GDPR Innovation Briefing

Presentation Transcript
Martin Abrams Martin Abrams
Executive Director & Chief Strategist
Information Accountability Foundation (IAF)
Wojciech Wiewiórowski Wojciech Wiewiórowski
Assistant Supervisor
European Data Protection Supervisor (EDPS)
Hilary Wandall Hilary Wandall
General Counsel & Chief Data Governance Officer
Gary LaFever Gary LaFever
Chief Executive Officer
Gary LaFever Gary LaFever (Anonos):
[00:06] Hi. Thank you for everyone. We appreciate you joining this GDPR Innovation Briefing. We have a very impressive host of panelists, and I know you're here to listen to them speak and answer questions that you have already proposed or will during the event. So we'll get started.

[00:24] First off, I'd like to note that the idea for this briefing came about at a recent Health Privacy Summit in Washington DC where people were talking about: “Wouldn't it be great if the kind of innovation and breakthrough that people hoped for in healthcare were possible because HIPAA was more like the GDPR and that the GDPR had more of a controlled means of sharing information, respecting both the fundamental rights of individuals either data subjects or patients as well as the rights and needs of society to make greater use of that information.”

[00:58] And it was interesting because we had never heard of the GDPR talked about in that light. And so, that's why we've assembled this group to talk about how the GDPR could actually significantly advance innovation by having controlled use of information. Typically, companies look at the GDPR from one of two perspectives, and some background information was provided to you that goes into more detail on this. First is they see that the GDPR has lots of innovation, lots of data, and they can't make use of it. And therefore, they kind of see this as an impingement on their rights. And secondly, it's shocking to me still the number of companies that have not yet prepared for and even the projected number of those companies that will not be ready for the GDPR.

[01:40] And it's as if they think it's optional and it's not. Like any other law, it's a regulatory requirement that must be complied with. And in fact, they're disregarding the rights of their customers, of their data subjects, of their patients. And that's not what you would think a good data steward would do. And so, those two options of either not being able to use your data or ignoring the rights of your data subjects seemed like two untenable options at two ends of the extreme. But there's a third option and that's what we're really here to talk about today. And that is the capability of using data for even more purposes under controlled conditions. So, with that, I would like to introduce very briefly and give you some background on our panelists.

[02:16] We're going to start with Marty Abrams. Marty is the Executive Director and Chief Strategist for The Information Accountability Foundation (IAF). He has over 35 years of experience as an information and consumer policy innovator. His work is generally in new laws and regulatory guidance, and in jurisdictions that span from Asia, across Europe, and the Americas. He has led educational seminars on almost every continent and has been a key advisor to four international conferences of data protection and privacy commissioners. He's been deeply involved in the APEC Cross-Border Privacy Rules (CBPR), and has also been involved with the OECD Working Party on Information Security and Privacy (WPISP). He is as well an advisor to numerous benchmark corporate privacy programs as well as governments and regulatory regimes across the globe. So, first off will be Marty.

[03:16] Following him will be Wojciech Wiewiórowski. And Wojciech, I hope I did okay with your last name. Wojciech is the Assistant Supervisor at the EDPS, the European Data Protection Supervisor. He was appointed by a joint decision of the European Parliament and the European Council in December of 2014 for a term of 5 years. Before his appointment to the EDPS, he served as Inspector General for the protection of personal data at the Polish Data Protection Authority, a position that he had held since 2010. Wojciech also served as vice chair of the Working Party Article 29 Group.

[03:59] Lastly, we will have Hilary Wandall. Hilary is the General Counsel and Chief Data Governance Officer of TrustArc, which you may know as TRUSTe, and she will speak to that and the change in name later. Hilary oversees all legal, regulatory, and policy matters and manages policy and data governance and international regulatory affairs at TrustArc. She joined TRUSTe in 2016 after 22 years at the global pharmaceutical company Merck where she was prior to leaving ADP of Compliance and Chief Privacy officer. Hilary led the global privacy program at Merck since 2014.

[04:43] My name is Gary LaFever, and I'm your host for this GDPR Innovation Briefing. I am the Chief Executive Officer and co-founder at Anonos. Since 2012, Anonos has been actively engaged in research and development to advance the state of the art in data protection privacy and security technology including our first of its kind BigPrivacy privacy rights management platform. My background is in both law and technology having started in Accenture and practiced for 10 years at the international law firm of Hogan Lovells. So with that, we will now start with Marty Abrams. Marty, please.
Martin Abrams Marty Abrams (IAF):
[05:24] Oh, thank you very much, Gary, and I'm really pleased to be here with Wojciech and with Hilary, two people I respect a great deal. I will try to summarize in 5 or 6 minutes sort of the platform or state we're in and hopefully put my colleagues in a position to build on that. If you change the slide, please.

[05:50] When you think about the way we govern information historically, we've always begun with this concept that privacy really is about two things. It's about our right to control our data and the way people see us and think about us, but also the right to have our data processed in a fair fashion. We've always felt more comfortable with this concept of individual control. So, since the very early days of data protection, we've built consent in as the main means for permissioning the processing of data.

[06:29] As we move from the static data that was there in the early 1970s when we had mostly mainframe computers to the platforms we have today, we've seen an acceleration of observational data, that is the data that is observed about us, not provided directly but observed about us, and the mathematical computation of that data. And as those technologies have accelerated, our ability to truly govern data based on those consents has become more and more difficult. That doesn't mean that consent isn't important. It means that we have real difficulty trying to understand the way technologies work.

[07:13] Think for a moment about, which is an app that helps healthcare providers in the mental health area truly keep track of their clients or their patients. That technology works not just based on the consents that people give, but it's based on observing how people move, how they use email, whether they're active, whether their GPS is moving around, it's really hard for people to understand how those technologies work. So, consensus becomes more and more troubled over time and it has become less of an effective means for governing these types of technologies.

[07:54] Now, European law since 1995 has actually recognized that consent is not always effective as a means of providing permission and has provided other permissioning methodologies, but they were not really well implemented under the old Data Protection Directive. Under the GDPR, all the permission methodologies are actually balanced against each other, all of them are relevant, and an organization should use the right one. And that really comes into play. When we think about innovation and innovative uses of data. Please change the slide.

[08:31] If you think about Europe versus the United States or even the United States versus Canada or the United States versus Latin America, the United States has always had a competitive advantage. In the United States, we don't govern the processing of data. We process the end use of data. So, I am free to think with data and it's thinking with data, the looking for correlations, the looking for causations that really begins to build out the innovation that comes with data. So, it is not surprising that many of the technology companies have emerged in the United States because of its ability to think with data without it really requiring any permissions except really in the healthcare area is really part of what has made innovation possible.

[09:23] When we think about this concept of rebalancing the equation so that we can use data in the same fashion in other places in the world, we need to understand that all processing is covered by the law in almost every other jurisdiction. So, every time I touch data, it requires some sort of permission to process that data. When we think about the GDPR, the GDPR and its ability to go beyond this concept of consent makes it possible for organizations to both think with data, come up with the trends and understandings of how people behave, and then apply them and that's called acting with data.

[10:04] So, the fact is that the GDPR by the way it's structured and the way it permissions research and the way it permissions the uses of data for legitimate interest really begins to move us to that next step. And the concept of legitimate interest is really a balancing of all the interests involved to make sure that people are protected. But data is used to create innovation. Please change the slide.

[10:31] And as we think about this balancing process, the balancing process is really about the fairness and the processing of data. At The Information Accountability Foundation, we say the processing of data needs to be legal, fair, and just. Legal means it's not prohibited by the law. Fair means that all of the interests of the stakeholders are balanced. Just means that we're not doing inappropriate discrimination. So, when we think about this concept of using data in a productive fashion that enhances the individual's outcomes, but also allows for innovation.

[11:13] We, again, go back to this concept of thinking with data, which is very much like research. It does not have personal impacts and acting with data where we do actually have impact on individuals. The GDPR requires one to enhance the benefits for people while reducing risks. If one looks at the commentaries about the GDPR, that's one of the key objectives of the GDPR. Please change the slide.

