00:25:40 with Europe or if you have customers 00:25:42 that do business with Europe stay tuned 00:25:44 and learn more about this and how it 00:25:45 will impact your business and what you 00:25:48 need to be thinking about when you're 00:25:49 storing information on a European 00:25:51 citizen so man thanks again for joining 00:25:54 us this week to talk about this topic 00:25:57 and it's one in the cyber security world 00:25:59 we're often so much talking about 00:26:01 hackers and the rest of these things but 00:26:03 much of cyber security really ties in to 00:26:06 data privacy and the custody of 00:26:07 information and how you track and 00:26:09 control and allow access to and then 00:26:13 what you ultimately decide to do with 00:26:15 that information under the different 00:26:16 laws as well yeah it's interesting that 00:26:19 you that you talk about the hackers and 00:26:23 and the misuse of information to a 00:26:26 certain extent a lot of this was 00:26:27 designed to to kind to help various 00:26:32 citizens deal with that issue I mean it 00:26:35 also has a lot of restrictions upon what 00:26:39 commercial entities can do with your 00:26:40 data but there are significant 00:26:42 protections associated with not having 00:26:45 your identity stolen and not having your 00:26:48 your information X Y or your information 00:26:53 exfiltrated by various people who who'd 00:26:56 want to do you harm yeah 00:26:58 so as we go through this and when we're 00:27:02 talking about data privacy let's go 00:27:05 through some of the terms that help 00:27:08 people understand in data privacy what 00:27:11 does this mean 00:27:12 so as a you have a citizen there the 00:27:15 user this is the one who has that 00:27:17 personally identifiable information and 00:27:19 then you're sharing it with businesses 00:27:21 
and those businesses have different role 00:27:23 that's right so then the number one 00:27:27 thing that you want to talk about is 00:27:28 this idea of between a controller and a 00:27:31 processor now companies may be 00:27:35 controllers for some for some types of 00:27:37 data and for some purposes and 00:27:38 processors for others now the way to 00:27:41 think about it is to go back to the 00:27:44 underlying your in your sense of what 00:27:47 those words mean 00:27:48 a controller is someone who's going to 00:27:50 be making the decisions about what 00:27:53 happens with the data they're the ones 00:27:55 who have the the business need they're 00:27:58 the ones who are frequently interacting 00:28:01 with the in interacting with the the 00:28:04 data or sometimes with the customer 00:28:06 itself although you can have 00:28:08 subsidiaries who are also controllers 00:28:10 the primary thing to think about if 00:28:12 you're a controller is are you making 00:28:15 the decisions about what happens with 00:28:17 the data a processor is someone who does 00:28:24 something with the data stores it and 00:28:28 restores it you know correlates it does 00:28:31 whatever does whatever with it under the 00:28:35 direction of a controller so for example 00:28:39 if you are let's say if I was an email 00:28:44 provider and I and my customer is the 00:28:47 controller of their email INBOX and 00:28:50 there are the control of their email 00:28:51 domain they decide which email normally 00:28:54 to keep and not keep which email they're 00:28:56 gonna delete and how they manage all 00:28:57 that information inside that email INBOX 00:28:59 oh you're saying they they control it 00:29:01 but again anyone anytime you've got a 00:29:05 you've you've got EU citizens they're 00:29:08 going to be in the role of user yeah and 00:29:11 so even if they have some sort of 00:29:14 control what you're talking about is 00:29:16 extending their control that doesn't 00:29:18 make them 
