What you'll learn on this podcast episode
How are data privacy laws like GDPR impacting business? What can we learn from Amazon’s $850M fine last year, and Facebook’s recent posture about leaving Europe altogether? In this episode of Principled Podcast, LRN Chief Legal Officer Aitken Thompson talks about data privacy regulation with Donovan Burke, Partner at VGC LLP and General Counsel at DWELLoptimal Inc. Listen in as the two discuss what’s happening now in the regulatory space when it comes to data privacy and protection, and what steps organizations can take to stay ahead.
Principled Podcast shownotes
- [1:16] The current stance of GDPR, CCPA and developing regulations in the U.S. and Europe.
- [2:24] What trends in data privacy and security should CCOs, GCs and CTOs be considering in 2022 and beyond?
- [3:33] What actions can be taken to protect a company and educate employees?
- [4:45] Other laws and regulations aside from GDPR and CCPA.
- [5:55] How seriously are organizations taking these regulations?
- [8:49] How are companies handling multiple geographies and jurisdictions?
- [12:08] Are there actually conflicting requirements?
- [13:58] What are the positives of complying with these regulations?
Where to stream
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.
Guest: Donovan Burke
Donovan Burke is a dynamic and visionary legal advisor and thought leader focusing on Emerging Companies, Corporate Structure and Governance, Mergers & Acquisitions, Seed and Venture Capital, Initial Public Offerings, Corporate & Securities, and expertise in Data Privacy. He is a proven legal counselor and executive as a Partner in premier global law firms and General Counsel of major technology ventures.
Host: Aitken Thompson
Aitken Thompson became interested in the then-nascent field of educational technology after starting his legal career at Kirkland & Ellis. He left law firm life and co-founded Thompson Educational Consultants and, subsequently, Taskstream, LLC. Taskstream quickly became a leading company in assessment and accreditation for higher education. Aitken served as Chief Operating Officer, leading the legal, human resources and finance functions of the business. Beginning in 2016, Taskstream underwent a rapid expansion, merging with five other ed-tech companies in a span of 18 months and, in the process, becoming Watermark, LLC, and creating the “Educational Information System” category of ed-tech. During this period, Aitken’s legal and HR focus expanded to encompass private equity investment and the transition between primary sponsors, cultural and process integration amongst the various merged entities, and the management and harmonization of legacy client and vendor contracts.
Aitken is a graduate of Columbia College and Columbia Law School. He is a life-long New Yorker, but spends as much time as he can sailing off the East End of Long Island.
Principled Podcast transcription
Intro: Welcome to The Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers.
Aitken Thompson: How are data privacy laws like GDPR impacting business? What can we learn from Amazon's $850 million fine last year, and Facebook's recent posture about leaving Europe altogether?
Hello and welcome to another episode of LRN's Principled Podcast. I'm your host Aitken Thompson, chief legal officer at LRN. And today I'm joined by Donovan Burke, partner at VGC LLP and general counsel at Dwell Optimal incorporated. We're going to be talking about data privacy regulation, what's happening now, and how organizations can stay ahead. Donovan Burke is a real expert in this space. He's also a proven legal counselor and executive as a partner in premier global law firms and general counsel of major technology ventures. Donovan, thanks for joining me on the Principled Podcast.
Donovan Burke: Thanks for having me Aitken, a pleasure to be here.
Aitken Thompson: Great. Let's just jump right in. By this time I think it's safe to say that most, if not all, CCO's and GC's are at least aware of GDPR and the California equivalent CCPA. They are also aware it's a very fast developing area of regulation here and in Europe. Can you just give us a lay of the land for those who don't know, or are not as aware as they would want to be about these privacy and data regulations?
Donovan Burke: Absolutely. In the United States, these regulations were more of a secular variety in the recent history, laws applying to health or financial services. All had elements of them that are data privacy elements. But for several decades, Europe, in particular, has developed very sophisticated, comprehensive data privacy laws. The most well-known of which is the GDPR and GDPR like laws are the laws that are proliferating presently, and they're comprehensive privacy laws that govern specifically information relating to an identifiable person, and protect that person's rights with respect to that information.
Aitken Thompson: So what are the trends in data privacy and security that you think that CCO's and GC's and CTO's for that matter should be thinking about in 22 and beyond?