[11:44] And the key to this and the key to making sure that data is used in an appropriate and fair fashion are the whole concept of assessments. So, if one thinks about the law in Europe, it creates the flexibility but it creates the flexibility in part by requiring the organization to understand the risks it creates for others, the benefits that come from that risk, and balance the risks and benefits to those other parties with the interests of the organization. So, first and foremost, they ask the organization: “Do you create risks for the individual that are fairly high?” This requires a data protection impact assessment.

[12:30] The law also requires if you're not going to use consent to really understand the balancing of interests involved in all of the stakeholders that is also an assessment process that the end of the day says that the organization's interests are legitimate that the interests of all the individuals impacted by the processing have been taken into consideration. The positives are greater than the negatives, and the negatives are mitigated away based on interventions with things like technology to obscure data. The fact is that when we think about thinking with data other than with sensitive data, it's almost always relying on this concept of legitimate interest as a legal basis. Please change the slide.

[13:22] So, a simple summary, the GDPR, if implemented well, and that is still a question in play because we have 28 Data Protection Authorities, we have thousands of companies that all have to do their job. But the GDPR, if implemented well, enhances the protection of individuals, while encouraging innovation. It does so by transferring risk from the individuals who historically may have given consents to 40-page privacy notices to instead saying that the risk is owned by the organization that needs to be accountable for owning that risk. So, at first, it encourages innovation by allowing for these transfer risks. It requires companies to clearly understand who benefits from the data, and what are the risks they create. And it requires companies to have policies and processes that assure that stakeholders interests are enhanced, and then the risks are mitigated. Thank you very much, Gary.
Gary LaFever Gary LaFever (Anonos):
[14:25] Absolutely. Thank you, Marty. Before we move on to Wojciech, I just want to remind the press and the audience that if you have any questions, you can submit those through the web interface. You can also submit those to We're getting live questions. We also got some prior to the event. We're going to be going through the questions that we received before the event after Hilary speaks. But now, it's our pleasure and my pleasure certainly to introduce and for all of us to listen to Wojciech.
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[14:59] Thank you very much. First of all, thanks for the possibility of meeting with you in this electronic form. I'm sorry my English is not as good as Marty’s and not as good as Hilary's, but I believe that you will be able to somehow survive this Polish version of the language that you are all speaking with. Greetings from Brussels! Greetings from the center of the European Union, the capital of the European Union. Just at the beginning, I would like to say that the European Data Protection Supervisor is one of the Data Protection Authorities in the European Union. You are aware of the fact that there are 28 jurisdictions in Europe and 28 Data Protection Authorities on the national level. Of course, the situation is slightly more complicated in some countries. In Germany, you have also 16 Data Protection Authorities on the land levels. So, in fact, these are not only 28 that are dealing with data protection.

[15:57] But the 29th Data Protection Authority is the European Data Protection Supervisor who supervises the EU institutions, bodies, and agencies. So, we are not directly supervising the market. But we are supervising the institutions plus we are taking part of the advisors and all the legislative processes that are going on in the European Union including, of course, those that are connected with the General Data Protection Regulation and the other rules that are right now on the table and which perform the reform of the Data Protection Law in the European Union. They are also the members of the Working Party Article 29, which is going to be changed by GDPR into the European Data Protection Board, and from 25th of May next year EDPS is going to provide the Secretariat for the European Data Protection Board.

[16:54] I say all of that because my idea was to tell you more on what's going on right now as far as the changes of the law are concerned, including the work which is done by the Working Party of Article 29 on the road to the European Data Protection Board, including these things, which are right now the most interesting I must say for the market, which are the guidelines referred by the Working Party of Article 29. Well, we are used to think that the change or the reform of the Data Protection Law has been already done, that everything is already prepared and the new system will start to fully be implemented from the 25th of May 2018. But actually, this is not 100% true.

[17:53] The General Data Protection Regulation is just the part of the reform which is going on right now in the European Union. Some of the things, which are connected with this reform are not that much interesting for the business like, for example, the second legal act, which was also passed in 2016, which is the directive or so called the police directive and the official name of that is the Directive on Protection of Natural Persons with regard to processing of personal data by competent authorities for the purposes of prevention, investigation, detection, prosecution of the criminal offences or execution of criminal penalties and the free movement of such data. That's the so-called police directive as I said.

[18:42] This one is maybe not that much interesting for the representatives of the business, but we have to remember that at the same time there are other data protection regulations, which are on the table in the European Parliament and European Council and that may have a big influence on how we will deal with the General Data Protection Regulation principles. Well, one of them, which is interesting for us, is the Data Protection Law for the EU institutions. But once again, that's not the one that is a clue for the business. But the second one, which is right now on the table in the European institutions is very important. That's so called ePrivacy Regulation.

[19:25] You are aware of the fact that we already have for some years the directive on ePrivacy, and this directive is going to be exchanged with the regulation dealing with the privacy protection in electronic communication, and it means that some of the rules which we are used to as far as the GDPR is concerned, may be slightly changed when it goes to the electronic communication and the protection of the privacy as the second fundamental right in the European Union and the exceptions include the problem of the consent for the processing of data in electronic communication.

[20:14] The other thing which is extremely important for the practicalities of the GDPR is the fact that GDPR does not cover all the scope of the Data Protection Law. There are the parts which have been left for the national legislators to be decided upon. Some of them are quite normal when we know that the construction of the Data Protection Authorities shall be done on the national level, or that the judicial review shall be decided on the national level. But we have to remember that GDPR has left a significant number of fields of areas where the exception can be made by the national legislator. Right now, all these 28 countries of the European Union are preparing their national legislation while reacting on all these possibilities that have been revealed.

[21:11] Well, I remember the representatives of the German Ministry of Interior who were saying that if they count properly there are about 60 places where they may make the national exemptions. And, of course, they don't want to do all of them, but these are the possibilities that we have. And we should remember that in some important areas, such exemptions will exist. I guess the most important one for the business is the fact that the labor law and the data protection of the employees has been also left for the national legislators to be decided. Well, I'm afraid to say that most of the 28 countries of the European Union will definitely make such exemptions.

[21:59] Then, we have to remember that under the directive from 1995, we had a number of countries and territories in the world that have been recognized in different forms as the adequate places to process the data. These decisions have been done as I said in different forms mostly by the European Commission. So, we have the countries of the European Economic Area, which are Norway, Iceland, and Liechtenstein that have this act that was making them adequate, which has been prepared by EFTA and by the European Economic Area. It has to be done again because it applies to the directive from 95. It does not apply to GDPR. So, this is the thing which is quite formal only, but it has to be done as well.

[22:57] Then, we have the decisions on adequacy, which are given by the Commission to Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and the special act which is right now the Privacy Shield, which applies to USA. All these 12 adequacy decisions that I said above have to be revised in order to be compliant with the GDPR. If we think that Privacy Shield is fully compliant with the GDPR, that's definitely the assumption at the moment, but we will have the review of the Privacy Shield as well this year in autumn.

[23:43] And apart from that, we have about 110 countries in the world, which have the General Data Protection Rules in their national legislation, and some of them have been directly invited by the European Commission to have such adequacy decisions, and this is not the secret that such discussions with Japan are very advanced and Korea has been also invited to that. I will say that there are at least a few countries more who want to apply for the typical adequacy decision in the nearest future.

[24:21] And just to say what the environment is, we have the data flow communication from the Commission. We have the reform of the Schengen Information System. We have the decisions to be taken about interoperability of large-scale IT systems in the European Union. We have the European Travel Information and Authorization System that is created. We have then probably the discussion about e-justice in Europe during the Estonian presidency, and we have European Electronic Communication Code, which is another directive that is on the table. All of that creates quite a complicated environment that we have at the moment. GDPR is definitely the most important act - the act that applies to the biggest amount of organizations and entities both in the market and in the public sphere. But it's not the only one and they have to be taken into consideration all of them together.