the controller that means that 00:29:19 they're the ones that have the right a 00:29:21 right of control that is going to be 00:29:25 enforced through the controller through 00:29:27 the processors so in that sort of 00:29:29 situation probably the primary 00:29:32 controller is going to be the is going 00:29:36 to be the email service 00:29:38 because they're the ones that are making 00:29:39 decisions about how that how that varies 00:29:43 how that data is going to be used and 00:29:45 managed in the context of the email 00:29:47 system yeah so let's I mean take this 00:29:49 out to a hypothetical here this sounds 00:29:51 kind of complicated for maybe an email 00:29:54 provider but if I was an EU citizen 00:29:57 could I email or could I send notice to 00:29:59 an email provider saying I don't want my 00:30:02 personal information transmitted by your 00:30:04 email platform by anybody so I'm 00:30:06 revoking your rights to transmit my 00:30:08 personal information to and from anyone 00:30:10 on your email platform so I think that 00:30:16 that what you can't see is me squirming 00:30:22 right here because I don't think that it 00:30:25 is it ends up being as cut-and-dry 00:30:27 because what you're asking implicitly is 00:30:31 how can the to control the actions of 00:30:37 third parties now what you can control 00:30:40 is the ability to represent or represent 00:30:45 that data or have it available but I I 00:30:50 don't think that there's any reasonable 00:30:52 way to say no one is someone mentions 00:30:55 Bret Pyatt in an email we're not 00:30:59 delivering that email sorry I mean it's 00:31:01 it's like as you get into spam filtering 00:31:03 and email filtering an email content 00:31:05 filtering it does is this gonna require 00:31:08 email providers to go all the way out to 00:31:11 the macro level of their whole system 00:31:12 and that they won't receive or send 00:31:15 email that contains information about an 00:31:18 individual EU citizen that 
says "I don't 00:31:19 want my information transmitted via 00:31:21 email"? I think what you need to do is you 00:31:24 need to step back and say, what is the 00:31:25 role of the company that you are 00:31:28 addressing? And you need to say, in 00:31:32 the realm in which you control data and 00:31:35 what you are a controller of, that's the 00:31:37 realm in which you have the right to 00:31:39 absolutely ask them to respect and to 00:31:43 not have anything to do with your 00:31:44 private data. So for example, you can ask 00:31:48 that your own personal 00:31:51 information be deleted, and that it be finally 00:31:54 deleted. I think that that is going to be, 00:31:57 yeah, that will definitely come 00:32:01 in the realm of the sorts of things that 00:32:02 will be required. Can 00:32:06 you require that any sort of secondary 00:32:09 service providers that were taking 00:32:13 information that included your 00:32:15 information, that they remove it, 00:32:17 particularly if that was going to be used 00:32:18 for an advertising or targeting 00:32:23 purpose? Probably. Can you say, I want you 00:32:27 to proactively filter any 00:32:32 email where someone talks about me and 00:32:34 remove that? I don't think that you can 00:32:37 say that, although I can see why you're 00:32:39 asking that question, because of the 00:32:41 broader context of, hey, what about caches 00:32:45 of information where people were saying 00:32:47 negative things about me online, you know, 00:32:49 and the requirement to remove that. I 00:32:52 think that the difference is between 00:32:56 private communication and public 00:32:59 communication. In a public communication, 00:33:01 for example in the search engine 00:33:04 sense, you know, I think 00:33:07 various people have been successful in 00:33:09 getting courts to say, no, you must delist 00:33:13 that information, and other copies of 00:33:16 that information and caches of that
00:33:17 information. Yeah, hence the dark web now, 00:33:20 where there's all this information 00:33:22 that's out there on the internet that's 00:33:23 no longer indexed by major 00:33:25 search engines. But I think that the 00:33:27 public nature of that information is 00:33:31 part of what makes that enforceable. I 00:33:35 don't think that 00:33:37 even the European courts would ever get 00:33:39 to the place where there's a prior 00:33:41 restraint on individuals' right 00:33:44 to express themselves in a private form. 00:33:46 Yeah, and this is an interesting 00:33:48 gray area, and that email provider, they 00:33:50 may come back and say, you know what, I'm 00:33:51 not actually