Description:
Our latest episode features Tara Taubman-Bassirian, consultant and owner of DATARAINBOW. In this episode we will discuss:
- the latest updates on EU data privacy and GDPR regulation, and the recently announced Privacy Shield replacement;
- how the EU considers personally identifiable information (PII), and the capacity to control the data associated with it, as a human right; and
- how the current regulations are generating fines much larger than previously assessed.
Speakers
Tara Taubman-Bassirian
Founder & Consultant
Data Rainbow
Tara is the founder and a consultant at Data Rainbow, providing privacy advocacy consulting, research, speaking and writing at the crossroads of privacy, data protection, internet law and intellectual property, the EU GDPR, geo-location and privacy from UK, French and US perspectives. Tara is a graduate of the University of London, where she specialized in Internet and communication law.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Greetings, my name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive 360. Today's podcast is titled A Review of EU Privacy Regulations and by EU, I mean the European union. Joining me today is Tara Taubman-Bassirian, consultant and owner of DATARAINBOW, a GDPR and data protection consultancy with a background in French law and Tara is located, I believe in London. Tara, welcome and thanks for joining me today to discuss what's been going on in the EU around data privacy and GDPR. Can you tell us a little bit about your company, DATARAINBOW?
Tara Taubman-Bassirian:
Hello Bill, first of all, thanks for inviting me to this chat. DATARAINBOW is a consultancy as you've mentioned on anything compliance, data protection and anything IT, law, and what concerns compliance with the specific regulation on digital and internet.
Bill Tolson:
Great, that sounds really fantastic. Actually, one of the, and I know you probably know a heck of a lot more about this than I do, and I'll bring it up later on, but the new development in the potential Privacy Shield replacement just happened, I believe last Friday, or at least that's when I read about it. That's a really interesting thing, but we'll get into that. The biggest topic, or the most important topic most people know about in our industries around data privacy, is the GDPR in the EU, and the fact that it was the first kind of big, all-encompassing privacy law that really took everybody, I think, at least a lot of people in the United States, by surprise because they weren't really following it, but it was a very detailed law around consumer data privacy.
Bill Tolson:
And I think part of the push of the GDPR is that the EU now considers PII or personally identifiable information and the data subjects control of it as a human right, which I think is great. It obviously causes questions and issues for companies who deal in that kind of data, but I think it's a great step. So one question Tara I hear a lot around the GDPR is how is the GDPR authority set up in the EU? Is there one central kind of federated authority or does each country have a separate data protection kind of organization that works hand in hand with the GDPR?
Tara Taubman-Bassirian:
That's a really good question. GDPR stands for a general regulation that was passed by all EU nations. Everyone talks about it suddenly, while actually the GDPR was not a major revolution. There was already a directive existing before the GDPR. There is also the Charter of Human Rights that places the principle of privacy as a fundamental right. There is Convention 108 that's been going on around, but what made the GDPR become big news in the press was the far bigger fines that were introduced. So suddenly everyone talks about it. The difference between the directive and the regulation is that a directive needs national entry into each legislation, while the GDPR in principle, once it was voted, is directly applicable in any EU national legislation.
Tara Taubman-Bassirian:
There are some exceptions to what I'm saying, but mainly everything was just directly applicable, and then one of the very important principles in the GDPR is the consistency mechanism, trying to harmonize the enforcement and application of the GDPR. Every EU nation has its own data protection authority, or some people call it supervisory authority. They are in principle expected to enforce the regulation in a harmonized way. Fines should be consistent, and everything is overseen by the European Data Protection Board, which is composed of a representative of each national data protection authority. So this is the way that the power is spread. There are again exceptions to what I'm saying, because Germany, being a federation, has more than one DPA, but they are represented by one person at the European Data Protection Board level.
Bill Tolson:
Okay, that's really interesting, and I know a lot of people have wondered about that. You see references to the Irish DPA and the German or the Bavarian DPA, those kinds of things. So yeah, it kind of gave me a hint that countries have their own authorities as well, but the overriding kind of set of rules of the GDPR is what they all follow.
Tara Taubman-Bassirian:
Yeah, the expectation was that everyone would apply and enforce the GDPR at the same level with the same principles, but of course, national legislation sometimes interferes with the regulation, and some data protection authorities haven't been that active. You mentioned the Irish DPC. There have been a lot of questions around the lack of enforcement; the Austrian data protection authority has actually been directly complaining that the Irish DPC is not enforcing, and funny enough, it's very important because this is where all the big corporations are based. Yeah, it's an incentive, but it's now kind of a data protection incentive to be in Ireland.