[25:26] And then, let me say a few words only at the end about the guidelines and the work of the Working Party of Article 29. You are aware of the fact that the General Data Protection Regulation has left the possibility for the European Data Protection Board to create the guidelines that would explain the most important parts of the GDPR in order to have a harmonized approach and harmonized interpretation of data in all the European countries and that's something to be remembered. The guidelines that are right now under preparation are first of all the guidelines to be finally decided by the European Data Protection Board. Secondly, they are mostly for the Data Protection Authorities. So, these are Data Protection Authorities that are preparing a harmonized way of interpreting the law. They are not directly addressed to the market. They are addressed to the Data Protection Authorities in order to harmonize the way they approach GDPR.

[26:33] But of course, if you want to harmonize it and if you want to explain how we understand it as Data Protection Authorities, we are giving a lot of information to the market at the same time. So, two points to be remembered. First of all, all the work which is done right now by the Working Party of Article 29 is a preparation of the guidelines to be created by the European Data Protection Board. This is not the Working Party of Article 29 that was allowed by GDPR to create such documents. This is the European Data Protection Board to do that.

[27:08] Well, of course, our way of thinking is that we will prepare the documents right now, we will discuss them with the stakeholders, and we will be able at the first or the second meeting of the European Data Protection Board in 2018 act to adopt them finally as the guidelines of the European Data Protection Board. But theoretically, it may happen that this group of people which will meet in 2018 in May as the European Data Protection Board although these are the same persons that met as the Working Party for Article 29 before. They will say: “Oh, let's forget about the legacy of the Working Party Article 29 and let's do everything from scratch.” Theoretically, it's possible because nobody believes it. Our idea is, as I said, to create it in this year to come in order to be ready to adopt the least of the guidelines and the first meetings of the Working Party of Article 29.

[28:08] But we have to remember that this is the European Data Protection Board only that can take the decision when it will be created and what guidelines we should expect. You are probably aware of the fact that we already have the guidelines on right to portability, Data Protection Officer, and the guidelines on identifying the lead to supervisory authority for the controller processor. These were the ones which were prepared in December last year, then they were given to consultation to the stakeholders, and finally adopted in April 2017.

[28:49] That's important how it goes. I mean, we prepared the draft. The draft is presented. Then, there are some moments for discussion, and then the re-draft and revised version is proposed as the final guidance of the Working Party of Article 29. And what do we expect in the nearest future? Well, first of all, Data Protection Impact Assessment and the interpretation of the high risk that is meant in the GDPR. Then, sanctions, certification and accreditation, profiling, data breach notification, and consent. These are the things which are in the program and the plan of the Working Party of Article 29. And as far as I can say at the moment while that’s not me to decide because these are all the Data Protection Authorities to do so, but the Chair of the Working Party, Isabelle Falque-Pierrotin, is also quite clear about it. We should not expect any other guidelines until the beginning of the EDPB existence.

[30:03] So, we are working on those that are in the plans. We are not working on any other. But we have to remember that during all the work on the GDPR, we have been asked mostly by the business to not to over-regulate. So, I have to say I'm quite surprised right now, when I hear a lot of voices in the business that we need the guidelines from the Working Party of Article 29 or we need the guidelines from the European Data Protection Board. Well, the accountability wins there and it has been stressed many times by the stakeholders during the discussion on GDPR that these are the processors and these are the controllers who know how to process the data and how to control the way the data is processed.

[30:55] So, it means that the controllers were saying: “We know our business better than you Data Protection Authorities or you the parliamentarians or you the government. We know how to deal with it.” And I agree with it. I think that the guidelines should give the point of view of the Data Protection Authorities but these are not the checklist. This is not that we will go through the checklist, and we'll find out that we are compliant with the GDPR. So that's the environment that we work on right now. One of these guidelines that I was talking about is the guidelines on consent. It's still under preparation. We think that by the end of 2017, we will be ready with the draft text to be discussed with the stakeholders. The document is not an easy one for the only reasons that you will also ask about in the questions, but we have to remember that the current rules in GDPR on consent have been prepared according to another Working Party document. I mean, the Opinion 15/2011, which dealt with the problem of the definition of consent in the European Union.

[32:14] Well, I have to say at the end that when I joined the Working Party of Article 29 in 2010, that was the beginning of the discussion about the Opinion on consent. Having some experience in the other EU bodies, I was very skeptical about the possibility to reach an agreement on consent. Well, seeing all these people at the table all of them with high ego and thinking that they know everything about privacy in their countries and in Europe, I thought they will never reach an agreement. And surprisingly enough, in 3 months actually, we had a draft of the Opinion that was later on finally adopted by the Working Party of Article 29 and I have to say that I got a lot of good thoughts about the Working Party of Article 29 after I saw the work on the previous Opinion on consent. I hope I didn't bore you to death. I'm ready for answering the questions that will appear.
Gary LaFever Gary LaFever (Anonos):
[33:20] Thank you very much, Wojciech. We have our last panelist, which is Hilary Wandall. And after she is finished, we will go to questions. So, Hilary, please.
Hilary Wandall Hilary Wandall (TrustArc):
[33:29] Oh, thank you, Gary very much. And it's really a pleasure to join this session along with Wojciech and Marty. I'd like to bring a little bit of a different perspective to the conversation that really focuses a bit more on the technology side of things and how that's relevant to controlled data innovation.

[33:49] So, greetings from San Francisco. You likely will see the sunrise behind me over the East Bay, as it's so quite early here in the morning. It's a pleasure to talk about technology from the heart of San Francisco though and the technology industry in the Bay Area. I actually came here about a year ago, as Gary mentions already, and I came to this issue and this problem that we are facing with respect to data innovation and effective data innovation in the context of much more data being generated and sensed and observed as Marty already said.

[34:25] I came to this through the research-based pharmaceutical industry in which I was part of for about 20 years prior to joining my current company, TrustArc. As Gary mentioned already, TrustArc is actually the new TRUSTe. And so, many of you may have heard of TRUSTe. We have been a certification provider that was founded back in June of 1997. And we’re founded at that time really focused on things that were much easier to control, if you will, at the time at the advent of e-commerce.

[34:58] People were trying to ensure that they were providing for safe interaction and engagement in e-commerce transactions online. And so they had websites that they wanted to show people were trustworthy, and to be able to get people's consent simply through a check of a box and that was an easy interaction for people at the time. What's happened over time though is there's been a significant change, as Marty already alluded to in how data are generated, how data are collected, how data are sensed and observed.

[35:28] And the way in which today's organizations are trying to maximize the opportunities associated with the data that is available to them and to really maximize the value associated with that data is by bringing all these different sources of data together and understanding what that means for their businesses to be able to grow and to be able to provide the right kinds of services they want to their customers. And in order to do that effectively, it's really important that organizations understand the data that they have available to them and they're able to appropriately manage that data and my view with technology-based control. So, how do we come out of that?

[36:07] Going back to my days in the research-based pharmaceutical industry, one of the things that we were confronted with for many, many years, but really long before a lot of organizations were doing what we today characterize as big data analytics, we were looking at research not only in the context of controlled clinical studies, but we also were looking at a research in the context of secondary analyses. It's often very common in the healthcare space to actually have data come up through ongoing observations of people who are being managed for particular disease and to have that data actually inform or provide, as Marty mentioned earlier, additional insights as to potential disease-related issues, potential safety problems that people may be encountering, as well as other potential indications and new treatment modalities associated with a particular disease or condition.

[36:58] In order to do that effectively, it's oftentimes not possible to go back and actually get consent from people in order to be able to further study a problem. And so, we frequently in the research-based pharmaceutical industry and more broadly in healthcare, as Gary was alluding to earlier, we would just make sure that we had what we characterized at the time anonymized data or anonymous data, which was a very, very different thing back before genetic data became more identifiable and before we had all these different sources of data, and we would use those data for secondary analyses.