the controller, I'm only the 00:33:53 processor here. My customers are the 00:33:55 controllers, I don't control what they 00:33:57 send and receive, I stay out of that, I 00:33:59 just provide them a mailbox and I 00:34:01 provide them a delivery platform. So 00:34:04 yeah, it's gonna be interesting to see 00:34:06 how this all sorts out, and I think 00:34:08 you'll see different companies take 00:34:09 different stances here on how they view 00:34:11 it. I think that that's absolutely true. 00:34:14 Part of what I'm thinking through here 00:34:16 is you always want to go to 00:34:22 the place where you think about how are 00:34:25 the regulators, how are the judges 00:34:28 going to think through this issue. Yeah. 00:34:30 And so the fact that you can make an 00:34:32 argument, you have to filter that through 00:34:34 how likely is that argument to be 00:34:36 accepted, and the experience that 00:34:41 various companies have had with the 00:34:44 European courts is that, unlike the U.S.,
00:34:47 and this goes back to some 00:34:50 of the differences between the way 00:34:53 EU courts and US courts have addressed 00:34:56 this historically, you know, is that for 00:34:59 purposes of data protection and 00:35:02 protection of privacy, the EU courts have 00:35:06 not shied away from finding some sort of 00:35:09 responsibility, even when 00:35:13 companies have tried to distance 00:35:15 themselves from 00:35:20 some sorts of responsibility in order to 00:35:23 try and make the regulatory boat run a 00:35:25 little lighter. Yeah, so let's go into 00:35:28 another area here. So the email provider, 00:35:30 I think, creates a great gray area on how 00:35:32 to think about that one. Let's say I say 00:35:34 my business is an information broker. So 00:35:36 in the US there's tons of these. You can 00:35:39 go online, you can say I'd 00:35:41 like to buy information about 20,000 00:35:45 residents of San Antonio within this 00:35:48 age range and this income 00:35:50 level, and I can go online and I can buy 00:35:52 name, address, phone number, email address, 00:35:54 how many years they've lived at the 00:35:56 address. I can buy all sorts of 00:35:57 information about US citizens. If I'm an 00:36:00 EU citizen, let's say I also happen to be 00:36:02 in that database, and I send a request to 00:36:05 this information broker saying remove me 00:36:07 from your system, how does GDPR look at 00:36:13 that request coming in from an EU 00:36:16 citizen? 00:36:17 I think that they're going to be very 00:36:19 generous in terms of their, a court would 00:36:22 be very generous in terms of their 00:36:24 expansive view of what sorts of 00:36:26 protections are going to be given to the 00:36:29 EU citizen. Let me give an example of 00:36:32 that in terms of ways in which this is 00:36:35 really going to concretely affect 00:36:36 various businesses. Companies regularly 00:36:40 engage in different sorts of
processing, 00:36:44 different sorts of business ideas, 00:36:48 with customer data, and in the U.S. 00:36:52 you frequently have some sort of 00:36:53 thing that says we may from time to time 00:36:55 engage with some of our partners to 00:36:57 offer you better goods or services. Yes. 00:37:01 What that means in English, my 00:37:04 understanding as the non-attorney, is 00:37:05 that we're gonna share your information 00:37:07 with other people that might want to 00:37:08 sell you stuff. Yes, and they're not 00:37:11 really limited, at least under US law, 00:37:16 as long as they say that and it's 00:37:18 somewhere in the checkbox. It reads as a big 00:37:21 tent. Yes, 00:37:22 there are lots of things that they can 00:37:23 do. For the GDPR you have to get 00:37:28 explicit, knowing consent for each 00:37:32 separate type of information processing, 00:37:37 affiliate processing or affiliate 00:37:39 transaction or related party transaction, 00:37:42 and it's not just, hey, we're 00:37:45 listing all the different types of 00:37:48 things that we do. It is that you need 00:37:51 to have explicit affirmative consent: all 00:37:54 right, we are putting right in front of 00:37:56 your face, this is the thing that we're 00:37:58 going to do and this is how we want to 