Bill Tolson:
Well, you sort of answered my next question, and it was around, I know when the GDPR first came into effect, the authorities were relatively hands-off for a period of time so that companies could figure out what was going on and how they should wrap that kind of technology, what kind of processes they needed to build, even though they had several years before that when they knew it was coming. But nowadays, in 2020, 2021, I've read stories both ways, where the GDPR authorities have been more aggressive in their enforcement, but like you just said, I've read the articles about complaints that they haven't been aggressive enough.
Tara Taubman-Bassirian:
Yes, there are frustrations. As a consultant, I do find it sometimes difficult what to advise my clients, especially in the UK. I tell them don't do this and that, and then they come back to me and say, "Well, all our competitors are doing it." So for me it becomes an issue. I try to sell the GDPR by showing the positive aspects of it. It's not only complying with the regulation. It's also what it brings to you as a matter of trust or also security, but it is true that when some data authorities do not enforce, it's kind of problematic. We've got the Spanish DPA, which is extremely active. They are one of the good clients I would've found. It's nearly once a month that they get fined. Pretty small fines. In principle, the fines should be proportionate. They should be deterrent. Now, the other question is whether fining is the best option.
Tara Taubman-Bassirian:
We've got a recent case where the data protection authority actually asked for the data unlawfully obtained to be deleted. I think that's worth more than fining. In the UK, the main big fines were given to British Airways for a data breach and to Marriott International for another data breach. The amount was lowered partly because of the financial situation and COVID, which also made it worse. Fining BA actually resulted in BA raising the price of tickets. So somehow the BA clients are double fined.
Tara Taubman-Bassirian:
The first time they get their data breached, and the second time they will pay more, because obviously the company needs to compensate for the millions they're going to pay for the fine. So I wrote an article discussing whether fining is the best thing. The UK ICO, Elizabeth Denham, it has changed now, it's John Edwards, but at the time she started the first annual meeting she organized, she said that she might make the directors personally liable. It might be a better incentive than simply a financial fine. We've got the statistics on who's been fined and for what amount. I've been asking whether they have actually recovered the fines and I haven't seen the result; that's the other point.
Bill Tolson:
Yeah, actually that was a question I had. I just read an article last week that said that 2021 was a record year for GDPR fines. I think it was somewhere over a billion just for that year. Have you heard that, and like the question you just brought up, are those fines actually being recovered, or are they just being fined and kind of they'll play with it in court for 10 years?
Tara Taubman-Bassirian:
I don't have the answer. Some DPAs, I think the Spanish one is the case, use the money themselves. That's not the case in France or the UK, for example; the money goes to another department. Have they actually recovered it? That is a question I haven't found the answer to.
Bill Tolson:
And this is a question that we haven't spoken about before, but it aligns closely with this and with the GDPR. Within the United States, many states are creating their own privacy bills and privacy laws, and one of the things that a small percentage of the states are putting in the bills is the idea of a private right of action, meaning my data gets breached or stolen from company X, Y, Z. In certain states, I have the ability to personally sue that company for not keeping my PII secure and for basically violating, in my case, the Colorado Privacy Law. Is there a private right of action for the GDPR in the EU?
Tara Taubman-Bassirian:
Absolutely, there are actually three kinds of sanctions. What the data protection authority does is the administrative sanction. They can act based on an individual complaint, a group complaint, or they can decide themselves to investigate a company. Sometimes it has been because the case came out in the press and that attracted the data protection authority's attention. Next to that, there is article 82 in the GDPR that allows damages to individuals or a class action based on non-material damage. It's more of a civil law principle. We sometimes call it the moral damage, but that so far, I've been following that very closely. I personally think if I had my data breached, I should have compensation. That, for me, works more than what the DPA would fine, because I would like the companies to be more mindful of keeping personal data safe, especially with the pandemic, where we've seen a very serious increase in security breaches.
Tara Taubman-Bassirian:
I see too many companies that are not doing what they should be doing to keep the data secure, and there is article 32 GDPR that requires that appropriate security measures be taken. The first part of article 32 mentions encryption, but for the means, they refer to the state of the art. The French translation is the state of the knowledge, and that is put in balance. Everything in the GDPR is put in balance; it's what we call the balance of proportionality. Depending on the level of sensitivity of the data, the level of the finances of the data controller, what is available and the cost of what is available, security measures should be taken. I've specifically been fighting with some law firms, telling them you're bound by confidentiality, the data you are holding on behalf of your client, and sometimes it's the opponent's data that you're dealing with.
