The world of data privacy is constantly changing. In this episode with Justine Kasznica and Ashleigh Krick of Babst Calland’s Emerging Technologies Group, the duo will discuss:
Plus get insight on the FTC's investigation of Twitter. Read more on this topic at Babst Calland's EmTech Blog.
You are listening to the Babst Calland Emerging Tech Law Podcast Series. And I'm your host, Jonathan Kersting with the Pittsburgh Technology Council and TechVibe Radio, really pumped to get this series off the ground. So we're talking about some really kind of cool, crucial stuff when it comes to any business out there, especially on the tech side of things. And I've got two fabulous people hanging out with me today from Babst Calland's Emerging Tech Practice. We have Justine Kasznica and Ashleigh Krick hanging out with us today, guys. So excited to talk to you. Welcome to the show. Glad to have you here.
Great. Glad to be here. Thanks, Jonathan.
Thanks, Jonathan. Looking forward to our talk. We love starting off with backgrounds here because you guys are pretty freakin' smart, and you know your stuff inside and out. Now I want our listeners to know a little bit more about you guys. So Justine, you real fast. What's your background? And what do you do at Babst Calland?
Yeah, well, first off, thanks so much for having us. And we're thrilled to be here on our first installment of the Babst Calland Emerging Tech Podcast series and many more fun things to come. But today we're here to discuss data privacy with you. I'm a shareholder at Babst Calland and the chair of the emerging technologies and mobility, safety and transport groups. And I support our clients in connection with corporate tech transactional data privacy needs, as well as regulatory matters. And people may know me in town, doing regulatory work related to autonomous vehicles, unmanned aircraft systems and commercial space.
That is definitely your jam for sure. So I could say you probably get to have the most fun of anybody at Babst Calland, especially leading up your new emerging tech area, which I think is just so cool, because you guys are so focused on what's happening.
Jonathan, it's otherworldly.
I love it. I love it. I love it. So Ashleigh, you're out of the DC area. Thanks for joining us today. Really appreciate it. So what's your background? And what do you do with that?
Yeah, thanks, Jonathan. So as you said, I'm an Associate in our Washington DC office, and I work with Justine and others in our EmTech practice group, which has been a lot of fun. For the most part, I support the regulatory needs of clients in autonomous mobility industries. So with Justine, autonomous vehicles, and unmanned aircraft systems and other robotics. I also work with a wide range of tech groups outside of our tech group on IP. And as we're going to discuss today, privacy and cybersecurity topics.
Definitely. So you could have the second most amount of fun at Babst. I think it's interesting to say a little bit about the emerging tech practice at Babst. I get excited when firms like this have these specializations because they see, like, that's where the action's happening. And so you put the resources behind it.
We're very excited about the work that we're doing. I think we have some of the most dedicated, energized and dynamic practitioners in our group. We have a cross disciplinary group of about 20 shareholders and Associates, and we all support, you know, high growth tech companies, tech startups, their investors, but we also work with mature companies and organizations. And that might include government contractors, manufacturers, suppliers, that have a technology interest either, you know, acquiring technology companies or spinning out a technology platform, or even growing technology capabilities within their existing organizations. And we support them across the board with corporate finance matters, you know, venture, convertible debt, etc. Technology transactions, IP, regulatory compliance and government contracting work, as well as employment and litigation. And so, as you heard from myself and Ashleigh, while we work with, you know, broad tech companies, including SaaS and software and embedded hardware companies, we specialize in mobility, transport, safety, AI, machine learning, IoT, Internet of Things, as well as, we love robotics and automation.
Where your robot lawyer is here. I love it, man. That's what Pittsburgh is known for. So to know that Babst is in Pittsburgh doing what it does represents our industry here. Super cool stuff. So today's topic, as we mentioned before, it's ensuring data privacy, are you compliant? And I'm thinking most people are not. They think they are, but they're not. We're going to show them that today, most likely. But before we get into that topic, we're gonna really talk about what are some of the updates that are kind of happening? I mean, we all heard about what went on with Twitter. Back in August, I believe it was early Sunday, August, September, the days are just blurring in my mind because of this whole COVID thing. As we talked about before I hit the record button, it's like I can't keep track of the weeks anymore.
So let's just start off with this. What is happening now? What are some of the latest updates that are going on?
Yeah, Jonathan. So 2020 has been quite the year in data privacy. So we have a couple items that Justine and I wanted to run through just to give you and the listeners an update. So yeah, with no surprise, we're gonna start with California.
Let's go there, man.
Yeah, so California's Consumer Privacy Act, or CCPA, as we'll refer to it, went into effect on January 1, 2020, this year, and then the California Attorney General recently began enforcement under the CCPA on July 1. And while we don't have enough time to go through specifics, because this was quite the comprehensive privacy law, very in depth,
Right. Generally speaking, it applies to certain businesses that collect the personal information of California residents. And it provides California residents with certain rights regarding their information, such as requesting what a business is collecting on them and asking for a business to delete it. I think for Pittsburgh, Pennsylvania companies, it's important to note that even though obviously we're not in California, the CCPA can reach a company in Pennsylvania if you're interacting with California,
Through your website or through other business operations. So it's definitely something to be aware of. And as we're talking later, decide whether you need to update your practices and policies to address it.