[37:28] But what we encountered really about 15 or so years ago is that genetic data became more identifiable as there were more and more sources of data that became relevant to studying healthcare problems. So, for example, as people were wearing devices that were actually collecting data, as more and more people started to in about 10 years ago wearing devices on their wrists. So, for example, like Fitbits and other data that are actually relevant to understanding people's everyday healthcare issues, it became more and more important to think about other ways to address the issue of secondary research.

[38:06] And so, that is where we started thinking about how we could better use technology to actually help solve that problem. Technology, really about 10 years or at the beginning of this decade in the pharmaceutical industry became something that we felt was important to solving privacy related problems, and really being able to effectively manage privacy and data protection issues in an accountable way at scale within organizations. But what does that really mean? And so, I think it's important to understand how GDPR and really the expectations that GDPR has around data protection by default and to appropriately use technology-based controls to pseudonymise data and to manage it effectively that becomes critically important for people thinking about how best to use data within the organization and how to control that effectively.

[39:00] How that all relates to the company that I’ve decided to join last year is that as we in TRUSTe, now known as TrustArc, were beginning to think about what the future of privacy look like and respond to the needs of the market in terms of what people needed to be able to manage privacy more effectively, we realized that it really wasn't just about certifications. There's lots of different certifications that we provide whether it's for helping people manage data across borders in an interoperable way, whether it's helping people manage their websites or their technologies, but it's also about understanding how to better manage privacy programs overall.

[39:44] And so, as a company, we looked at what was really the growing need in the market. We realized people need technology to manage their privacy programs. And for me, coming from the pharmaceutical industry where we realized that in terms of managing healthcare data at scale, it was a logical nexus for me to join the company last August. What we decided since I joined is that really the focus on technology is at the core of how we want to be able to serve the market going forward. We've seen an acceleration in the technology market overall with respect to supporting privacy and appropriate data protection over the last year so.

[40:20] We've seen further that the growing interpretations as Wojciech was mentioning by the Article 29 Working Party, as well as we expect in the future of the European Data Protection Board, will help people better understand how to comply with the requirements under GDPR, especially with respect to appropriate uses of data and really maximizing data within their organizations. So, we decided actually just last month at our 20-year anniversary of the company to actually rebrand our company as TrustArc to help people better understand that we are now a company that provides technology to help people manage privacy at scale on the one hand, but on the other hand to really help people manage their data within their organization and the opportunity for innovation within the organization more effectively through the use of technology.

[41:18] And as I mentioned already, I believe that the focus on data protection by default really makes that fundamental to how organizations comply with the GDPR going forward. So, for example, in deciding how an organization is going to structure observation of data through, for example, a new device that actually can observe information or collect information from an individual without their actual engagement or active engagement with that device and sort of monitoring as they go along. It's important to have ways to manage that data effectively without having to actually ask a person every single time that data is being collected and evaluated and actually giving the individual relevant information.

[42:03] You can't ask for their consent. First of all, it's the type of interaction that people don't want with their device. They don't want to continually be prompted with requests for consent. And oftentimes when those data are collected by an organization and combined with other data from other sources, it's just not feasible to be able to obtain consent. And so, other means of actually being able to ensure that data are adequately protected under the GDPR becomes critically important. If we could go to the next slide, please.

[42:33] I just like to emphasize that in a survey we did with about a little bit more than 200 respondents related to their preparation for GDPR as we were planning to announce our name change, we heard from a number of people that technology is actually a growing need for them to be able to manage privacy. And as I said already, there were about 200 or so respondents based in the US who are looking at managing GDPR across all sizes of industries and all industry sectors. These organizations as a whole said that either technology is becoming a significantly greater need to be able to manage privacy or is becoming slightly greater. So, in the aggregate, about 95% of people recognize that technology is going to be critically important for managing privacy going forward.

[43:21] But if we go to the next slide, one of the things I wanted to call out and Gary already mentioned, is that a lot of people aren't fully ready for managing these issues. In fact, the GDPR readiness state that we heard from a number of different organizations as they responded to the survey that we conducted in combination with interventional research is that people are just beginning to think about how best to tackle the complexity of GDPR. As we know, there are many different requirements that organizations have under GDPR to be able to ensure compliance and to make sure that they are properly managing the risk associated with processing data about individuals and respecting individual’s fundamental rights and freedoms as is required under the GDPR.

[44:09] A lot of organizations what we have found are actually still trying to wrap their arms around appropriate data governance and understanding all the different types of data that they have and the different uses for those data within the organization. It's that need that organizations have to actually identify all the different records of processing, and all the different ways in which data are used that is actually a precursor being able to effectively determine how they're going to control that data and it's because a lot of people are still in the fairly early phase - 61% or so based on our survey research have not even begun implementation.

[44:47] They're actually still figuring out what those data are. But we expect once people complete that phase of the process, and we expect this and what we're seeing that many will do so later this year that they're really going to turn more into how do they maximize the value of data within their organizations and how do they use it effectively to drive business strategy going forward. And in that context, the controlled uses of data for innovation are going to become increasingly important. We believe technology will be a critical part of that. So, I'll now turn back to Gary and look forward to answering questions as well. Thank you.
Gary LaFever Gary LaFever (Anonos):
[45:21] Thank you very much, Hilary. We've had some fantastic questions come in during the presentations, plus we had 5 submitted last night. So, we want to rush and get to those. But we have had a couple of people join since we started. So, I just want to remind everyone that with us today we have Marty Abrams who's the Executive Director and Chief Strategist for the Information Accountability Foundation (IAF). We also have Wojciech Wiewiórowski, Assistant Supervisor at the European Data Protection Supervisor (EDPS). And Hilary who was just speaking, General Counsel and Chief Data Governance Officer at TrustArc. And my name is Gary LaFever. I'm the moderator and Chief Executive Officer at Anonos. a provider of privacy rights management technology.

[46:01] So, let us start first with the questions from last night. The first question that was submitted, and there was no panelist indicated for this. So, I would like to actually try to get each panelist’s perspective. But if you don't have one, that's fine. This question was the following. Actually, if we can go to the prior slide, I want to just hit upon the background. This was included in the backgrounder that was sent around to all participants on the call. By the way, if you did not get this or if you would like copies of the deck or anything else, you can submit an email to

[46:40] But these questions were at the beginning of the backgrounder, and we believe they're key to the discussion we're about to have, which is first consent, which Marty has spoken on, Hilary has spoken, Wojciech has touched upon. It used to be key to the right to use data. That has changed. There's no longer the right to continue to use data based on consent if you can't describe it in sufficient detail in advance. So, much of what fuels the digital economy, analytics, artificial intelligence, machine learning needs a new legal basis. And this applies not only to data as it flows or real-time data, but also to all historical databases. So, historical databases, which represent significant assets of companies have to be retreated so they continue to be legal.

