Description:
In this episode Jordan Crenshaw of the U.S. Chamber of Commerce discusses the current state of privacy legislation in the U.S., including the status of the American Data Privacy and Protection Act. He also discusses whether unified federal regulations will override the many states that have data privacy legislation in place.
Speakers
Jordan Crenshaw
Vice President
U.S. Chamber of Commerce
Jordan Crenshaw serves as Vice President at the U.S. Chamber of Commerce. Crenshaw also directly manages the Chamber’s privacy working group, made up of nearly 300 companies and trade associations, developing model privacy legislation and principles. Prior to this, he led the Chamber’s Telecommunications and E-Commerce Policy Committee, which analyzes federal privacy, cloud computing, broadband, internet, e-commerce, and broadcast policies that impact U.S. businesses.
Before joining the Chamber, Crenshaw served as an attorney focusing on environmental issues and analysis of consumer privacy laws.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Transcript:
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. This week's episode is titled "A Discussion on U.S. Privacy Legislation with Jordan Crenshaw." My name is Bill Tolson and I'm the Vice President of Compliance and eDiscovery at Archive360. Joining me today is Jordan Crenshaw, Vice President of the U.S. Chamber of Commerce's Technology Engagement Center. Jordan, welcome, and thanks for taking the time to join me today. Really appreciate it.
Jordan Crenshaw:
Of course, it's a pleasure to chat with you today about one of my favorite topics.
Bill Tolson:
That's fantastic. Mine too, by the way. So I think we could just jump right into it. And I think this might have been one of the original kind of topics I had raised with you when I asked you to be on the podcast, but I had seen that the... A couple of months ago, actually. It was in January. The Chamber published a letter directed to the U.S. Congress, urging them to pass a national privacy law, which they obviously haven't done yet. Jordan, what prompted the Chamber to write this and then publish the letter to the Congress?
Jordan Crenshaw:
So privacy has been a major concern for the business community, ensuring that consumers have protection, have control over the use of personal information, but also giving businesses the real certainty they need in making pretty fundamental day-to-day business operating decisions with the use of data.
And back, about four and a half years ago, when California passed the California Consumer Privacy Act, a real concern grew that more states, and as they have, would start to pass their own legislation. And while we think privacy is something that consumers should have, we want to make sure that there is a uniform set of privacy standards across the country to ensure that all Americans' privacy is protected equally. And so what we have done at the U.S. Chamber, we have advocated consistently over the last four and a half years for a national privacy standard that protects all Americans in the same way. And that's why we brought together this group of local and state chambers, which actually was over 80 groups; we really wanted to press on Congress the need to pass a national privacy bill. We were the first association to release a privacy bill right after the CCPA was enacted. And we want to see Congress actually fulfill the goal of implementing a standard that is uniform and really provides consistent protections across the country.
So it's clear Congress has listened and is taking up some legislation now, but we really want to make sure that there's a consistent standard, that there's certainty in the market in which consumers know what their rights are and businesses know what their obligations are as well.
Bill Tolson:
Yeah. Now that's a great point. And I think, like you say, businesses have been looking for this kind of action and relief for a long time. And as you say, I think currently we have five of the U.S. states that have actually passed privacy laws. They're all somewhat the same. I don't know if you've had a chance to go through them or have had any input on them, but you mentioned the American Data Privacy and Protection Act. I take it that you and the Chamber work directly with the House and the Senate to help them construct these bills. Correct?
Jordan Crenshaw:
So we've engaged constructively with both the House and the Senate over the last few years to get to a privacy bill that is workable for the business community, and also is workable for consumers. And this bill you mentioned, the American Data Privacy and Protection Act, I think it does have some very good points to it. It provides consumers the ability to obtain the data that's kept about them. It gives them the right to have that data deleted. It gives them the right to opt out of data sharing. So some very good consumer rights on that front. I think where we have some concerns about the current draft, and that could once again change day to day as it goes through the committee process, is we want to make sure that we don't shut off data flows, particularly large swaths of data that could have critical societal importance and benefit.
