Okay. I want to point out a couple of things. First off, if you asked a question and it’s not answered during the webinar, we will do our best to answer within the next couple of weeks. So please don't feel that if you asked a question and wasn't addressed, it's not going to be covered.
Also, if you have follow-up questions and you think about following the event, you can actually send those to questions@anonos.com. So that's questions@anonos.com. We also want to make everybody aware that there's an IAPP conference, webinar conference next week on legitimate interest processing under the GDPR that has different people, has somebody from Privacy International and someone who used to be with the Italian Garante, has much of a European orientation. But it's similar topics.
Also, Khaled gave a fantastic webinar just yesterday on de-identification. That's available at replica-analytics.com/knowledgebase. And if you have any questions on pseudonymisation, you can go to www.pseudonymisation.com or anonos.com.
So with that, let's open it up to questions now for those on the webinar and see what we get.
Oh, by the way, just to give you an indication, we had over 500 people registered for this webinar. So very high level of interest and the legitimate interest webinar has over a thousand already. So this is a very, very topical point and could not be more appreciative of the panelists in giving us their time. So let's take advantage of that now and take questions from the audience.
Dave:
Yes. Thanks, Gary. This is Dave from IAPP coming back on the line. Appreciate that. And so we do have some questions from the audience. Before we get started with those, let me remind all of you that the way to handle questions is to submit them via the field that's just to the right of the PowerPoint window. There is an open field there. You can type your questions right in and submit them to us. They will be anonymous. So please go ahead and forward those over to us.
So now, let's get started. We do have a few in the queue here. And to start, here's one, “For sale, would a scenario where the data is transferred to a third party service provider to analyze/process the data and deliver the data back be clearly not a sale or in the gray area?”
A question, I'm sure, many are wondering about. Gary, let me throw that to you first and then we'll see what others have to say about that as well.
Gary:
Yes. So we are waiting for guidance from the Attorney General. There are certain exemptions for service providers that are providing work on your behalf. But I think we need further clarification.
It's a great question because it highlights, sale does not just mean exchange of data for cash, okay? And there's a number of good quotes and stuff within the deck itself. So my answer would be, it's unclear and we hope to have further guidance from the Attorney General.
Gary:
Good point.
Deven:
For why you don't think it's a sale. And you actually might be able to use some of the HIPAA language around what constitutes a sale of data, which is really very clear that payment for services, even when data is exchanged as part of those services, does not constitute a sale. That was part of the omnibus regulation out of the HITECH legislation in 2013, I think.
So this is a hint. Look, it’s bootstrapping, right? But you're pointing to another plausible legal source for why this shouldn't be considered to be a sale in addition to using CCPA sites.
Gary:
That also raises another point and that's the difference between what's lawfully required versus what's ethically expected from the customer base or the consumer base. And so, we won't know that for a while, right? So there may be a technical out under the law. You also have to ask yourself, what is my customer base going to think when they find that I'm still doing it?
So that's why it's going to take a couple of years to completely clear up, right? I think part of the broader and why the IAPP audience is so powerful is data governance, right? It’s also business governance. What makes most sense which has to be aware of what's legally required but then we also have to put on our business hats and think, how is that going to be perceived in the marketplace?
So great question.
Dave:
Yeah. And Deven, I really think …
Justin:
The one other thing I might add, this is Justin, is that it's pretty clear that there are certain service provider functions that are secondary processing as you covered it earlier, that are very likely to be treated as a sale. So one example of that is, if you have an opt out of the sale of data, [inaudible] CCPA and you transfer data to somebody to surface an ad and the ad provider is using that personal data for things like contextualization or for any other purpose, it's pretty clear that the AG is going to be treating that kind of use when there's an opt out of the sale of data as a sale.
So I agree with you there. There is some revision coming out here, I think in the final leg, but I'd say, some of the secondary processing that we all take for granted that's involved in MarTech and the contextual ads surfacing right now, are pretty clearly going to be viewed as a sale under the California law.
Gary:
Great discussion. Anyone else on that?