Donovan Burke: Well, as I mentioned before, these laws are proliferating. Not only is the GDPR itself becoming more complex, there's more guidance coming out on it every day. GDPR laws are being exported and adopted in a lot of other jurisdictions, Brazil, China, India, and in the United States, starting with California and the CCPA, which will soon become the CPRA and Colorado and Virginia, and there's a handful of other states that this year are expected to adopt GDPR like laws. So, I think this is not a trend that's going away anytime soon. These laws all have extraterritorial jurisdiction, meaning it only requires usually a fairly tenuous nexus in order to be covered by these laws, and as more jurisdictions adopt them, the more likely it is that any given venture is going to run into data privacy issues, that are consistent with the GDPR like law.
Aitken Thompson: So what can GC's and CCO's do as sort of action items for protecting their companies and educating their employees on GDPR and CCPA?
Donovan Burke: Yeah, well, just taking a step back, these laws, training employees is not only a means to complying with the substantive, or the other substantive aspects of the law, because of course you need to do that. The employees are the ones that are where the rubber meets the road. They're the ones that really need to be able to identify when a privacy issue potentially arises. The average employee is not, nor could they possibly devote the time to having the expertise to solve these problems, but they need to be able to elevate them. But apart from that very critical function of knowing when to alert someone who's an expert in this area, in order to properly assess a potential privacy issue, these laws actually require the training and documentation of the training as part of the accountability and showing that they're in compliance with the law. So it's a critical, critical aspect.
Aitken Thompson: [inaudible 00:04:44] people who are aware of GDPR and CCPA, which as you mentioned, is now going to be known as CPRA. Are there other jurisdictions, nations, and for that matter inside The United States that are also promulgating similar laws that people have to be aware of and follow the action vis-a-vis those laws and regulations promulgated underneath them?
Donovan Burke: Yeah. Oh for sure. And that's obvious. Brazil came out a year or so ago. I believe it became effective with a GDPR law, very close to the GDPR. China has a law that is derived in large part from the GDPR and India also. Obviously, these are huge markets and that is going to continue to be the trend. And as we mentioned the CCPA has already, after just having been effective for a couple of years, is becoming the CPRA, and what that really is move even closer of the GDPR, adding some special considerations for sensitive data and other key GDPR concepts.
Aitken Thompson: So it's my impression that people are aware that these laws do carry some potential stiff penalties and enforcement actions are available by governments potentially, and also potentially by individual people who had their data exposed. But I get the feeling that a lot of CCO's and GC's are still not taking the enforcement mechanisms as seriously as they should. Has that been your impression, or am I off on that?
Donovan Burke: I think that has been true, although I think given that enforcement has, I believe it's trebled in the case of the European Union enforcement actions and, really expensive ones like the Amazon that you mentioned that was $800 million or so ultimate hit to Amazon. So I think they're waking up and I think they should be. Let's take this in a couple of pieces. Private rights of action can get extraordinarily expensive in the United States where these GDPR like laws have been implemented, the private rights of actions are fairly limited today. They're not nearly as limited in the European Union. Although recent court cases have made it a little more difficult for folks to bring private rights of action. But I think there's been a lot of forbearance on the part of authorities that bring the enforcement actions apart from being sued by a person, the actual agencies that enforce these laws.
I think they've given people a break because they realize that these are new laws, they've been changing so rapidly. It's really hard to figure out how to comply even the authorities themselves aren't sure how to enforce the laws until there's some more guidance from the promulgating authorities. And that's certainly been the case in California, and also been the case in the European Union, where until recently most of the enforcement actions were where there was kind of an obvious and urgent issue, a breach, where there was a data breach. That would be where the authorities would step in, but now in all jurisdictions, it seems like that break is over and there's enough guidance to know how to enforce, and so you're seeing a lot more actions in the European Union, for example, where they're for failure to have a proper legal purpose or a lot of other more subtle aspects, apart from there just being a massive data breach, which is an obvious problem.
Aitken Thompson: And when you say legal purpose, you mean legal purpose to have, and to share the data?
Donovan Burke: Exactly, under the GDPR you have to have a legal basis for processing the data, and there are a number of bases that you can have, including a legitimate purpose or consent. And some form of that generally finds its way into the laws of any jurisdiction that has a GDPR like law. But the point I'm making is there are a lot of, for example, there are disclosure requirements, very specific kind of what you need to cover and disclose, and what you need to do in order to get the right kind of consent. And I think all of those types of more technical issues that the authorities have been willing to overlook because they've been in a state of flux. And what does that mean, and how do you do it? But I think they're getting to a point where they feel like people ought to know it enough at this point, and there's enough guidance to where these laws are going to be enforced.