Also, some of the pieces of the ADPPA, which is the acronym for it now, that cause some concern for the business community: we worry that it could potentially not have strong enough preemption, so that courts could end up ruling that it doesn't effectively preempt the states enough. And also there are some provisions in there that have redress through what is known as a private right of action, in which private parties and attorneys and litigants can sue companies for violations of the act. We've seen some cases before where laws like the Telephone Consumer Protection Act and the Illinois Biometric Information Protection Act have really been used for troll campaigns by the plaintiffs' bar to really get attorney's fees and money for the trial bar, but in the end it doesn't necessarily actually help the consumers themselves.
But there are good things to the ADPPA. There are other things on the base level that concern us about what is covered and how it's enforced, but we're continuing to constructively engage with the Congress to ensure that we get to a good bill that protects Americans consistently and robustly.
Bill Tolson:
Yeah, that's great. I did actually read the first draft and pulled out some of the things that you mentioned. I actually sat in on the Energy and Commerce Committee hearing last week, which was a four-hour review of it, with various experts and stuff. And that was really interesting, but you pulled out two of the things that I had immediately looked at as well, provisions in it, and that's the idea of preemption or superseding the state bills. And obviously businesses in the U.S. and around the world are hoping that it's clean, complete preemption, because then you would be dealing with, potentially in the coming years, 50 state privacy laws with slightly differing provisions and definitions and exemptions and rights and things like that. And then you'd have the federal one, but also all the other ones around the world that have that global reach as well.
So I think, yeah. The preemption or the superseding of the state bills, I think, needs to be total. And I know that's obviously going to be a problem with states like California and so forth. But the other thing was the private right of action. And I've been recording podcasts, this podcast series, and I've had several of the state co-author senators on to talk about their bills and/or laws. I've had Virginia, Utah, Colorado, boy, several others. I can't remember them all now. And they're all very good, but that was one of the things I asked all of them, was I noticed in the earlier drafts and stuff, you had talked about the private right of action, and they all, to a person, said, "Yes, that's been the universal sticking point. We've had to take it out of all of them." I don't even think... Does California have the private right of action?
Jordan Crenshaw:
So California has a private right of action for what's considered the data breach provision of the California Privacy Act. There is not a state in the country, throughout the five bills that we've seen passed over the last few years, that has a blanket private right of action for privacy violations, which could end up becoming technical violations that get abused by the trial bar. There is an element of breach and somewhat of a situation where you may deal with potential harms coming from the breach side, but there are no bills that have passed yet in states that have had a private right of action. In fact, states like Florida and Washington had bills that got very close to passage, but it was the private right of action that prevented those bills from getting passed, because it was too controversial to get across the finish line.
I think one thing I would note too, on the preemption side, you mentioned the ADPPA, and I think that's an interesting note about California, is that the earlier drafts of the ADPPA do have some significant carve-outs for preemption for what states can do. And I think that concerns the business community, and should concern consumers, that this may not be total preemption. Chairman Frank Pallone of the House Energy and Commerce Committee recently promised to work on those issues at a recent markup of the bill. But one of the things that I find concerning about this current language that we've looked at in the earlier drafts, and then the one that got through the E&C subcommittee, is that it has language that says, "Only what's covered by the act is preempted," which means that you could pass privacy requirements that may not be what's specifically in the act, and that could survive preemption specifically, even in circuits that may be more keen on preserving what's passed in states.