Tara Taubman-Bassirian:
You ought to keep it secure, but they still send all documents by simple email attachment, and that today should be absolutely, totally banned. We should not anymore send anything by email, and the UK has actually produced documents saying you should not send sensitive documents by email. One reason is because it's hackable; although the transmission of the email is okay, once the email is sitting in the inbox, anyone could access it, and a lot of passwords are too weak. There should systematically be multi-factor authentication with the password, but it's also very easy to make a human error. You're sending documents, you often start to type the email address and it suggests the full address. It happens, if you don't check properly whether it is the right email or not, you send it to the wrong person. My home address has actually been on Google, used by a private detective.
Bill Tolson:
Oh boy.
Tara Taubman-Bassirian:
I would receive mails from a law firm concerning a divorce at my address, thinking I'm the private detective. Errors happen, whereas email encryption is extremely easy. The cost is nearly close to zero. So the balance of proportionality means systematically encrypting. Even though the UK ICO has been one of the most, what I call, dormant DPAs, they have recently fined a law firm 100,000 pounds because they had not encrypted their server. They hadn't done the appropriate update on their system. They were five months late, which, compared with many cases, five months is a short time, but the UK ICO said, "According to proportionality, counting what you had, according to what you should have done, you've been negligent." Therefore, they were fined 100,000 because they were attacked by ransomware that published a small part of the data on the internet.
Bill Tolson:
Yeah, and I think we talked about this on a call, but we've reached a point with technology, and you just mentioned it, where PII at all times, but especially when it's being sent in transit and while stored, should be encrypted, and it's not, like you say, tough to do. The technology exists, it could be done very quickly, very cost effectively, and that's been my question. I've been doing podcasts with United States senators and representatives, usually the co-authors of privacy bills and laws that have passed, and usually one of my first questions is, and they all have used almost exactly the same language across all the state bills, but the one thing that I stood on, and you just mentioned it here, it's not exactly the same words, but they all refer to PII must be protected using appropriate security measures, and what's appropriate?
Bill Tolson:
Or actually, the United States senators don't use appropriate, they say reasonable, and I say, "Well, what does reasonable mean? Any first-year new attorney can make the argument that what they did was reasonable." So I've asked them why they haven't said all PII must be encrypted using at least 128 or 256 or whatever, but it must remain encrypted at all times, at least in transit and while stored, and the senators don't know why. They don't have a real good explanation, and really, that's the input they're getting from other state governments as well as industrial or companies in certain industries like cloud computing and that kind of stuff that are helping them write the bills, and they're being as kind of general as they can so it's not locking people down. And three of the senators that I talked to, I said, "You understand what I'm talking about now?" And they said, "Oh yeah, over the next year or two, as we amend the new laws that we've put in place," they'll see about trying to add the need for encryption, at least of the PII.
Tara Taubman-Bassirian:
Yeah, the GDPR in principle is what we call technology neutral. However, in that case, article 32 1a explicitly requests anonymization and encryption of personal data.
Bill Tolson:
That's 1a?
Tara Taubman-Bassirian:
Yep.
Bill Tolson:
Okay.
Tara Taubman-Bassirian:
Article 32 1a.
Bill Tolson:
By the way, I noticed in another part of the GDPR that they talk about encryption, and I think you and I actually discussed this on a call as well, and it was the idea that if there's a breach within a given company's system, then breach notification laws come into effect and you have to start notifying everybody, and it's a very costly process. And the GDPR, I think, makes reference that if the breached PII was actually encrypted and the encryption keys were not accessed, then in reality the breach notification is not triggered, because the data could not have been viewed.
Tara Taubman-Bassirian:
Exactly. However, there is increasing discussion about how anonymized an anonymization actually is, because with the evolution of technology, obviously, re-identification is becoming more and more feasible.
Bill Tolson:
Yeah, with just a small number of personal attributes, right? I know there are companies, and I won't name them, but there are companies who can gather five, six, 10 personal attributes, like hair color, your zip code, the make of your car, and basically determine who you specifically are by name and where you live, down to a 98, 99% accuracy rate. So controlling all of those attributes and making sure that those are protected as well is just as important.
Tara Taubman-Bassirian:
Yeah, this is an important element. If you are identifiable, even without giving your name, then it's personal data and should be protected. I've recently read a judgment. It was a French tax office fining an African citizen from Gabon, I think. His name was not appearing, but they were citing members of his family, his children, his wife, where they are based. He's got a mistress in Gabon, and they were giving the names of his companies and where they're located. Very easily, you put all these together and you know exactly who he is, and from him, you know who his children are, and that becomes a problem.