[47:22] Those two things cause a lot of people to think: “Oh my god! The GDPR is going to be anti-innovative.” But as you'll see on this slide and hopefully it comes out in these discussions, the GDPR actually provides a means to increase innovation if the law is followed. And lastly, there tends to be on the part of some parties the thought that: “Oh, I'll just increase security.” But GDPR goes beyond security. Security is at the heart and soul of the GDPR. But it also has these new concepts like Hilary mentioned data protection by default that melds privacy, security, and law together and that's a new thing. So, it has to be addressed newly. So, with that, the first question from last night, which is why I had to have the buildup to that: “Why do you believe more companies are not aware that consent does not legally support data analytics under the GDPR?” And we'll start with Hilary.
Hilary Wandall Hilary Wandall (TrustArc):
[48:18] Yeah. So, Gary, I think it’s similar to what I was just mentioning in my remarks. I think a number of organizations aren't aware because they're just still too early in the process of analyzing their data and how their data actually are being managed within the organizations. They're still at that phase of the evaluation as opposed to really thinking about maximizing the kinds of data analyses that they will need to do going forward under the GDPR. I think once people turn from the strict compliance with determining the records of processing, they're going to actually be looking to: “Okay. How do we actually use this data in the organization? And what do we need to do to make sure that we're complying with the requirements of GDPR going forward?” As they get to that phase of determining the appropriate uses, they're going to have to look at what is the legal basis for the processing of the data and they're going to realize that at that point in time that consent isn't going to facilitate it. They're going to need to look to other means.
Gary LaFever Gary LaFever (Anonos):
[49:15] Gotcha! Marty, would you like to comment, please?
Martin Abrams Marty Abrams (IAF):
[49:18] Sure, sure. First of all, there are 173 recitals in the GDPR. There are 99 articles. It's a fairly complex law. Second, as Hilary has mentioned, many organizations are only really now beginning to understand their data flows and how they're going to govern it. Historically, privacy has been managed in a checklist manner. I have a set of obligations. Consent was the first. I write a privacy notice that's fairly deep and hard to understand. I check off that box. I move on. The GDPR and all modern privacy law is actually more based on the concept of organizational accountability, and organizational accountability requires an organization to be both responsible and that's responsible to all their stakeholders including shareholders who want to maximize the benefit of data, but also all the persons and states that the organization touches and that's part of responsible. The other is that it requires them to be answerable and explain how they're going to be responsible. As Wojciech pointed out in his comments, this law requires organizations to truly understand what they're doing, and how they're going to both benefit the individuals they touch, as well as protect the individuals and then clearly articulate it. That's a hard thing for organizations to come to grips with until they really think about all the questions that Hilary mentioned.
Gary LaFever Gary LaFever (Anonos):
[50:55] Great. Wojciech, do you have a perspective on this as well?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[50:59] Well, I think that this sentence is said a little bit too strong. To say that the consent will no longer support data analytics, artificial intelligence, and machine learning under GDPR is a little bit too far. It definitely requires a review from the controllers what consent has been the basis so far. So, do we meet all the requirements that are set in the GDPR? But at the same time, we of course have the same situation we had before that consent is not the only basis for the processing of data and it's not the queen of this basis. You can find that there are jurisdictions in the world where the consent is a queen. For me, the best example is Korea. With Korea, it's well said that the consent is the most important thing.

[51:53] It's not true in the EU. Of course, it's the first one to be mentioned in the article. But not the most important one. At the same time, we have to also take into consideration some of the recitals that Marty was talking about. I would especially mention these that are dealing with the use of the data for scientific purposes. And that will be first of all, Recital 33. But also probably even more importantly, Recital 161 and 159 which says what should be the understanding of scientific research and where you can apply the rules in a slightly different way. And taking these recitals into consideration, we can say that even the idea of explicit consent is much, much more delicately used in scientific research.

[53:02] So, especially when we deal with the use for scientific researchers, we may find a lot of specific solutions in the GDPR. But I think we should not threaten the people that the consent they had so far is no longer valid. You have to get it again, and you have to definitely revise what kind of consent you had. Another exception that exists in the GDPR are the exemptions for the specific kinds of processing. Once again, here, the Recital 161 has to be taken into consideration for the clinical trials, for example, where it said precisely that clinical trials have their own rules on the European level to be taken into consideration. I often get the question about the clinical trials and the problem of getting again the consent for that, which I think shows the people are reading the rules, the norms, and not necessarily the Recitals.
Martin Abrams Marty Abrams (IAF):
[54:17] Oh, by the way, Gary, this is the heft and size of the GDPR. So, like Wojciech said, it's a complex document.
Gary LaFever Gary LaFever (Anonos):
[54:28] All right. So, let's move on. We've got some great questions. So, let's try to get to all of them. And what we'll do here is we have touched upon this a little bit. So, what I would ask is any panelist who feels that they have an answer that has not already been touched upon could just raise their hand and I'll call upon you so we don't have too much confusion. So, here's the second question: “Statistics and the press background document sent around show that more than 50% of companies are not expected to be in compliance with the GDPR by May 2018. Why do you believe more companies are not taking the regulation seriously?” So, if anyone has a thought that they believe has not been -- Marty?
Martin Abrams Marty Abrams (IAF):
[55:12] So, I don't think it's that companies aren't taking it seriously. There are a lot of resources that are required to get to compliance. Organizations have to go to their boards, request the resources to do it, hire those resources, and train them. It's a complex law. So, there are organizations that are moving towards compliance that won't fully be a compliance when the law goes into effect. On the flipside, there are also Data Protection Authorities that are running as fast as they can to be prepared to enforce the GDPR. I was at two agencies last week who were still fighting with their governments to have the resources to be effective stewards of the oversight of the law. So, it's complex and requires lots of resources. So, in some cases, it's not a lack of intent. It's a lack of this is a complex law that requires lots of resources.
Gary LaFever Gary LaFever (Anonos):
[56:11] All right. Wojciech?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[56:15] I never know how they come to this person in the surveys they do, and how they can say that this is the real answer from the market. The first question I would ask to those who are answering the survey like that is: “Are you prepared to deal with the directive from 1995? Are you compliant at the moment? Will you be able to be accountable if the accountability works under the data protection laws that you have at the moment, including your national one?” And I guess the answer will not be easy as well.

[56:54] So, first of all, I think that those organizations that were compliant so far, and they did not have the problems with the directive from 1995 should not have any problem to achieve the results which are expected in GDPR. I'm not saying that it does not require any work. No, it requires effort. But I don't think it will be that much difficult because the changes are not in the sense going too far. But of course, I can imagine that the problem of compliance with the new regulation may exist in the next few months or years. What we have to say as Data Protection Authorities and what we are stressing all the time is that when you don't do anything in order to reach compliance with the GDPR, then you are absolutely wrong. If you find some problems to do so especially because of the special situation in your sector, then you definitely could be understood by the Data Protection Authorities because they struggle with the same problems. They struggle also with the preparation for the new legal system that exists.
Hilary Wandall Hilary Wandall (TrustArc):
[58:23] Gary, if I could just add one other thing related to this, I agree with all the comments that were made so far. I think one of the things that organizations who were compliant with the directive are still finding challenging and do find challenging under the GDPR is the much greater complexity of how all the requirements fit together on the one hand. At the same time, organizations are dealing with much more data than they were dealing with in the past. And so, those two factors combined together create a need for organizations to take a much more comprehensive and holistic approach to managing their privacy programs from identifying what the data are to putting in processes within the organization to really manage that data effectively so they can demonstrate their compliance in accordance with the accountability requirements of the GDPR.

[59:12] It’s those kinds of things in addition to some of the newer requirements like determining the risk associated with data so that you know what your obligations are for doing a Data Protection Impact Assessments, determining whether or not you are potentially going to have obligations with respect to security breach notification which we know that security breach notification requirements under GDPR are more extensive and apply to a broader scope of data than most organizations have had to deal with even here in the US where we've had security breach notification law since 2003. So, I think it’s the broad comprehensive nature, the complexity of the requirements, the fact that organizations can't take a piecemeal approach but rather needs to take a more holistic approach going forward. that's causing organizations to be in a situation where they may not be fully implemented in terms of all these requirements by May of next year.
Gary LaFever Gary LaFever (Anonos):
[1:00:00] Great point. And also, I would think it's the fact that the GDPR is extrajurisdictional and that it says it's not just if you have a physical location or physical processing in the EU. It's used for processing any data in the EU regardless of whether you’ve got revenues or physical processes. So, it encompasses more companies than it has in the past. Let's move on to our next question. This is a very interesting one. It quotes PwC cyber leader Pat Moran and the quote is: “We expect consumer litigation and class actions to quickly follow once the GDPR goes live as has happened in the US. We are already seeing niche legal firms being established to cater for the anticipated demand. Which do you see is the more effective deterrent? (A) Administrative fines of up to 4% of global turnover? (B) Class action lawsuits by data subjects or (C) Joint liability Among data controllers and processors as predicted in the press background document?” And that was a reference to an article by Dan Sullivan, which he believes that it will be the peer pressure between business partners that will cause compliance because if you don't comply, you can hold your partner's lien. So, why don't we start with Wojciech on this one?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:01:24] Okay. So, I don't know what should be the answer to this question. I still remember one of the representatives of the business who said that the definition of hell is the European legislation with American enforcement. And there might be a little bit of truth in it. Especially, we can say that during the discussion about the GDPR, the European legislators and also the drafters of the proposal have been looking very carefully at what's going on in the USA but also in some European countries. Well, litigation is also the way to achieve good results. So, I don't know which of these things is more important. But what I definitely know is the fact that in each and every situation where the Data Protection Authority will issue a fine, it will be taken to the court. So, the court will be making the judicial review of that. If so, it means that the Data Protection Authority has to be really ready to defend its position in the independent court because every situation where the Data Protection Authority will lose, as far as the fines are concerned, will have a very bad effect on the market and to the future of the implementation of this regulation.