They may actually be able to kind of whittle away at that preemption. Usually, there's kind of a hierarchy of preemption. If a bill "relates to" a certain subject area, and you have to use kind of those keywords, "relates to," it's more broad-based. This is what's considered "covered under the act." So already somewhat starting from a little bit of a narrower position on what might be total preemption. The other piece is that the bill would carve out 15 different types of state laws, and it would carve out the biometric law, only in Illinois, not Texas, surprisingly. And it would carve out that private right of action section in California, which states could then try to go back in and backfill those code requirements with new provisions. The other side is that it preserves consumer protection statutes, and as written, there's not what I would describe as adequate guardrails yet to prevent, say, the private trial bar in a state from using a consumer protection statute to make claims about data practices, while at the same time also now using the federal law to go after companies.
So then you're getting yourself into uncertainty and dual enforcement on that side. There have been some attempts to say in that language that you can't use the fact that there's a violation of the federal act as an element of a claim, and in a state case, in practicality, an attorney may not claim that in the pleading and filing on the state level, but they still have that digital breadcrumb trail of that other case to come up with some other creative claims. And so, I think that is a part that would need to be tightened up, especially if you've got the private right of action provisions still in place in the federal law. But you're right, some work needs to be done on the preemption side and on the enforcement side, if you're really going to get to total preemption.
Bill Tolson:
You mentioned enforcement. I think I know, but the bill, I think... Who's the enforcement agency for this law, if it becomes law?
Jordan Crenshaw:
So from a federal perspective, that's the Federal Trade Commission. And that's a good thing. I think industry has always said that they are the expert agency. They need the right funding in place to be able to handle the workload for a new federal privacy bill, and that's something that should come. State attorneys general would also be able to enforce the act on behalf of their citizens and get things like restitution and damages as well. And then finally, it does enable those private rights of action on behalf of consumers by private attorneys, to go out there and get what are known as compensatory damages, which are a little bit more theoretical in what those could be, and more expansive than, say, a private right of action that only enabled actual damages you could prove from a violation of the act.
And the bill also would enable the winning party, if you're filing, to obtain attorney's fees, which I think there's a lot of concern about, as we've seen with the BIPA law in Illinois, as well as the Telephone Consumer Protection Act, that could generate cases that are filed that may not be as well intended to fix privacy concerns as they are to enrich the trial bar.
So those are some concerns that we have about that provision. But the Federal Trade Commission is the agency that would be the lead federal agency tasked with enforcing this act.
Bill Tolson:
It sounds... By how you've referred to them, you probably assume that they're pretty well equipped to handle the enforcement, right?
Jordan Crenshaw:
They've been the expert agency for years on privacy, under their authority to enforce against unfair and deceptive practices in the market. And that's a pretty broad-based authority that they've had. Now, they have to go through a whole process of notifying a company, going through a consent process, before they can even get to enforcement on that side. But they've been the agency that has predominantly been the lead on privacy and has the expertise. And that's the right call by the drafters of this act, to put them as the lead of this.
Now, there are certain provisions of the ADPPA that would give rulemaking authority under the Administrative Procedure Act to the Commission, which they've never had in the privacy space. I think in some areas that makes sense, so that they can more nimbly create guidance-type regulations on things like notice and what types of notice are adequate, but there are some other rulemaking authority provisions that would enable the Commission to define what is sensitive data, which is subject to either companies not being able to use that data at all, or having to get consent, and that could fundamentally alter the balance of the act.
I think it may make more sense for the FTC, in areas where they can fundamentally alter privacy regulations at large, to still have to go through some type of heightened rulemaking authority like they currently have to now under the Magnuson-Moss rulemaking that they have. But that's also another issue that has come up in the privacy debate, is what type of rulemaking authority the Commission should have going forward.
Bill Tolson:
Yeah. I've been reading a lot about this, obviously. It sounds like the ADPPA is maybe, probably, the front-runner privacy bill in the Congress right now?