Tara Taubman-Bassirian:
I am one among others calling for open access to court decisions. France has opened court decisions recently, with the highest Supreme Court and the administrative and the civil courts, with the condition that they would be anonymized, and they have thought about these things, that it's not simply taking the names off. Any other element that could be put together and reveal the identity of a person should not appear. Then lawyers have asked for their names not to appear, because there would be revenge or whatever. I actually find it really good that the names of the lawyers of each party would appear, because that's the best way actually to choose your lawyer. You know exactly which cases they have worked on, and if they were not on it, obviously they don't want to always appear.
Bill Tolson:
Lawyers are interesting people. A real basic question here, and I get asked it a lot. The GDPR is effective worldwide, right? So if a company based in Colorado actually collects PII from their website or whatever from an EU citizen, then that company sitting in Colorado is subject to the GDPR requirements, correct?
Tara Taubman-Bassirian:
Usually it was always with the US that we used that long arm of the US legislation. For once, it's the GDPR that has a long arm: whoever targets or deals or trades with anyone based within the EU, no matter the citizenship of the person. It's more that when you are based in the EU, then the GDPR would apply, and the criterion is that the data is personal data, which is slightly wider than what is in the US regulation with PII. If I'm not mistaken, PII doesn't include cookies, for example. Cookies are personal data. IP addresses are personal data. If you are based outside the EU, but you're targeting or aiming to have business with anyone based in the US, the criteria would be, for example, if you're using the currencies of any European country. Your e-commerce website in the US selling and delivering to the EU and selling by using any EU currency, then you're under the GDPR.
Bill Tolson:
Oh wow, I never realized that. That's really interesting.
Tara Taubman-Bassirian:
The use of the language, the use of the currency and the targeting, the delivery, then you're under the GDPR.
Bill Tolson:
Wow. Yeah, so it is far reaching, and by the way, the individual US state privacy bills and laws have the same kind of apt reaction: they're protecting data subjects in Colorado, Virginia, whatever it happens to be. If their data's being collected by a UK company, they're still subject to the attorney general within that state and that law. So this is one of the things that I've had conversations with others about: the complexity that is basically rising, with potentially, over the next three or four years, 50 slightly different US state privacy laws, a Canadian privacy law, the EU GDPR, Australia's, China's, India's, and none of them are the same. So companies that deal with data subjects in all those areas are going to have to find a way to figure out how that specific PII needs to be managed and reacted to if somebody asks about it.
Tara Taubman-Bassirian:
There is not a huge difference, but yes, wherever you target one specific geographic area, you need to check that you're compliant with them, but Asia Pacific, PIPL, however you pronounce it, in China has also been introduced. In the US, you have a patchwork of further regulations, so that's pretty much more complicated.
Bill Tolson:
Well yeah, and I've looked at the vast majority of them, especially the bills that have passed into law. You have people who've glanced at them and said, "Yeah, they're all the same." They have basically the same rights and so forth, but if you get into the specific inclusions or exemptions within the Colorado law, or how they define certain things from state to state, they can be wildly different. In the New York law that hasn't passed yet, but I talked to the state senator on a podcast and he's the only one who's done it so far, he included the duty of loyalty and care in the bill, which is basically another way of saying that the data collector has to act as a data fiduciary. They have to treat the PII in the best interest of the data subject and not the best interest of the company itself, and I don't think that will pass anywhere, but it was a really interesting subject on that part. Staying with the GDPR, have there been any additional amendments or reforms to it in the last year or two?
Tara Taubman-Bassirian:
No, there was a recent review and, thank God, they decided to keep it as it is, which is good.
Bill Tolson:
Yeah, I mean it is the privacy law worldwide that everybody still is focused on, because it was the first, but it's also prescriptive. It's relatively complex and it's not just technology. I think the vast majority of it is processes and procedures by the actual humans handling the data, right?
Tara Taubman-Bassirian:
A lot of it is based on the accountability principle, where you have to have done some thinking before acting to make sure that you are keeping data secure and you're not taking unnecessary risks around the data. There is the data protection impact assessment when there are higher risks. When you have a subcontractor or sub-processor, you have to sign a specific article 28 contract with them to show that you've made sure that they would respect the data the same way that you have to. You have to keep some logs on what's going in and out.
Tara Taubman-Bassirian:
You've got what we call the ROPA for the bigger companies, where you need to keep an account of where data goes and what you're doing with it, that record of processing. So yeah, there are some formalities, but most of it is the five principles, which are keeping data secure, confidentiality of the data, data minimization (this is one of my favorite principles: if you don't have more data than necessary, you are safe from a lot of issues, including security problems), and limiting access to data, that's another principle that's important.