[1:02:55] So, in this sense, we should not expect that all the Data Protecion Authorities will go on the first day to decide about the highest fines possible to be issued. And the examples from the consumer protection law show this very well as well. I would say that one of the reasons for not wanting to have the problems with the fines is maybe also the fact that even if the fines will be questioned in court, well you need to have the lawyers to fight it in the courts. So, it's not that easy, that whenever I am fined that I will go to court and the court will change the decision. All of these three general rules that you just said about - the fines, the litigation, and the internal pressure from the controllers, processors, and from shareholders have to be taken into consideration as the reasons to look at GDPR in a very careful way.
Martin Abrams Marty Abrams (IAF):
[1:04:11] So, from my perspective, Gary, the 4% fines get the general counsel’s attention right away. That is the immediate effect. When sales organizations begin talking with their business partners and finding their business partners say: “Prove to me you're accountable before I'll do business with you.” That suddenly switches it over to a market imperative that you have to be able to demonstrate that you have the appropriate processes in place. So, then that becomes the big driver. I think on the backend, this concept of the fact is that consumers are newly empowered under the GDPR is then sort of the tricky last piece of the puzzle, and I think that organizations in 2020 are saying: “Holy cow! That was the hell I didn't expect.” So from my perspective, it begins first with the fines. Second, the business part of what my partners are demanding. And then last, the consumer suits.
Gary LaFever Gary LaFever (Anonos):
[1:05:14] Hilary, anything to add on that one?
Hilary Wandall Hilary Wandall (TrustArc):
[1:05:16] The only thing I would add is I think with respect to what organizations will focus on in part depends on whether they're B2B or B2C. I think the B2B organizations definitely are going to have significant influence by their business partners, and that will be a key driver. What we have been hearing so far is that most people, and it does start with the GC are very concerned about the potential liability. Such significant fines actually just changes the paradigm for people. It's not something they've dealt with previously, as a general matter in the privacy and data protection space. So, it's caused a lot of people who haven't really focused on these issues as a high priority in the organization. So, they think about them a lot differently because of the risk.
Gary LaFever Gary LaFever (Anonos):
[1:05:59] I have two more questions that were submitted in advance, and we'll go to the live questions. This question, Marty, if you would answer first please: “The GDPR reallocates risk from individuals to companies. Is the GDPR an aberration in this respect? Or is it the beginning of a trend? And if it's the beginning of a trend, what other countries or regions are examples of similar reallocation?”
Martin Abrams Marty Abrams (IAF):
[1:06:23] So, we're going to put out a blog today on the fact that the Ibero-American Data Protection Network has issued its standards document. They have the English translation that has just been issued this week. And if you read that standards document, you can see it is in many ways a reflection of the GDPR. In fact, the recitals for that were inspired in part by response to the issues raised by the GDPR. But even before that, Latin America is the region that's first going to respond to that. But you're also seeing responses from Japan and South Korea that are both interested in adequacy in terms of the transfer of data. So, you're seeing a political response. I'm not sure I've seen it yet in the way those laws are laid out. So, my first answer is the responses first from Latin America. And then, that will flow to the other countries that have adequacy or one adequacy. And so, it's Latin America, Canada, Northern Asia, and then the balance of the world will follow after that.
Gary LaFever Gary LaFever (Anonos):
[1:07:30] Thoughts from the other panelists? Wojciech?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:07:38] Okay. I absolutely agree with what Marty said. But I actually disagree with the question. Well, I don't think this is fair to say that GDPR reallocates risk from individual to the company. That is something which definitely I would not agree with. Of course, it depends what "risk" means. But if you mean that risk is the processing of the data in the wrong way, the way which is incompatible with the requirements that the risk is and was on both sides. So, the person is risking when he or she is deciding about the way his data is going to be passed to the controller or to anybody that is going to process the data. And the company or any other organization is taking the risk as well. So, I don't see a big change between the situation that we had before and the solution that we have now, although I agree with Marty that the solutions from GDPR are definitely influential in many places in the world, not only in those that share the same political, cultural, or political history or legal history with Europe.
Martin Abrams Marty Abrams (IAF):
[1:09:02] So, Wojciech and I will disagree on this question of whether the GDPR exclusively is transferring risk. I think the practicalities are I think we can live with the fact that we disagree. I see more and more organizations saying I have to move up the data governance curve. And as I move up the data governance curve, it means I'm taking on more of the risk related to: “Did I make a decision based on my assessment of what it means to be beneficial to the market?” And I think that's a big change whether it's driven by the nature of technology or the GDPR. It's a change that's happening in the marketplace.
Hilary Wandall Hilary Wandall (TrustArc):
[1:09:41] And I would just jump in if I could on this point. So, maybe it's the word “risk.” Maybe I would re-characterize this as the responsibility is much more so on the organization for deciding how to manage and actually being able to show that they're managing data effectively. Whereas in the past, organizations could say: “Oh, I have consent for that. So therefore, I can do whatever I want under GDPR and the various different obligations set forth in GDPR.” And certainly, there's other laws as Marty already mentioned that are beginning to take similar approaches.

[1:10:15] You need to be able to show as an organization that you have these various different mechanisms in place. You cannot just rely on consent as a primary basis for saying: “I've done what I need to do. Therefore, I can do whatever I want.” So, it shifts the ethical paradigm, if you will, away from one strictly of autonomy of the individual, signing away their rights, making a choice about the data versus the obligations of an organization to really think responsibly about that data and making sure (I'll use Marty's terms) that the uses are ethical, fair, and just.
Gary LaFever Gary LaFever (Anonos):
[1:10:49] So, the last question that was submitted in advance was specifically for Wojciech. And Wojciech, this may be what is meant by the reallocation of risk, which is that prior to this size of the penalties, the company could make a business decision to assume the risk. But the question is as follows: “Max Schrems said, “in Austria, the maximum fine is 25,000 Euros. So, many lawyers in Austria, tell me that companies end up finding it more expensive to pay a lawyer to be compliant than to just break the law and pay the fine. So, will GDPR fines really be assessed? Or will it be business as usual?” So, perhaps the person asking this question is getting to the point of risk reallocation unless and until the fines were as we said before the class action lawsuits actually make a difference, it enables businesses if they so chose to make a business decision to say it's less expensive to be non-compliant. What is your answer to his question or her question? Will GDPR fines really be assessed or will it be business as usual?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:11:59] Well, first of all, Max Schrems says about the situation that exists in Austria at the moment. So, there is no doubt that there are big differences between the countries in Europe as far as the fines are concerned. There are the Data Protection Authorities that are generally of the Ombudsman style. So, they do not issue any kind of fines. They are the ones that have this possibility sometimes for very short periods of time like option one. Like the one in my country of origin. They have very symbolic fines to be issued at the moment. And of course, we also have the Data Protection Authorities in Europe that are actually living out of fines. I mean, they are creating the budget by fining the organizations in their market. So, so far, there are definitely big differences. And it has been found at the very beginning of the discussion on the GDPR as one of the biggest problems that exists in Europe. There is a different approach to the sanctions.

[1:13:03] So, I think there will be a change because this 25,000 Euros that exists in Austria would not be a limit anymore and that's a good solution and that's a good way for the authorities and for the regulators even if many of the regulators have to learn how to deal with it because they do not have the experience. They do not have the tradition of doing the things like that in their countries. But of course, we have examples of the telecom authorities or competition authorities in Europe that could deal with it in the past.