Jordan Crenshaw:
At this point, it's the one that's getting the most attention, and it's the first time we've ever gotten Republican leadership in one committee and Democratic leadership in another to agree to at least a base framework of text for a privacy bill, and also Senator Roger Wicker, who's ranking member of the Senate Commerce Committee for the Republicans, is on board with this. But at the same time, we've also got Senator Maria Cantwell from Washington state, who is the majority leader on Commerce, who has not publicly said that she's on board with this proposal. She would like to see, at least in her words, even greater privacy protections or more robust protections in place. So she also has her Consumer Online Privacy Rights Act that she put forward a few... Actually, earlier this year she reintroduced it, but she has put it forward in earlier Congresses as well. That does have things like a duty of loyalty, which would effectively be a fiduciary duty for data.
Bill Tolson:
I saw that.
Jordan Crenshaw:
And if you were to tie that with a private right of action, I think there are some concerns there that, since there's not really a standard in place quite yet, that could get litigated over for quite some time to determine what the standard is. And as we seek to kind of create more certainty through a privacy bill, that might for the short and medium term create quite a bit of uncertainty. So that's another piece of the puzzle there. I think she has had concerns about the use of arbitration, and about prohibiting the use of arbitration as a way to settle privacy disputes. And that's another area that she's come to the table on, talking about that. And so those are really, at this point, kind of the two major competing bills. There's also another bill that was put forward by Representative Suzan DelBene, that we actually supported when that came out earlier on.
And that's the Information Transparency and Personal Data Control Act. And that bill basically would require opt-in consent for sensitive data for the collection, use, and sharing, would be opt-out for any other types of data, would require audits of industry practices, while providing really solid preemption, no private right of action, FTC enforcement and actual FTC funding so the agency actually could handle the workload. So that's a bill that I think is a pretty good approach that's out there, but I think at this point right now, the lead horse is the ADPPA, and a close second is Cantwell's bill. And then there are obviously the other privacy proposals that have gone out there as well too.
Bill Tolson:
Yeah. I've watched those. I think, didn't Senator Gillibrand have one in there?
Jordan Crenshaw:
At one point she did. At one point Senator Schatz actually had a bill that really centered around this duty of loyalty concept. Senators Kennedy and Klobuchar have done some work on social media privacy legislation. Castor, who's in the House, has put forward some amendments to the Children's Online Privacy Protection Act. So there are a lot of proposals out there in this space, but I think in terms of the real vehicle to watch right now, it's ADPPA, and whether or not they can actually get to a good spot with Senator Cantwell on negotiations on that front to get that bill fully across the finish line. I think there's a lot to watch for.
Bill Tolson:
Yeah. I actually had New York State Senator Kevin Thomas on this podcast several months ago, and I had read his bill. And it had jumped right out at me, the data fiduciary responsibility... And I asked him about that. And he said, "Yeah. That was obviously a major problem." One of the reasons why the bill didn't make it into law. I think it was this year he introduced another one, and I had read it and I asked him, I said, "Well, Senator, it looked like you took the data fiduciary responsibility out." And he said, "Well, we changed the name. Now we call it duty of loyalty and care."
Jordan Crenshaw:
You got to love a good rebrand. I'll tell you that.
Bill Tolson:
Yeah. And I've noticed that actually show up in other places. So when he was talking about a data fiduciary, I mean, he was out there all by himself, but I think, isn't there a duty of loyalty in the ADPPA?
Jordan Crenshaw:
And speaking of rebrands, there is a duty of loyalty section that, as it currently sits, and things are changing quickly, would ban certain types of activity. Like you can't share aggregated internet search history without permission, or you can't use sensitive data unless it's for a very strict subset of reasons to actually operate your business. But it's not the duty of loyalty that Senator Schatz, and I think Senator Thomas back in New York, would've described as the fiduciary duty. Now, that could be a tip of the hat to folks across the... In the different chamber, in the Senate, or it just could be their own rebrand of what they're calling those rights. But you're not wrong that there's a provision in there that calls itself that, but I think there's been a little bit of a federal rebranding of that concept as well too.