Tara Taubman-Bassirian:
Then accuracy is one that is often forgotten. It's part of the fact that you should not keep data longer than necessary, and if the data that you're holding is not accurate, you should delete it. You should not keep data that is inaccurate. I usually advise my clients, in their privacy notice, to request the data subject to tell you about any change of their personal data. Otherwise, you end up holding data that is not accurate.
Bill Tolson:
Yes, one of the other things that I talk about a lot, and it's because of the GDPR and then all of these other global privacy laws that are coming into being, is I think it's forcing companies to manage all of their data versus just the records, the compliance records. At least in the United States, only 5% of the data that flows through any corporation is actually regulated or compliance data that has specific retention policies, but it's the other 95% of the data that the companies don't track, don't even know exists because it's sitting on individual laptops or it's up in cloud accounts, but it's all company related, and that data can hold personally identifiable information too. So when a data subject like me calls or sends an inquiry to Archive 360 saying, "What data do you have on me?" If they're not managing all of their data, not just their records, then they can't give me an answer to that, right?
Tara Taubman-Bassirian:
Yeah, absolutely. It's very important to have a data map. You have to be able to know where your data is held, where it goes, where it comes from and where it's sitting.
Bill Tolson:
And how it's secured and who has access to it, because if you're reacting to a data subject access request, you need to know, like you say, via a data map, where that data potentially is and get access to it, because they might ask you to delete it. They might ask for a right-to-be-forgotten type of thing, and then you have to go find that data and delete it.
Tara Taubman-Bassirian:
We also got data portability under the GDPR. So you go to one company and then you decide to change and go to another company. Company A has to be capable of providing portability of the data to company B. So they need to know in which box the data is.
Bill Tolson:
And that brings another question, again related but nothing we've talked about; I don't believe we talked about it in the past. It's the idea of backups. If I request Archive 360 to delete my data and they have to do it in 45 days or whatever it happens to be, what about those backups that contain my PII? Has there been a decision via the GDPR?
Tara Taubman-Bassirian:
Yeah, there's been a recent clarification by one of the DPAs. I cannot remember which one it was, because you have to prove that you actually received that deletion request and you have done what was necessary. So the DPA has said that you could keep some backup as proof that the request came and you deleted.
Bill Tolson:
But if that PII that was deleted off of the active systems still remains on the backup tape?
Tara Taubman-Bassirian:
You should retrieve that backup and delete it.
Bill Tolson:
Well, and that's the question, because I've read several opinions from European law firms and some in the US, and they all said, and I think we'd acknowledge, that's extremely expensive. Especially if you're getting 15, 100 deletion requests per month, you have to go find the individual tapes that may have my data on them, do separate restores, find the data, delete it, redo the backup, put the tape back, do the next one. And I've read opinions, especially from European lawyers, that say they think they could get away with not going to the backup tapes to specifically address a PII deletion request, but keeping a priority list. It says the next time that company accesses any of those tapes, then this list of data subjects needs to be deleted. So there might be a month, two months, six months lag time, but the idea is that no one's accessing the backup tapes until they have to for a restore, and if they do the restore, then they're obligated to go find that PII and delete it. Does that make sense to you?
Tara Taubman-Bassirian:
Well, I have somewhere in my mind a case that actually said, "No, it's your duty to go and retrieve the backup." But I cannot be 100% sure, unless you prove that this backup is totally disconnected and hardly anyone has access to it.
Bill Tolson:
So in technical terms, it's air-gapped.
Tara Taubman-Bassirian:
Yeah.
Bill Tolson:
Interesting. Yeah, I'd like to track that down, because that's been a question I've been asking and discussing ever since the GDPR actually became law, and I think it's a really interesting one that everybody I've talked to doesn't have an answer for. I think you're the first person who said, "Yeah, I think there was a decision on that," and you can obviously determine that would be awfully costly. So if that actually is enforced, then you could see the whole backup industry having to change.
Tara Taubman-Bassirian:
It all depends how you argue what you have to do or what you try not to do. Going back to the balance of proportionality: if you could actually, in your accountability document, justify that retrieving this data would be costly, if the data is not accessed by anyone, so you can justify that it's just sleeping data and keeping it doesn't make much difference, according to the sensitivity of the data, you can always document that and say, "Well, we eventually, putting that into the balance of proportionality, decided that we would keep it until the next time we access the data."