Aitken Thompson: Right. And you sort of getting into sort of the aspect of best practices, or the topic of best practices, certainly as CCO's and GC's, how we react to regulatory risk is in the main reaction, prospectively is to put in some best practices in place. Make sure you're following the correct procedures. But in the complicated regulatory situation, like data privacy is. How are companies handling these multiple geographies and jurisdictions and certainly slightly different requirements in each one, although they're sort of related? Is the answer just to apply the most restrictive rules globally, or do you create redundant systems and regionalize those systems in conjunction with where you are, where your data sits? Ultimately, what are the factors that go into the decision on how to, how to handle data?
Donovan Burke: Well, the answer, is it going with the most onerous laws, the most demanding jurisdiction, or is it to really try to be more compartmental in terms of compliance? The answer to that is yes, it's both depending on your resources, and how the laws impact transacting your business. Really large scale enterprises that have a particularly heavy personal data component where it drives their revenues is critical core to their business. If the most onerous laws are antithetical to collecting and using the data that in a way that's most profitable for them, then obviously they're incentivized to try and have a different user experience for different jurisdictions, so that they can maximize the use of the data jurisdiction by jurisdiction.
Whereas other enterprises where the personal data component, isn't so important and where the data that they have to collect isn't really impacted over jurisdictions and there's less an incentive to behave differently and to have a different experience jurisdiction by jurisdiction. And at the top level of all this, is money. No matter how large the organization, there are only so many resources that can be thrown at this particular aspect of doing business. And certainly you want to try and achieve an optimal level of compliance, but at the end of the day, for a lot of people in charge of these programs and enterprises, it's figuring out how best to leverage the resources that they have.
Aitken Thompson: Absolutely. I believe that's more or less true of all compliance efforts, but certainly one as complex as this one. One follow-up question on that obviously a short podcast is a textual analysis of these very complicated laws, are sort of well beyond our scope here, but it had occurred to me, and I wanted to ask you. As between the GDPR CCPA, are there actually conflicting requirements, with either, or that we have to think there may not be? But I'd love to ask the question.
Donovan Burke: Yeah, there can be, the privacy laws themselves don't tend to be in conflict, but for example, the privacy requirements, as we mentioned at the beginning, these data privacy laws have an extended jurisdiction. So just because it's the GDPR and it's the European Union, it extends to really anyone who establishes a nexus with the European Union, which most large US corporations, for example have that nexus. And so often the conflict will come up in personal data, that's required to be disclosed in litigation and other administrative matters here, where our rules of litigation and our laws, rules, regulations, require disclosure of information that the similar laws in the European Union do not require. And so you may be required to disclose information pursuant to laws here, and disclosure of that information is in conflict with your obligations under the GDPR.
Aitken Thompson: Got it, it's interesting, we've been talking mostly in the last couple minutes about sort of the compliance end of things, but CCO's are called chief ethics and compliance officers first for a reason. And so beyond compliance and beyond the sort of fear of enforcement actions, and balance saying compliance with business objectives, what are the positive, obviously these laws were created and are being enforced to protect people, and protect their data and their identity, and all sorts of other things. So there should be some positive in terms of compliance and following these laws. What do you see as a positive for that the CCO or GC you can point to, and sort of animate the discussion with, regarding these privacy laws regarding what's to gain from complying with GDPR and CCPA and the other regulations?
Donovan Burke: Yeah, well the debate over whether data privacy and privacy generally is a good thing, was settled thousands of years ago, all these laws derived originally out of some of the original texts of the world's religions and then evolved into charters of the European Commission and the United Nations, and have found their way. So certainly there is a huge ethical component and a human rights component, to providing people with protection of their data, in addition to being perceived as a true ethical issue that it is a substantial, competitive advantage.
It's a market differentiator, consumers definitely will tend to gravitate towards a company that is perceived as taking the privacy of its data seriously. And surveys have identified it as the top ESG category for consumers. And it's also regarded by investors as a key ESG concern. And it's not just in the context of being attractive to the customers of a business, but as you well know, companies are looking at and buying and joint venturing and doing all kinds of business combination arrangements with other companies. And that is increasingly becoming a matter for diligence, and real consideration in terms of value and compatibility in doing these corporate transactions.
Aitken Thompson: Absolutely. And certainly LRN has done a fair amount of research on this, and all our research points to the fact that data privacy along with other ESG issues are becoming more and more, very, very important issue for corporate boards, both public and private boards. Well clearly this is the conversation we could be having all day, but we're out of time now, Donovan. So thank you so much for joining me for this episode.
Donovan Burke: Oh, I really appreciate you having me, the time flew.
Aitken Thompson: Great. Thank you. My name is Aitken Thompson, and I want to thank you all for listening to the Principled Podcast by LRN.
Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. And if you enjoyed this episode, subscribe to our podcasts on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen. And don't forget to leave us a review.