Bill Tolson:
Okay. The ADPPA's obviously being talked up a lot, like you said. And I've sat on many podcasts and webinars and all kinds of stuff, where all kinds of experts are at least talking about it. And it really hasn't been out there that long, but the majority of them seem to think that it's going to be passed into law by the end of this year. I personally don't see that. I don't know if you have an opinion on that.
Jordan Crenshaw:
There is definitely an attempt to get this pushed through this Congress by the end of this year. And I will say, I have never seen momentum in a bipartisan manner for privacy like I've seen right now. I would say, on the views of the business community, as we continue to urgently seek a national privacy standard that makes sense and that is workable and is the right bill... It may not be perfect, but it is right. I would say, I urge the folks on the Hill, let's get this right. And let's not rush this thing so fast that we actually don't know what's in it, or we haven't had an opportunity to really see how the pieces work together before it gets passed.
And so, I think, as I've said numerous times, a patient urgently needs medication at times like we do now, but you want to make sure you give them the right medication first and take your time to get that. And I think that's the way we view about this legislation as well. But it's a good thing that Congress is talking about national privacy legislation seriously, but let's just make sure we get this right.
Bill Tolson:
Well, and along with President Biden's executive order last year around cyber for at least the agencies, it has really been interesting following that too, the various types of security that agencies are going to have to incorporate. But I know, in my talks, and I think I mentioned it to you before, that businesses are worried about the complexity over the next several years, that if there isn't a federal bill or federal law that kind of brings it all together, then they're looking at spending huge amounts of money trying to stay compliant with these. In fact, one of the data points, and this was from a couple of well-known market research firms, was all around the idea of the data subject access request.
I might be a data subject, and I can email Archive360 and ask what personal data they have on me. And then, if they have some, I could say delete it, all that stuff. But these market research firms basically came out and they said that the whole DSAR phenomenon, data subject access request, is going to be like a massive surprise for business, because they haven't been thinking about this cost. They basically came out and said, currently worldwide... And this includes GDPR response as well, and mostly California. But the average number of DSARs a company is receiving today is in the 140-147 range. And at an actual average cost to respond of $1,400 each, meaning $200,000 per month, just right now, responding to these requests. And that's just for two laws. What's that going to look like when you have 50 potential privacy laws in the U.S., and then you have another 140 around the globe?
I think companies, and I've been talking about this for about a year now, but I think companies don't understand what kind of capability, what kind of processing they're going to need to be able to just respond to this relatively simple request.
Jordan Crenshaw:
And that's an excellent point. There was a study that came out by ITI very recently that said that a privacy patchwork of 50 states would cost the economy around a trillion dollars, and about 200 billion of that is in the range there for small businesses that they would be kind of more directly incurring. But I think you're right. And I think that also lends itself to, we urgently do need a national privacy law, but at the same time, in terms of getting privacy right, as we talk about those data access requests, they are expensive on an individual level, and relatively speaking, we haven't seen too many of them yet.
But what changes that, I think, as we go forward, is if there is a private right of action, either in a state law or in a federal law, there is an incentive on the part of trial lawyers, and there are firms dedicated to this, going out and ginning up clients and going out there and kind of becoming a conduit to start going after mass data access requests, so that you can begin to really bulk up the class, the size of a class, for a lawsuit.
There's not that incentive, unless you yourself are now a very privacy-minded person, to go out and do these requests. But when there is the promise of a potential payday for the lawyers, or promises that you can get a settlement for your clients, I think that you will begin to see those requests skyrocket once you insert a private right of action, unless guardrails are put in place on those, what we call PRAs or private rights of action.
Bill Tolson:
Yeah, I agree. Because they could very well, in certain circumstances, be used as kind of an offensive, tactical attack mode by all kinds of people that just want to cause trouble. Because I think that has happened in the EU with the GDPR.
Jordan Crenshaw:
And the thing that even makes it a little bit different with GDPR is, I think it's going to be a little bit worse in the United States, because there is no private right of action in GDPR. There is not the litigious environment like you see in Europe.
