The number of issues and events related to data privacy and data protection over the past several years are enough to inspire new Billy Joel lyrics.
In the Data Privacy and Data Protection 2019 session at Relativity Fest, moderator David Horrigan agreed that the issue is up there with climate change as one of the most important issues facing society today. I always wonder how topics so vast can be wrangled into a 50-minute discussion, but the resulting conversation at Relativity Fest was more like a debate about the necessity and the perils of striking a balance between data privacy and data protection—and it is a prickly scale.
There’s one important distinction: The panelists considered data privacy and data protection to be two different things. Data privacy is concerned with the proper handling of data. Oftentimes in the U.S., data privacy practitioners are tasked with finding all the ways an organization can use your data without breaking any rules. Data protection, on the other hand, is concerned with creating those rules and methods that keep important information safe from compromise or loss.
With that in mind, here’s what our panelists Rosemary Kuperberg, assistant general counsel and data protection officer at Ellucian, Ed McAndrew, partner at DLA Piper, and Judge Andrew Peck (ret.), Senior Counsel at DLA Piper, had to say.
Grateful for the GDPR
As Ed pointed out, there hasn’t been much of a role yet for international law in data privacy. But we live in a global economy where technology supersedes physical borders, and countries that attempt to protect the data of their own citizens will have a significant impact on the rest of the world. Consider the impact of the European Union’s General Data Protection Regulation (GDPR) on the American legal system.
“Prior to the GDPR, discovery decisions in America tended to consider the U.S. interest over the foreign interest,” Judge Peck said. “GDPR has helped level that playing field, but it’s also very difficult for American lawyers and judges to get their heads around the concept that business email in Europe is classified as personal email. It makes a litigator’s life incredibly difficult when they have data abroad.”
Since she comes from more than 10 years in the data privacy world as part of a highly regulated industry, Rosemary welcomes the GDPR into her day-to-day.
“It got a lot of attention at the board and executive level,” she said. “Leadership is finally paying attention, which is nice, and we were set up in a lot of ways to handle it because of the regulations our team already faced with the Family Educational Rights and Privacy Act (FERPA).”
While GDPR made all the news, other regions like Latin America and Japan have begun to strictly regulate and prioritize data protection for their citizens. In the U.S., the constant change gets much more complex without a consolidated federal law. And the panelists agreed, that’s where it can get fun.
The Tension Between Productivity and Security
While it feels like all the evolving regulation and case laws are getting the U.S. closer to an answer, the tension between law enforcement having access to evidence and private citizens enjoying a right to data security makes things more complex.
“Encryption is often named as a fundamental way to ensure security,” Ed said. “But it also becomes a great tool for criminals when law enforcement can’t obtain evidence that’s encrypted. There’s a growing ‘going dark’ problem, and we need to have an open dialogue in the U.S. about where we draw these lines.”
When we make it easier for law enforcement to access private information for good, we may in turn make it easier for others to access private information for bad.
“You have to think about the worst-case scenario—if it’s one case impacting one person, is it worth the privacy of many? That’s a difficult question,” Rosemary said.
What’s interesting is we’re grappling with this concept of privacy while we’re discovering even more types of private data. Biometric data is the most recent example of information that should have more protection guidelines.
“Biometric data is different,” Rosemary said. “You can’t just change your fingerprint if the information gets compromised.”
Time to Develop a Point of View
At the end of the discussion, Rosemary brought up an article published in 1890 arguing for “The Right to Privacy” in response to the invention of the camera.
"For as much activity as we've seen in the past few years, it's hard to think of it, but we're still only at the very beginning of this,” Ed said. “We're going to have a lot to do over the course of our careers.”
Now that major developments like the GDPR have made the individual consumer more aware of their own rights to privacy, data protection is top of mind.
“I think we are going to need national laws on all of this,” Judge Peck said. “And I think attitudes toward privacy—particularly youth attitudes—need to better balance the privacy cost associated with giving personal data in exchange for free apps and services.”
Throughout the course of our lifetimes, the legal community together with private citizens will continue to weigh the impact of data privacy and data protection as the landscape shifts underneath our feet.
Expect many more spirited panel discussions on the topic, especially if you plan to join Relativity’s upcoming sessions at Legaltech where another exceptional cast of experts will get together to discuss more of the progress, the tensions, and the shortcomings of data privacy versus data protection.