00:38:00 sell to you, is that okay? Check yes. 00:38:03 Here's another way in which we'd 00:38:05 explicitly like to sell to you, is that 00:38:07 okay? 00:38:08 Check yes. I mean, there's going to be, I 00:38:10 think almost anyone has run into the 00:38:13 little cookie banner, "this site uses cookies, 00:38:16 you know, to do whatever, read more or 00:38:19 click okay." Even that, a lot of people are 00:38:23 saying, expect not just more of that 00:38:25 but things that are much more, I don't 00:38:29 necessarily want to say 00:38:30 intrusive, because it's not about 00:38:35 intruding on the process, but it is about 00:38:37 putting a knowledge barrier about 00:38:40 what this company is
going to do with 00:38:43 your data and making sure that you are 00:38:46 affirmatively agreeing to it. Yeah, 00:38:48 is this if you're keeping uniquely 00:38:52 identified information that's tied back 00:38:53 to PII, or is this just if, let's say, you 00:38:56 were even just keeping a cookie? You knew 00:38:58 this cookie was coming from some person 00:39:00 in Europe that was browsing to your 00:39:02 website from a European location. You 00:39:05 don't know if they're a European citizen 00:39:06 or not, so there could be a U.S. 00:39:09 person over there on vacation. Are you 00:39:11 gonna be responsible for asking for 00:39:14 explicit permission in that kind of 00:39:16 cookie world, or only where you're tying 00:39:18 it to a specific EU citizen, where you 00:39:20 have direct knowledge that they are an EU 00:39:22 citizen? If 00:39:25 the information could be used to identify an 00:39:27 EU citizen, then these sorts of things 00:39:30 apply. Now again, that's a gray 00:39:33 area, whether an anonymous cookie, 00:39:36 where you come in and you don't 00:39:38 have essentially any necessary 00:39:41 relationship, can be tied in. But I think 00:39:43 as soon as you start correlating 00:39:45 information across multiple websites 00:39:47 or across multiple cookies, as most ad 00:39:51 networks do, I think that the 00:39:55 chance that you can use it to 00:39:56 de-identify data, or essentially come to 00:40:00 a knowledge of who that EU citizen is, 00:40:04 even if it is not exact knowledge. Like 00:40:06 this is, you know, someone in Ireland that 00:40:10 we believe is between the ages of 30 and 00:40:14 45, that lives in 00:40:16 Cork based off of their shopping habits, 00:40:18 and they have browsed from that location 00:40:21 in Cork for the last three years, so they 00:40:24 either live in Ireland, which might make 00:40:26 them a pretty good chance to be an Irish 00:40:27 citizen, or are a long-term worker over
00:40:30 there. That type of thing, where you start to 00:40:32 get to this belief that someone 00:40:35 reasonable would say, yeah, that's 00:40:36 probably a European citizen. That's right. 00:40:38 It doesn't need to be "this is Sean 00:40:41 O'Malley," it can be "this 00:40:43 is someone who is probably in 00:40:46 there." They have a right to have their 00:40:47 information protected. Yeah, so as a 00:40:49 business right now I can go in on a lot 00:40:52 of these ad platforms, and if I wanted to 00:40:54 advertise to people that were age thirty 00:40:56 to forty-five that have lived in Cork, 00:40:59 Ireland for more than three years, I can 00:41:01 select that as an advertising target 00:41:04 category across a whole broad number of 00:41:06 advertising platforms. Is this gonna 00:41:09 potentially affect that, or is it going 00:41:10 to be on the individual Sean O'Malleys 00:41:12 of the world to individually go submit 00:41:15 to each of these advertising platforms 00:41:17 saying stop tracking me? So the 00:41:22 default rules under GDPR are opt-in. 00:41:24 Yeah, so what happens 00:41:27 with things before this summer's effective 00:41:30 date? So if all these platforms have 00:41:32 already collected all this information, 00:41:33 do they have to go back and get 00:41:35 permission, or do they get to keep all 00:41:37 the information they had? We've now 00:41:38 created an incumbent wall or barrier for 00:41:41 new people entering the world. You're 00:41:43 going to have the same, it doesn't matter 00:41:45 if you collected the information 00:41:46 beforehand or later, you're going to have 00:41:49 the same sorts of 00:41:53 requirements in terms of your ability to 00:41:55 use or to process that information, or 00:41:58 use it to target, as soon as the GDPR 00:42:02 comes in and starts to apply. It doesn't 00:42:05 matter that you collected it beforehand. 00:42:06 There's no grandfathering in of 00:42:10 existing data. So