Bill Tolson:
Yeah. Their culture isn't like ours around litigation.
Jordan Crenshaw:
Yeah. There are certain states that you drive in this country and you can't throw a rock without seeing a billboard, or hitting one, that actually has an attorney advertising their services. And so I think that is what concerns me the most about the United States if we pass something with a private right of action, is that there is going to be what I would describe as abusive enforcement of this, against all kinds of businesses like restaurants, retail, not necessarily even larger tech companies, but just everyone, because there will be an incentive to go after any company that may not have as sophisticated a privacy system in place, but is in good faith trying to work with data. And in the European Union, you've only got a 4% cap as to what the regulators, for global revenue, can get in terms of enforcement.
To some extent you can kind of bake those numbers in if you're a larger company, but at the same time, there's not that kind of guardrail in place if you have a private right of action enabling suits against basically everyone, and there's an incentive for private enforcement. So that is somewhat of the concern there too.
And the other thing I would note between Europe and the United States, and one thing Europe got right, is it provided adequate time for companies to really know what the law was, to get their compliance systems in place, and it provided a two-year runway from knowing what the regulations were to having to be on the hook for them. Our concern too, as we've seen in some recent legislation here in the United States, is that they're looking to do maybe like six months, which is a really, really, really short time period. A, for agencies to get up to speed, to get ready, and also for consumers to know what their rights are, for companies to get compliance in place. And we're seeing a lot of novel concepts in some of this leading legislation now that's not in place in Europe, or is not in place in the states.
And I think it would make sense, definitely, for the American business community to remain competitive with other nations, to at least have the same compliance timeline in place that other nations have established. And I think that's something that definitely should be considered as we move forward with any privacy legislation. But I think we had concerns when California enacted, in a very quick manner as well, a pretty short window for when compliance kicked in. And that was a concern for businesses as well, but I think we wanted to make sure the companies know how and when these systems have to kick into place.
Bill Tolson:
Well, and California included that 12 month lookback period too, which kind of complicated everything.
Jordan Crenshaw:
Exactly.
Bill Tolson:
Yeah. I think the whole DSAR thing is going to be very costly, as well as just complying with the law. And what I've been telling clients for the last year, year and a half is, number one, raising the question: why does that DSAR cost an average of $1,400? Well, it's because they're not really consolidating and keeping track of all of the data within the company. So they have to send people out to look at 20 different repositories, get into various cloud accounts. And they're still overlooking stuff. And this is kind of one of the problems I've seen, is there's so much data in a given company that's not tracked, not centrally viewable, and it's all sitting on our laptops and workstations and stuff like that. And what if there's PII in documents on those and you get a deletion request? How can you say, yes, we've deleted everything, when you don't even have access to 70% of the data in the company?
Jordan Crenshaw:
Yeah. I think you bring up a good point, especially for larger and more complex companies, or ones that may not be data-centric companies, but use data, like a restaurant or smaller business. I think you're right. I think in terms of trying to navigate where data is, it is a complex issue in a lot of... That's why we've got lawyers and consultants to help out with that in a lot of ways. And you have to go through things like data mapping and categorization of data and-
Bill Tolson:
And consolidation. I mean-
Jordan Crenshaw:
Exactly.
Bill Tolson:
Exactly. You don't want it in 30 different potential places; you want it in one, two or three.
Jordan Crenshaw:
But then that also brings up the other point too, is if you have onerous restrictions that require you to actually have to start keeping data to figure out where data is, does that create a data pool situation in which you actually create more exposure to a cyber issue, where if you're hacked, it's all in one place? And so I think there are a lot of... This is why this issue is so complex and why we need to make sure that we get this right, is that you may have one requirement of a bill that says to do one thing, but at the end of the day, it may require you to keep more sensitive data to actually comply with other parts of the law. And so it's why it's important for companies, now, if you're not already, to have a forward-thinking and forward-leaning approach to how you collect, process, use, and share data. So you're ahead of the game for whenever legislation either comes down from Washington, DC, or it comes down in Washington state, or other states.