[1:13:47] Let's have a very interesting discussion on applying the same problem of sanctions to the public authorities because GDPR has left the possibility for the member states to decide if they want to fine the public authorities as well, and I observed this discussion with great interest because it shows also what is the practical meaning of the fines because many of us think that fining the public authority is a stupid thing because you are just moving the money from one part of the budget into the other part of the budget, and that doesn't change anything.

[1:14:24] But when you talk with the people working in the public institutions, they say whatever will be the level of fines that may be created for the public authorities, that's really an important thing because if I'm fined or if my institution is fined and even if it is 25,000 Euros, I have to talk with all the financial authorities inside and outside of my institution to find the money for that to budget it the right way, to have it in the plan for the future as well, and finally to explain why I was fined. So, from the very administrative point of view, even if the institution is not harmed by that, those who are working there are really afraid of having the fines. So, the fines may have an economic impact, but they are also important from the organizational point of view of the organizations.
Martin Abrams Marty Abrams (IAF):
[1:15:28] You actually have a laboratory for this, Gary, in Canada, British Columbia, and Alberta who share responsibility for privacy for both the private sector and public sector, have fining powers, and there is some sense that they are taken more seriously than the Federal Commissioner who has no fining power, and the Federal Commissioner in Canada has actually asked for that authority. So, it's not just the European problem.
Gary LaFever Gary LaFever (Anonos):
[1:15:55] And let me just mention, we may not get to all the questions. I will submit all the questions to the panelists. And obviously, I can't speak for you, but to the extent we can try to respond to the questions, we've had a ton of questions here and they're all great. I'm going to hit another one because it's also for Wojciech. It's the first slide, and it also talks about trends. What effect do you think the impending Schrems II Decision we'll have on data transfers out of the EU?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:16:25] Well, it will have the same effect as the first decision in the Schrems case. I'm not that familiar with the outcome of the hearings that were done in this case where you know that the basic materials for this case include 43,000 pages that it's not easy to say what will be the result and what is the possible outcome of the case. I would refrain from any kind of predictions on what will be the result of the case and then what will be the practical solutions should be taken after that. I don't know who will be the ones who will go to cut the fiber cables between Europe and the United States in case the solution goes in that direction.
Martin Abrams Marty Abrams (IAF):
[1:17:30] Data just needs to flow, Gary. The fact is that the issues are incredibly important issues. But at the end of the day, we will find ways for organizations to be accountable, so the data will flow.
Hilary Wandall Hilary Wandall (TrustArc):
[1:17:45] Yeah. And I'll just add further. I mean, one of the things we saw very clearly as a result of Schrems I is that organizations who historically relied on a single mode of our mechanism for transferring data out of the EU have actually implemented multiple different mechanisms so that they can fall back on. Other mechanisms that, for example, you can't allow model clauses anymore. So, we expect to see more and more of that. But to Marty's point, it's really the fundamentals of implementing an accountable program within the organization, and being able to demonstrate the data being protected appropriately is becoming increasingly important for organizations as a result, not only GDPR, which clearly is driving a significant amount of it, as was discussed already, but also to be able to deal with situations like potential restrictions on cross border data flows, data localization, and other things like that.
Gary LaFever Gary LaFever (Anonos):
[1:18:35] So, let’s try to get to at least two more questions if we can. We have about 10 more minutes. So, the last couple of questions kind of tied a lot of things together that lead into these questions. And that is that the fines are getting a lot of people's attention, and that's what's causing particularly companies that may not have been subject to EU data protection laws before to pay attention to this, and then they're looking at how technology can enable them to be good data stewards - both the new companies and the older companies as complexities of data use has come about.

[1:19:05] And so, I'm going to ask the entirety of the question so that we can give responses to them. “How hard will this be to enforce in reality? Those who are against it argue that the complexity of compliance will require businesses of all sizes to hire people to focus on data compliance. They argue it will kill as many jobs as it creates. Some say it will benefit tech giants who won't be crippled by compliance issues like small businesses. Others argue that the fines are too rigorous.” Now, there are three following questions for this. But I think in order to respond to this and another question, I'm going to ask all of them and then perhaps each of you could give a Gestalt overall reaction to the question. One: “What are the upsides to this economically?” Two: “What is the impact on cybersecurity and identity protection?” And three: “Are consumers excited about this? Or are they dreading the user experience change?”
Martin Abrams Marty Abrams (IAF):
[1:20:18] Who do you want to start with, Gary?
Gary LaFever Gary LaFever (Anonos):
[1:20:20] You, because you spoke first, Marty.
Martin Abrams Marty Abrams (IAF):
[1:20:23] Consumers don't get up in the morning and say, “How am I going to be impacted by the GDPR?” I think what consumers increasingly say is: “How am I going to be assured of a fair market in a world where data is getting increasingly complex? It's irrational for me to be asked my permission for data to be used to improve the quality of the brakes in my collision avoidance system in my car.” So, the fact is that consumers want data protection to work when all the innovation comes in an information society and expect that to be something that works the way fire prevention in a toaster works. And not that anything is as simple as the toaster. But at the end of the day, they want the world to do that.

[1:21:23] There are also times when consumers do want to still have the right to control their data when it relates to the communities they form around themselves, and they want some control over that. So, it's a very complex marketplace. The fact is that we're not going to stop technology innovation. We're going to continue to have a world where the integration of data from our medical devices and our pharmaceuticals and the smartwatch we wear is just going to continue. That evolution and that innovation are going to happen. But we have to find a way to make sure that we are not harmed by the data, that we have a sense of how the data processes work. But we don't want to have to be the party that implements controls.

[1:22:15] In terms of the size of fines, I'm an anthropologist and I'm not a lawyer. I think the fines have to be big enough to get people's attention. I think the risks of not complying have to be there. And then, the last piece is the organizations that are going to be successful or the organizations that embrace data governance, and data governance is not pure compliance. Data Governance is: How do I use data to create benefits for my organization and benefits from my other stakeholders? So, the organizations that are going to be truly successful are those that embrace data governance and don't see this as a pure compliance issue, but rather an issue of how do I use this asset to create real value for all the stakeholders involved.
Hilary Wandall Hilary Wandall (TrustArc):
[1:23:02] If I could jump in on that point because I agree so wholeheartedly. I think what's really interesting and perhaps not surprising is that right now we're faced with this interesting juxtaposition of both organizations. Most organizations now realize that data is core to being able to drive growth and understanding what data are available to them to both analyze their internal operations better and understand the markets that they're serving better is really critical to growth within organizations. At the same time, you have increased regulation because of the risk associated with not managing data effectively within organizations especially if that data relates in any way, shape, or form to people.

[1:23:46] And so, these two things at the same time where GDPR actually is tying those regulatory obligations to significant fines is causing organizations to think about: “What is my data strategy on the one hand? And how do I make sure that I'm appropriately maximizing the data use of the organization and minimizing the data risk so I don't end up having a significant amount of liability associated with that?” The fact that this is happening across the board where so many organizations of different sizes have to deal with this, I actually think it creates an economic upside, as opposed to a potential economic downside because more organizations are forced to think about this in a way that actually will create and drive greater data analysis with respect to appropriate management of that data and greater data governance as Marty said already.

[1:24:33] With respect to cybersecurity risk, it's very difficult to predict given the kinds of evolving threats that we all know and are seeing happening in the broader environment with respect to cybersecurity. But I do think that one thing is fundamental. Organizations understanding where their data are, what data they have, and the risk associated with those data helps organizations understand what kinds of safeguards they need to put in place whether it's for purposes of data protection by default, as we talked about earlier, or for purposes of basic security controls that organizations need to have this type of regulation under GDPR will force organizations holistically to put more controls in place, and that should have a favorable impact on at least better organizational control of data and hopefully a lower adverse impact of cybersecurity threats going forward.
Gary LaFever Gary LaFever (Anonos):
[1:25:27] Great. Last question. Obviously -- Yes, Wojciech?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:25:33] Just two things to the previous question. Well, the first thing is that, of course, the implementation of these laws outside of the EU is the problem that Data Protection Authorities have to deal with. But, first of all, this is not the first time that we have extrajurisdictional impact of the laws like that. Actually, the law that FTC is implementing has an extraterritorial effect as well. So, the other countries and the organizations in other countries have to apply it at the time when they want to offer the goods to the United States and to its citizens.