Bill Tolson:
Yeah, but it's not a hard and fast rule; that might differ from geography to geography, right? Ireland might look at it differently than Germany, for example.
Tara Taubman-Bassirian:
Indeed, but they're usually sensitive to the reasoning that you are deploying, and if your company hasn't done anything else wrong, if it's just this, you get away with it. It all depends, case by case, on how you've justified it; that's very important.
Bill Tolson:
Okay, and like you say, and you've said it a lot, and I think you need to, the idea of proportionality is built into the GDPR, and that makes a lot of sense.
Tara Taubman-Bassirian:
A lot of it is justifying why you have decided to do this and that. A little bit like a math test at school: if you simply give the answer to the calculation without explaining how you came to that result, it isn't worth anything. What the math teacher wants is that you explain exactly the reasoning behind the operation.
Bill Tolson:
Yeah, I mean it's like the legal argument, at least in the United States, around e-discovery, and the plaintiff saying, "I want you to check all your backup tapes for potentially responsive data." And the newer versions of the Federal Rules of Civil Procedure get into the idea of proportionality, and the judge could very well say, for this case, the cost of restoring 50 or 500 backup tapes doesn't justify it, so that's taken off the table, and move on, and I think that really made sense. By the way, I read this last week and I just want to see if you've heard about it, but I read, I think it was a press release, that basically said last week EU lawmakers have made it clear that explicit permission is required from site visitors to install cookies on their computers. A visitor simply browsing through a website does not imply consent for their information to be captured.
Tara Taubman-Bassirian:
Absolutely, the principle was based on a European Court of Justice decision, Planet49. I believe it was 2018, that said there should be explicit consent given by a positive act, and of course there's a need for transparency. So there should be a privacy notice explaining who is accessing, and namely, not saying some of our colleagues would access it. No, it has to be every company that accesses it.
Tara Taubman-Bassirian:
These data should be named and there should be an explicit button by saying yes, and recently the French CNIL has fined Google and Facebook because the way of accepting and rejecting should be as easy. Now, what I mean, there are a lot of websites, you would have the choice of saying yes or learn more, usually this kind of expression, and then you go different steps until you can actually say, "No thank you, I don't want anything." Well, it has said clearly now Google and Facebook have been fined. You should have two buttons, one accept and one reject. Can put something else, but it should be two exactly the same, not even two different colors. They should be two exactly the same and rejecting should be as easy as accepting the cookies.
Bill Tolson:
Well and that gets into the idea of dark patterns. Have you run across that?
Tara Taubman-Bassirian:
The European union has published actually a project on the dark patterns. I won't go further into that because I haven't yet completely analyzed the document, but this is on the radar.
Bill Tolson:
Yeah, it's an interesting concept and I've run across it. I've run across sites that do their best to fool you into giving consent even to the point where you say no deny consent behind that button is I accept, even the state laws here in the United States now are starting to call out dark patterns to say, "No, you can't do that." But I know we're getting short on time and I wanted to ask you about the new development in the privacy sheet that was invalidated. I think in 2020, it was the Max Schrems decision, which I thought was really interesting, but just last week I read on very many sites that said the EU and the US reach an agreement on a privacy shield replacement to enable translating data flows. Have you gotten any more information on that? Is it actually assigned agreement or is an agreement in principle that still needs to be?
Tara Taubman-Bassirian:
It's a political agreement between the European commission and the US government, but it's not concrete yet. The reason why the privacy shield that before was called.
Bill Tolson:
Safe Harbor?
Tara Taubman-Bassirian:
Safe Harbor, thank you. They were invalidated is because EU citizens whose data is processed in the US and don't have a redress option.
Bill Tolson:
Yeah, the US government, various agencies could demand access to that data either via direct court request or via secrecy warrants where you could go to a cloud provider and say give me all of Bill's data and if you encrypted it and you have the encryption keys, decrypt it and give it to us, and by the way, it's against the law for you to tell him that you gave it to us, and that freaked a lot of people out and it's also the FISA laws, FISA 702, but I don't see how a new version of the privacy shield is going to get around those FISA laws and the Cloud Act and others in the United States where it does give government agencies permission to access any data held by US equipment or US property.