And having good data hygiene and good data practices in place now should be a priority of nearly every company in the United States.
Bill Tolson:
Yeah. It will sure save them money. And I would expect that if a company has a general counsel, they would be out there really pushing this because it is all about risk mitigation and cost and everything else. So yeah, this is going to be really interesting. Jordan, one of the things that I've asked all the senators I've had on and state reps about their laws, and I don't fault them for this, they all seem to borrow from each other. Sometimes it's a great deal, which I think when we first started this conversation, you were saying, yes, the chamber wants the laws to not differ wildly, so they're easier to follow and make more sense and all that kind of stuff.
But one of the things I, being from a data company, at least an information management company, one of the things I saw in all of Maine, and even in bills that did make it into a law, is their wordage around how to secure PII, how to secure that sensitive data. And they almost seem to use the same sentences across the various bills. And they all say they must use reasonable security practices. And my question has been to all of them, and I haven't really gotten a good answer yet, is couldn't or shouldn't the laws and the bills maybe be a little bit more specific around security practices? Maybe like saying all PII, sensitive data, must be encrypted while in transit and while at rest, something like that. I mean, that's an old technology. That's not something new. I would love to get your opinion on that.
Jordan Crenshaw:
Well, I think you're right that there are certain areas like encryption that are pretty key for securing networks. And we have a cybersecurity team at the U.S. Chamber that is really expert in this field that I would actually point to as a resource for anyone who listens to this. That team is run by Christopher Roberti and Matthew Eggers over at the Chamber. But in terms of security practices, yeah. Encryption is an important tool to be used and a very reasonable tool. I also think at the same time, we want to make sure that we have flexibility for companies as they're going forward in securing their systems, to be able to innovate and base their security on different factors of their company. You have to look at things like sensitivity. You have to look at the size of the company.
But you're right. And a lot of these states require things like reasonable physical, administrative, and technical safeguards you have to have in place to secure your systems. I don't think necessarily that the reasonableness standard is a problem per se, especially if you have expert agencies that are enforcing. And I always hate to take this back to private action, but I think when you have a standard that's that broad and then you have a trial bar that's incentivized then to go to court, that's when things get murkier, is that you have courts interpreting that definition, either on a district-to-district or circuit-to-circuit level, and then you start injecting less certainty into the market.
And the other thing that I think is concerning is that in a lot of cases, you've got companies out there that are trying their best. And even some of the best companies in the world with security are still going to have trouble competing with state actors like Russia, China, North Korea, and Iran, who have state resources at play to really combat them. So I think we need to have some flexibility, but at the same time, we also need to have some safe harbors in place for industries, say they're following something like this cybersecurity framework, or they're following ISO standards and things like that, if they're following those in good faith to provide some relief to these companies that are trying their best to secure their networks against state actors that seek to do us harm.
Bill Tolson:
Well. And that's why I thought President Biden's Executive Order 14028 last year, I thought was so neat, because it did lay out some pretty basic stuff. You must encrypt your data. You must employ multifactor authentication. You must employ zero trust architecture, and move to the cloud. But those are pretty straightforward that I think people should... And when I talked to the senators, they've all said, "Yeah, we know it's a little squishy and we'll look at doing amendments to the various bills or laws going forward." But I understood what you said there. That sort of satisfies me on that question.
Two more questions, Jordan. And it's around the right to erasure, the right to be forgotten, GDPR wise and stuff. I mean, I've asked this question too, of many, many, many privacy lawyers, and it comes up on the idea of, if I basically ask a company, delete the data, and there's no legal or regulatory reasons to refuse it. And they go ahead and do that. What about that data sitting on backup tapes? Have you guys talked about that? Or do you have any thoughts on that? Because I've posed that question to lawyers in Europe and all over the world and they all have opinions, but they don't have a specific answer.