[1:26:14] We have similar solutions in some parts like the antitrust or competition law. And secondly, finally we have the solutions like that for hundreds of years in maritime law and in the international trade and of course the efficiency of that is different. We had just yesterday the decision of the court about the liability of the Russian Federation in the case connected with the Greenpeace Arctic ship, which was sent by the Russian authorities 2 years ago almost. And well, nobody believes that it will be given back by the Russian Federation. But the liability of the state is still the problem for this country.

[1:27:05] And the second thing is what you said about the people who will be sent in order to prepare and answer the questions about compliance, I may anecdotally say that the Data Protection Authorities are afraid of another problem - the problem of having artificial intelligence entity that is preparing the answer to accountability. Why not ask the well-organized artificial intelligence entity, if the company is compliant and accountable according to GDPR? The Data Protection Authorities ask themselves when they will be the first time that we will ask the question which will not be answered by the person or by the people, but by the artificial intelligence entity and should we prepare our own artificial intelligence entity to ask the questions and to talk with the other bots that are talking to us from the other side of the cyberspace.
Gary LaFever Gary LaFever (Anonos):
[1:28:08] So, if I could ask the panelists, are you willing to put in just a few more minutes so we can answer one more question. Is that okay? Thank you. Both great questions and answers. So, the last question that we will take is the following: “Obviously, the intended consequences of this are data protection and security for citizens. But the regulation will shock the system, for those that rely on data exchanges for their businesses.” There’s then four following questions. I'll ask them all and we'll have Gestalt answers. How's that? One: “How will data-based publishers like Facebook and Twitter be able to compete in the marketplace?” Two: “How will customer service and optimization websites be able to compete?” Three: “What will the future of e-commerce look like if data is less transferable?” Four: “How does this impact the growth of the digital economy and the internet of things?” How about you, Marty?
Martin Abrams Marty Abrams (IAF):
[1:29:23] Thanks. You always put this burden on me. So, let's start with the fact of the Internet of Things, artificial intelligence, and machine learning. That's actually the frontier that the IAF is now actually getting into and trying to figure out what it means to arc accountability up from being a steward of data to being with custodial responsibilities to a steward of data that has really fiduciary responsibilities, and we're just really beginning to explore that. There's a session at the International Conference of Data Protection and Privacy Commissioners that's going to put forth the concept of essential elements to begin to do that work.

[1:30:12] So, the fact is artificial intelligence, the Internet of Things, and machine learning is inevitable. It's built into things. Observation is built into things, and it means a structuring up of accountability and that's an hour discussion and not a 1-minute discussion. In terms of this question about information intermediaries and their function in the market, they were going to continue. What I think is going to be more important over time is that each of the parties within an ecosystem understands the roles of the other parties of the ecosystem and that those specifications and rights and duties between the parties is specified in a more clear fashion.

[1:31:04] If you think about a smartphone and I bet you everybody on this call today has a smartphone, an app on the smartphone probably has six different controllers involved in making that app work. That's just the norm going forward and we have to figure that out, and we will figure it out. They're not going to disappear. And in terms of the movement of data, the fact is that the obligations that come with data will continually have to move the data, and we have to figure out better technological ways for those obligations to move with the data. And with that, I'll give it over to Hilary.
Hilary Wandall Hilary Wandall (TrustArc):
[1:31:44] Thank you, Marty. I completely agree that the technology piece is going to be increasingly important, as I said earlier, to appropriately manage data across the ecosystem. I'd like to touch on a point that Wojciech mentioned earlier in his opening remarks about the fact that people generally in the context of the lobbying that took place around and the policymaking aspects of the GDPR are actually being adopted. So, they wanted the ability to determine within their own organizations how to actually make GDPR work and how to actually implement it effectively. And that's very, very true I think across. Most organizations want to have the flexibility to make sure that it works within their own organizational culture and their own organizational structure. That is really important to get the appropriate adoption and enforcement internally within organizations.

[1:32:39] On the other hand, however, one of the key factors is how organizations all operate within the data ecosystem. There are various different data ecosystems. There are some great examples that were mentioned in the question that I certainly know from my own experience the healthcare ecosystem is one where it has certainly been fraught with a lot of challenges as to how you can share data effectively amongst the various different parties who are regulated in different ways. It's important for people to understand how they can share data in order to together achieve the appropriate outcomes that they're trying to achieve.

[1:33:14] It's so rare that organizations make decisions in a vacuum or in their own silos whether it's complex supply chains or multiple business partners that are important to actually being able to process data effectively. Partnerships are really important. Having good data standards, expectations, that are understood amongst all the parties actually helps to ensure that innovation is continuing to drive forward because barriers understanding and lack of understanding is what slows things down. So, having more consistency of what standards actually should be and how people can work together to make sure those are implemented effectively across the ecosystem will actually help drive forward the pace of innovation and the way in which organizations share data In order to better maximize the value of the data across the various different ecosystems.
Gary LaFever Gary LaFever (Anonos):
[1:34:06] Thank you. Wojciech?
Wojciech Wiewiórowski Wojciech Wiewiórowski (EDPS):
[1:34:07] Well, I would like to first read the Article 1 Paragraph 1 of GDPR, which says that the regulation lays down the rules related to the protection of natural persons with regard to processing personal data and rules relating to the free movement of personal data. The free movement of personal data is the same goal of the GDPR as the protection of personal data itself. Of course, we like to believe as Data Protection Authorities that the Data Protection Law is not an obstacle to innovation and is not an obstacle to the flow of data. It's rather the way to civilize the way that we are dealing with this phenomenon.

[1:34:55] Sorry for giving very primitive comparisons and pretty primitive metaphors. But this is more or less like electricity when electricity is lethal. Electricity can kill a person. And when it was invented, it could be used in different ways. But we started to realize that we can use it in a civilized way. And my 3-year-old daughter is already taught how to deal with it, although it's lethal, although it could kill a person. And the second example is, of course, the traffic on the road. The road code is created in order to facilitate the way that we transport things and how we transport people. But of course, somehow it limits the way that we try to invent new solutions. But I think that is the kind of price that we pay for this civilized way of the flow of personal data in the world. So, that's one of the goals as important as the protection of the data itself.
Gary LaFever Gary LaFever (Anonos):
[1:36:08] Well, it sounds like technology is the cause, the effect, and also the solution on how we can continue to use data. Control those flows and get the benefit of that data while still respecting the fundamental rights of the individuals. And that one way to look at it perhaps is previously, when consent was too easy to secure, the data controllers and processors were more concerned with their convenience of processing. And now they have to realize that in addition to their convenience of processing, they also have to look at the rights of individuals. And so, the controls that enable the data governance and the predictability of how data flows within an ecosystem can enable all of us both the individual data subjects, data controllers, and processors to continue to benefit. With that, is there any closing comment anyone would like to make? I very much appreciate the time. We've gone over. I think it's been very, very helpful. But I do want to give all the panelists one last opportunity if there's something that you would like to note or mention.
Martin Abrams Marty Abrams (IAF):
[1:37:10] I think there is a very simple concept that's been put forth, as we think about the new data world by Wojciech’s colleague, Giovanni Buttarelli, when he said that: “Data should serve people. People shouldn’t serve data.” I think that’s the underlying fundamental for data governance and it’s the underlying fundamental for how regulation should work effectively. And if we always think about that goal that data should serve people and people should not serve data, I think in the end we have good outcomes.
Gary LaFever Gary LaFever (Anonos):
[1:37:48] Very good. All right. Well, thank you all very much. I appreciate your contributions and thank you for those on the line as well and everyone have a great day. Again, this has been the GDPR Innovation Briefing. Thank you for your time.