Dave:
That was terrific, Justin and I think Deven, some pretty sage advice from you there in terms of practical business approach. And that is, document your rationale and chose a thoughtful approach and due diligence at the very least. So that's really good advice.
Let's go ahead and move on. We just have a couple of minutes left here. We have time for a couple more questions. Gary, this one is for you. It goes back to something that you covered very early on in the web conference and that is, “Why are there different risks between local and distributed processing?”
Gary:
Yes. And so, here's the point and this very much goes to how data use has evolved over the years. And it also goes to, in the expert determination under HIPAA, part of the issue of assessing what controls are necessary is, who is the intended recipients and users of the data, right?
And if I can control the people who have access to that data, I can, on a risk basis say, I don't need a stringent of protections. Once that data starts to be used in a more distributed fashion, you have to be able to protect against the re-linking and re-identification, unacceptable longitudinal analysis, because it wasn't intended. It wasn't authorized.
And so, as you have more distributed data use, you need higher levels of protections that protect the data in those distributed use cases. And so, in essence, the newer laws, the CCPA, the GDPR are there to allow this broader data usage, but it requires a higher level of protection. You can always go back to just enclave processing, but then you have to be careful. Let’s not forget about data breaches.
And when your data is breached, the person who did it did not agree to not misuse the data. That's another reason why de-identification, pseudonymisation as a security solution is advantageous because if the data you're processing has been de-identified, okay? There's less risk to the consumer or the data subject if it's breached.
Dave:
Terrific. And I think we have time for just about one last question. Gary, I’m actually going to stay with you for this one. Someone is asking about repeating the three options. There was taking steps to stay within the exception, evaluate whether the de-identification satisfies the CCPA and then there was a third one. Would you mind just covering those again?
Gary:
Sure. And I really liked that interaction and it's a great question. So what came out were three possible approaches and this is healthcare-specific, okay? The exception for HIPAA is PHI. So if you're processing protected health information, there's an exception under the CCPA. I should point out that same thing is true for GLBA and the Fair Credit Reporting Act. But in all three instances, it's not a blanket exception, okay?
So the exception for Fair Credit Reporting Act does not mean banks aren't covered. It's the same thing. The kinds of data that are required under the FCRA are exempted, but the rest of the data that's usually collected in connection with a credit report are not. So it's very similar. It is the key elements of data.
So the three options that we talked about were, one, keep it within the exception by keeping it as PHI, not protecting the data. Now, what that means, tying it back to the prior question, is you can only have localized processing, okay? You can't process PHI on a broad distributed basis, because what I mean by the term broad distributed basis is one where you can't control the recipients, okay?
So the first one is keep it within the exception by not protecting the data with technology and having other types of protections in place. So it remains PHI and therefore, excepted.
The second one, okay? Was to evaluate whether or not your current HIPAA de-identification approaches satisfy CCPA. And this is going to go into whether they're risk-based, how advanced they are. It's very unlikely that the Safe Harbor would work. But an expert determination approach that actually is risk-based combined with some security controls may be adequate.
So option number two, assess your current de-identification under HIPAA and see if it's compliant. And option number three, is there are, as Khaled mentioned, advanced technologies, right?
Anonos, my company, Khaled's company actually works in that space. There is, and there are ongoing advances in de-identification technologies that could enable you to satisfy the heightened CCPA requirements, and therefore, you would definitely satisfy the HIPAA requirements.
So those are the three. One, keep within the exemption because you don't protect with the technologies, you have other approaches in place. Two, evaluate whether your current HIPAA de-identification satisfies CCPA or three, upgrade the CCPA-level de-identification and therefore, satisfy both the state statute as well as the federal legislation.
Dave:
Terrific. Thanks so much, Gary. And unfortunately, we're just about out of time here, but as Gary mentioned earlier, if you did submit some questions and we weren't able to tackle them on this program, we're going to try to answer them post-program. So look for a follow-up on that.
Also, as you can see in front of you, everyone's email addresses are there and we've also got questions@anonos.com address where you can submit further questions. So please do get those into us so we can see if we can tackle some of those.