potentially, so this 00:42:12 potentially creates a blank slate then. 00:42:15 Everyone has to, as of the effective date 00:42:17 of this, everyone has to go back and get 00:42:19 permission from every EU citizen to use 00:42:21 their data for any, especially on the 00:42:23 marketing side of things, for any 00:42:25 marketing purposes. They're gonna have to 00:42:26 go back and re-obtain permission from 00:42:30 everyone, so all of the incumbent 00:42:32 advantages are potentially wiped out then as 00:42:34 of this date. That's the worry for a lot 00:42:38 of people. And one of the things to 00:42:41 realize is that while the GDPR itself, 00:42:44 the text, has been known for a 00:42:47 couple of years, some of the ways in 00:42:51 which it is going to be enforced have only 00:42:54 been developed, 00:42:56 made known and developed, relatively 00:42:58 recently, and there's going to be a lot 00:43:00 of interpretation that is going to occur 00:43:03 over the first couple of years of 00:43:06 its enforcement. So the question for a 00:43:11 lot of companies, particularly those who 00:43:12 are doing marketing and other sorts 00:43:16 of related activities where they're 00:43:18 aggregating and using information about 00:43:20 people, is how much are they going to 00:43:27 be able to really effectively use that 00:43:29 information, because it could be that 00:43:32 what happens is that this throws certain 00:43:36 aspects of the marketing back to 00:43:38 effectively the 1990s, before 00:43:41 personalization. Yeah, so, and I 00:43:45 pay fairly close attention to this stuff, 00:43:48 but I don't feel like I've seen any of 00:43:50 the big internet advertising companies, 00:43:53 for those out there that don't pay 00:43:55 attention to stock filings and SEC 00:43:57 filings for publicly listed 00:43:59 companies, they have a whole business 00:44:01 disclosure warning section in every 00:44:03 quarterly and annual filing where they 00:44:05 say, hey, there's a
big risk to my 00:44:08 European-based revenue for my 00:44:10 personalized advertising platform as of 00:44:12 this date that GDPR goes into effect. I 00:44:14 don't feel like I've seen companies 00:44:16 warning about this, so it's interesting 00:44:19 to see. I wonder what their take is 00:44:21 or strategy on how they believe 00:44:23 they're gonna mitigate it. Well, the 00:44:25 biggest companies have been working on 00:44:27 this for years already and it's starting 00:44:29 to bear fruit. For example, even just, I 00:44:31 think in the past week or two, Facebook 00:44:34 just rolled out, and largely influenced 00:44:38 by the GDPR, a whole new privacy 00:44:40 section of their account controls, 00:44:43 and it is focused upon the ability of 00:44:47 each person to know what is being done 00:44:50 with their data and to opt in and 00:44:51 opt out on various things, and in a 00:44:54 fairly granular manner, and it's a more 00:44:56 comprehensive look at the way in 00:45:00 which Facebook uses data, including 00:45:03 in some of their advertising, than has 00:45:05 ever really been made available 00:45:08 before. Yeah, 00:45:09 Google's had the Google privacy 00:45:11 manager for individuals to go in. 00:45:14 Interestingly enough, you have to create 00:45:16 a Google account in order to be able to 00:45:19 manage your Google privacy, so without a 00:45:22 Google account I'm not aware of an 00:45:24 online way you could manage your privacy 00:45:26 with them. So I think that, I'm not aware 00:45:30 of that either. If I were to wonder 00:45:35 about, if I were to think about that, it 00:45:36 was probably, they would argue that if 00:45:39 you don't have an account then, while 00:45:41 there may be incidental information 00:45:44 associated with their scraping of the 00:45:46 web or other people mentioning you, 00:45:49 that's actionable through 00:45:52 existing laws, but unless you have some 00:45:55 sort of arrangement directly with