Tara Taubman-Bassirian:
They shouldn't. They can be a political agreement, but until FISA 702 and the executive order 1233 hasn't been amended or a new executive order saying we are not continuing to do the same kind of investigation of European data or initiating a right redress for a European citizen and having the ombudsman and it was the part of the agreement with the privacy shield was the US would create an ombudsman and happen. So until all these are not done, it would be either Max is not happy with the agreement so you would appeal again, and the European court of justice would say same, and within the EU, there are two different politics, one is the European commission. They are the one who read with the privacy shield, but the European parliament has a different position, and they've often been against the privacy shield. At the beginning after Schrems's decision, a lot of US corporation came and said, "Well, we've got EU based server." But that doesn't mean anything because the FISA 702 allows the US government to intercept the data wherever the server would be.
Bill Tolson:
Yeah, if it's a US server, right? That's the Microsoft Ireland case, right?
Tara Taubman-Bassirian:
Yeah, Microsoft, Google, Facebook. Even though the server would be based within the EU, some say that we will have our dedicated server in the EU, but that doesn't work anything because if the US government want to intercept, they will do whatever they want. Then for the Google analytics, Google has said, "We have never received a request from the US government." However, there are cases, they have published a list of their request, but in some cases they're not allowed to even reveal that we received the request and on the Google analytic, I guess that they didn't ask access to the Google analytics data, but whenever Google analytics data is combined with other Google information, this is where they would go and not the dispatch information on the analytics separately.
Tara Taubman-Bassirian:
So it's political. It's a shame because yes, it does make the international trade very complicated. The problem exists with the US, but also with other countries, and with Russia gone, its been recommendation of not sending any more data to Russia. China is another government that creates issue with unlawful access to data. I think it's fair game. As an EU citizen, I'm very proud to have a European parliament that defend my rights and don't want to allow any foreign company to access more, right? And obviously US government has been complaining against the Chinese and the Chinese telecom that's been banned because they were accessing US.
Bill Tolson:
Yeah, Huawei. I mean you can really get into some interesting stuff and that whole idea of putting data in the cloud and then a government in this case, the US government going to that third party cloud provider saying, "Give me the data." One of the ways around that is number one to encrypt your data before it goes into the cloud, but encrypt it on PREM and keep the keys on PREM, and then you can put them up in the cloud and US intelligence agency goes to the cloud provider and says give me the data and decrypt it. Sure, you could do the data, but it's going to be useless to you unless you come to us as the company who owns the data and go through a court proceeding to have us turn over the keys. That way at least you get around the whole idea of secrecy warrants and stuff like that.
Bill Tolson:
And we've had a lot of large companies basically say that is we're moving to the cloud, but we're really afraid to put a lot of sensitive data in the cloud because then it could be hacked by other nation states, by agencies, by hackers and that kind of stuff. So if you're automatically encrypting the data, but you're keeping the encryption keys local, then at least you're slowing down the progression of that data being taken, and I think and I've talked to European law firms about this, the idea of using encryption to send the data, maybe to a cloud tendency that my company owns and keeping it encrypted gets by the GDPR or the privacy shield or the old privacy shield requirements because the data's not usable.
Bill Tolson:
But if that data is encrypted in a way where it can be used while encrypted, we get in some really interesting and I won't get into technology, but it's called homomorphic encryption, but that is one way potentially to address this idea of EU data transfers to the United States is putting all the additional technology around it so that at least, I mean and you can include these specific technology requirements in the standard contractual clauses and at least it slows down the data being taken, but that's a really complex question.
Tara Taubman-Bassirian:
It was part of what the European commission court of justice said on the shrimps to decision that you should take appropriate supplementary measures, and part of the supplementary measures were encryption. Encrypt is very interesting subject. I'm all for it. However, government are also fighting encryption because then they access the data.
Bill Tolson:
Or they want backdoor built into the applications.
Tara Taubman-Bassirian:
That's a problem and yes, you can encrypt, send the data anywhere that doesn't have an adequacy decision with the European commission and keep the key in Europe, but when they need to work on the data, obviously they need the key. It could work if the cloud provider who is doing the transfer that's not the key, then it arrives in outside the EU and then you communicate the key. So the company that would not be one of the internet communication services to whom US government can request access, then they will have the key and not the cloud provider. That's one option, but we've got the case in France with the medical health data that's been treated by Microsoft with DataHub. CNIL, the French data protection authority was asked to give their advice, and their advice was that because there is no other solution and temporary, they allowed that to happen in a short term.
Tara Taubman-Bassirian:
And they ask actually Microsoft to bring admin to their contract to make sure that the data was processed properly. The temporary measures should end soon and I don't think they have actually find a way to get around that. It's a shame that Europe has lost their digital sovereignty. We don't have really European cloud and that's the big problem. There is a project Gaia X. OVH is one of the partners. Unfortunately, OVH signed an agreement with Google. So it's kind of bringing the folks into the things of its a shame, it's all lost its meaning, but there is a lot of conversation and discussion around having European cloud and Europe getting back there, sovereignty.