Jordan Crenshaw:
I think as we look at that issue, and we talked about this issue in particular when we drafted our model privacy legislation four years ago, is legacy data systems. And is it actually possible to a hundred percent erase everything? Where we came down was that it would make more sense if there was a good faith attempt to delete on the part of a company. I know that gets a little bit squishy in terms of what that might be, but a company actually in good faith attempting to honor that request, versus there may be a system from 30 years ago, for example, that still has data that theoretically you could get access to if you had the right equipment to get access to the hard drive or something like that. I think there should be a degree of legislation taking that into account, whether or not how feasible it is to either identify the data or completely erase it.
But if there is a good faith attempt made on the part of the company, I think that makes sense from a deletion request requirement. Now, I will say this too on the right to be forgotten piece though. It's going to be really interesting to see though, if there was ever an attempt to really have a true right to be forgotten, like there is in Europe, how that would handle and stand up in the United States. Obviously, there are first amendment protections in place that would enable companies and private citizens to continue to say things that are relevant in the public square and having yourself truly deleted off of such, may not be as legally possible in the United States as say it may be in Europe, where you don't have those defined bounds of first amendment free speech rights. So that's another consideration as well too as we look at that issue.
Bill Tolson:
Well, that's a great point. And the follow-on question that's closely related to that is, especially, again, back on the right to erasure, and you probably know this, but when a computer system erases a file, it doesn't really erase it. It's changing a pointer or it's changing the first letter of the file name, whatever it happens to be. So what they do is soft deletes. And again, my question to various people around the world is, doesn't the right to deletion imply a complete, unrecoverable or irreversible data deletion?
Jordan Crenshaw:
I think... And I hate to punt this too, but I think this is going to be the topic of a lot of law review articles probably coming out over the next few years as these laws go into place, is that, what is true deletion? And I think at this point, we haven't had as much of a litigation of this issue that would actually define what that is. And as I said, I would say that if there are processes in place to delete the data and prevent the harms that those laws are attempting to address, there should be some consideration to that as we move forward with enforcement deletion. But I think a lot is left to be said about what these laws, how they're going to be interpreted. And I think, if we have a truly expert federal agency in place to help make those determinations, I think they're the right folks who can make that call.
Bill Tolson:
That's a great point, because I think if in two years somebody went to the FTC and said, can we get evidence that companies are actually doing an irreversible delete, and they might perk up. Obviously, they would eventually put into a regulation, but I agree with you. I think that's the way to go. And like I say, I've asked lots and lots of people, very smart people, they all have opinions but none of them know. It's an interesting point.
Well, Jordan, I think that wraps up this edition of the Information Management 360 Podcast. I really want to thank you for this really interesting discussion today. I got a lot out of it there. You obviously told me a lot that I didn't really know. Hopefully you enjoyed it.
Jordan Crenshaw:
Definitely. It was a great conversation. I think it's incredibly timely. And I think we want to make sure that we can get a workable national privacy bill across the finish line. So, really great conversation and looking forward to seeing what happens next.
Bill Tolson:
Yeah. Great. I appreciate it. So if any of our listeners today has questions on this topic, or would like to talk to a subject matter expert, please send an email mentioning this specific podcast to info, I-N-F-O, @archive360, (not in word).com, or my email. You can email me directly at bill.tolson, T-O-L-S-O-N, @archive360.com. And we'll get back to you just as soon as possible. Also check back at the Archive360 resource page for new podcasts with leading industry experts, like Jordan here, on a regular basis. We have a great deal lined up. I have some more state legislators that are going to be recording with me here in the coming couple of months. So look forward to that. I also have several podcasts that I'm going to record on some technical stuff around security and data privacy as well. So I really appreciate everybody taking the time. Jordan, it was fantastic having this discussion with you, and thanks everyone for listening.