them, 00:45:58 they're not directly, they are 00:46:01 not identifying you in such a way 00:46:03 that they could be covered by GDPR. 00:46:05 Yeah, I'm not sure that that's their 00:46:07 rationale, but I wouldn't be surprised. 00:46:09 Yeah, so this is interesting. I guess 00:46:11 maybe all the incumbents might view 00:46:12 that this is gonna affect everybody 00:46:14 equally, so if people are still going to 00:46:19 advertise in Europe, even if the 00:46:20 advertising is not as effective as it 00:46:22 was before this date, the changes are 00:46:25 gonna impact everybody equally, and 00:46:27 advertisers will continue to buy from 00:46:30 the ad platforms at the same dollar 00:46:32 amounts, or pound or euro amounts, and 00:46:37 if advertisers are still spending 00:46:39 the same then there is no risk to any of 00:46:42 the ad platforms based off of the 00:46:44 changes with GDPR. 00:46:46 I think that the thing that is 00:46:48 really getting people's attention is 00:46:50 the penalties. Yeah. Now the penalty 00:46:53 provisions for the GDPR are, shall we 00:46:57 say, robust. Yeah, extreme. It's four 00:47:02 percent of worldwide revenue or, I think, 00:47:05 20 million euros, whichever is higher. 00:47:07 Yeah, so when you think about that, that's 00:47:11 a pretty significant whack at 00:47:13 any company of any size. Yeah, but if 00:47:17 you're a Google, who does 00:47:19 roughly a hundred billion dollars in 00:47:21 revenue these days, or Facebook that's 00:47:23 at 00:47:23 50 billion dollars in revenue, that's a 00:47:26 fine of four billion dollars, where I 00:47:29 believe Google's already paid a three 00:47:30 billion dollar fine to the EU, so maybe 00:47:32 again back into the normal course of 00:47:34 business. Yeah, these 00:47:37 things are, and that's not a one-time 00:47:39 fine, you can be fined multiple times. Oh, 00:47:41 is there any frequency restriction, or can they 00:47:44 just fine you on
Tuesday, fine you 00:47:45 again on Thursday, or is it annually? I 00:47:47 don't know. I don't know, it'll be 00:47:49 interesting to see how that sorts out too, 00:47:51 but it is enough that for companies that 00:47:55 are doing a lot of business and 00:47:58 know that they are international, they 00:48:00 have been dealing with this for a long 00:48:02 time. I think that there's a large second 00:48:06 tier of companies, though, who 00:48:12 are going to be covered by this, or more 00:48:15 correctly are covered by this, and don't 00:48:17 really realize it, or aren't properly 00:48:20 appreciating it, or aren't appreciating 00:48:22 the risk. In not too long, as these things 00:48:26 go, one or more of those companies are 00:48:28 going to get whacked, and at that point a 00:48:31 lot of companies in the United States 00:48:33 are going to get scared because they're 00:48:34 going to realize that they have exposure 00:48:37 that they didn't really properly deal 00:48:39 with and mitigate. Now this is something 00:48:43 that, depending upon what your company is 00:48:47 and what your company does, may be 00:48:49 something that you can deal with 00:48:50 relatively easily. I think that for 00:48:54 anyone who's listening to this regularly 00:48:56 and adopting proper security measures, 00:49:00 there is more ceremony associated 00:49:03 with GDPR compliance than people are 00:49:07 probably regularly used to, but that 00:49:10 doesn't mean that it is something that 00:49:12 people can't deal with. Particularly for 00:49:16 a lot of these companies, the question is, 00:49:18 if you're one of those ones who really 00:49:21 is dealing with this data and you 00:49:24 take proper precautions, it can lead to 00:49:28 some pretty serious issues. This is 00:49:31 a topic that we could go on about for 00:49:34 many, many hours, so it's an interesting 00:49:37 one. Reach out to us on Facebook, follow 00:49:40 us on Twitter, start a conversation and 00:49:42 continue it on
through there, and we can 00:49:44 keep talking about data privacy, and 00:49:46 maybe we'll have Van back for another 00:49:47 program here in the future. 00:49:50 [Music]