Bill Tolson:
Yeah, I think that'll eventually happen and it has to happen, but this whole idea of data privacy and how it's expanding worldwide is just adding a tremendous amount of complexity and cost to companies. So for whatever reason, collect PII, I mean you have a company with a website, you write a white paper, you put up a form that says, "Well, if you want to support this white paper, give us your name and your email address and some other information, you can have it for free." And then what do you do with that data? I mean most companies will use it for direct marketing. "Hey, we have a new newsletter or we just came out with a new revision."
Bill Tolson:
But I think the biggest problem is other companies will collect that stuff and sell it, consolidate it and do all kinds of weird analytics on it that lets some mine all kinds of information that the original data subject probably wouldn't like to have happen, but they don't know this stuff. So it's going to get more complex. It's getting much more complex in the United States as well, but I think the EU was the trailblazer here and really coming up with GDPR. Do you think the GDPR is going to continue probably relatively slowly be amended over time to add new capabilities or new restrictions?
Tara Taubman-Bassirian:
I think with the GDPR since the reform, I was actually advising on the reform of the previous directive. In my opinion, what GDPR is missing is going after actually the data broker industry. That's probably something that should be added eventually along the line. Control and transparency is good for data subject, but quite often data subject don't actually realize what's behind. People say, "Oh yes, targeted marketing. I am there, offer whatever I want and not something I don't want." It's actually much more than that. The whole industry in the backside is doing far more than simply telling you what you want to know. We've seen with the Cambridge Analytica. The way that political opinions have been manipulated, the way that we are all provided. I was discussing today. Twitter has started to send me much more based on your likes, based on your whatever. They actually control what I'm reading. I'm not reading everything that all my contacts are posting. I'm reading what Twitter thinks that I should be reading.
Bill Tolson:
What they're elevating is to what you're going to see first.
Tara Taubman-Bassirian:
Yeah, but I'm thinking based on what they are saying that I like, I'm very interested to know actually in which category I am because it looks like I'm very much into data protection and human rights and all these things, but if you gave my profile to a repressive regime or if I was in China or Russia, I might go straight into jail. Why should I be profiled? Why should I have, we've left social media platforms take over a lot of power.
Bill Tolson:
No, I absolutely agree. I think social media and data brokers.
Tara Taubman-Bassirian:
It comes [crosstalk 00:47:01] the end of the United States, you like it or you don't like it, but Donald Trump was the president of the United States who is Twitter to ban Donald Trump.
Bill Tolson:
Exactly. I mean you might very much dislike the guy, but there are millions of people on Twitter and even on LinkedIn that you dislike and they're not being disappeared, that's too much power.
Tara Taubman-Bassirian:
They let Donald Trump speak and tweet and send fake news and everything for years. Why then suddenly one day they decided that he should be banned without proper judgment. We are in democracy.
Bill Tolson:
Or why should you be banned? I mean if it's a free and open platform, then people should be intelligent enough to discount the garbage and everything because to certain group of people, it might not be garbage. To the other people, it might be. Basically the social sites, pick a side by deciding which one they're going to delete. That's scary, that's very scary. So Tara, I know we've used up almost an entire hour here and it was a lot of fun. I really enjoyed it.
Tara Taubman-Bassirian:
My pleasure.
Bill Tolson:
For our listeners here, we're going to end the Information Management 360 podcast. I really want to thank Tara for this really enjoyable and educational discussion today on very important subject of data privacy and regulatory environment in the EU, and like we talked about the US. If anybody has any questions on this topic or would like to talk to a subject matter expert, please send an email mentioning this specific podcast to info, I-N-F-O @archive360.com and we'll get right back to you as soon as possible.
Bill Tolson:
You can also email me directly bill.tolson, T-O-L-S-O-N @archive360.com and you can also contact Tara to speak with her or to converse with her. Tara's email address is datarainbow.uk. And also check back on the Archive 360 resources page for new podcasts with leading industry experts like Tara and legislators. In fact, I'm recording a podcast next week with the co-author of the Utah Consumer Privacy Act, Utah state Senator Cullimore to talk about his experiences around the Privacy Act specifically in Utah. So look for that and I have several others on the resource page with other state senators, but again Tara, I really want to thank you for taking the time. It was fantastic information. I learned a lot and thank you.
Tara Taubman-Bassirian:
My pleasure, thank you very much.
Questions?
Have a question for one of our speakers? Post it here.