Definitely, and I think a lot of the CCPA was in reaction to a lot of the general data protection regulations that were adopted in the EU a few years back, and we see all that spreading. So what's happening in California is gonna start happening in other states and across the country in the near future. So that's why it's important that we keep our eyes on that for sure. Hmm.
Yeah, definitely. And I think Justine is going to touch on GDPR. And that's exactly what CCPA came after.
It's like the cool California version of it, right.
Justine, tell us about that. What's going on?
Sure. But since you raised it, I'm going to jump to how important it is to understand what personal data a company is collecting from individuals, and where those individuals are located. Location is going to drive whether you're going to need to be compliant with California laws or the EU's GDPR. And as you pointed out, Jonathan, many states have enacted, are enacting or are in the process of introducing data privacy legislation. States are viewing themselves as being the thought leaders on data privacy in the United States. It's creating a lot of regulatory obligations and compliance discussions for companies that serve a broad national market. And so in particular, states to watch: Nevada and Maine have enacted data privacy regulations. Illinois has a biometric law that has been notable. But we're seeing Oregon, Massachusetts and New York coming up with their versions of gold standard data privacy laws and regulations. We're tracking those, but it's very important for companies that have an online and national presence to follow those laws as well. But jumping to GDPR. So GDPR, since May 25, 2018, which is when the GDPR became effective, Europe essentially took the seat as the gold standard for data privacy, internationally. And what's really important about GDPR, now we're about two years in, is the extraterritorial reach of the legislation. So even though it's a European law, any company that processes or intakes personal data from European residents, so individuals located in the EU, are going to need to be GDPR compliant today. GDPR essentially establishes and codifies certain rights of data subjects, which are individuals whose data is to be protected. And these include rights such as, what's on everyone's mind, the right to be forgotten, meaning that, you know, if I say delete my information from your website, you will do it.
And gone, delete. Not like, haha, fake delete, but real delete.
Exactly. And as corollaries to that, there are the rights of consent. It's incredibly important that individuals are able to demonstrate that they've shown their voluntary consent for a company to use their data, as well as rights of access. At any point in time I, as a European located individual, should be able to locate where a company has information, whether and how the company stores that information, and then of course, you know, delete it if I want it to be deleted, and make sure that it's accurate. And then transparency is going to be a critical part of GDPR compliance, and that is that a company has an obligation to be incredibly transparent with the individuals from whom they're collecting personal data, to tell them how they're using that data, the legitimate purposes for which that data is being used, including, you know, if they're looking to sell that data elsewhere to third parties, etc. And then that consent is able to be done in a thoughtful way. The teeth on GDPR, as I mentioned, are the extraterritorial reach and the penalties and fines that may be levied for violations of GDPR. So data compliance agents, or data compliance commissioners, from every European nation state have the ability to investigate and levy fines on violators of the GDPR. This affects American companies, as you might imagine. Within the first two years of GDPR enactment, we saw some of the household names in tech, Google, Facebook, the big one was Marriott hotels, Microsoft, they've all had fines levied. And the real key to remember is that under GDPR, the fines can be either 20 million euro, or 4% of a company's annual total global revenue, which, as you might imagine, for Google is no joke. The courts that have administered GDPR have, you know, tried to strike a balance.
So we haven't seen a ton of cases where, you know, the full 4% has been triggered, but there have been some, so companies in the US that are doing business or collecting data from European residents need to be mindful of compliance obligations. And then just as a quick update, on July 16, 2020, the Court of Justice of the European Union, we call them the CJEU, essentially published a decision in what's called the Schrems II case, which completely invalidated the US EU Privacy Shield. For those that don't know, the Privacy Shield was a framework that regulated the transatlantic exchanges of personal data for commercial purposes between the EU and the US. Schrems is an activist who believes that in the post Edward Snowden world, the US has undue oversight over EU personal information. And in his fight against US government snooping, or his perceived view of US government snooping, he got the court to overturn the Privacy Shield. The US and EU are trying to come up with something in its place. But for now, GDPR is all the more important because there's no real safe harbor type mechanism to transfer data from Europe to the US.
Wow, that's interesting, did not know that. That's why I'm glad we're talking about this. People need to know, they need to know this. Best practice: if you're collecting data from European citizens, see if you can use cloud providers that have servers in Europe. That is probably the easiest rule of thumb to follow, if you can make sure the servers are in the EU.
Make it a little less complicated. Good work. So let's talk about what happened with Twitter. I mean, that was a big deal with the FTC. Ashleigh, what's the update on that?
What you're doing? Yeah, absolutely. This is what I feel like. I mean, if you do not have the right law firm on your side, people go through this stuff where you could be in a lot of trouble. It's like, I say, I have 4%. Okay, and this is like, whoa, well worth your investment to be talking to the pros, and make sure your T's are crossed and i's are dotted. As far as that, it is crazy stuff. So what's going on with the state regulatory stuff in this day and age? What's the latest and greatest going on there? That's changing a lot.
So we briefly mentioned a lot of the state regulations that are being either enacted or introduced. A couple of things to just note, if we didn't give you enough information: another thing that companies need to be paying attention to in the back of their mind is case law. And so we are in a common law system, obviously, and we're seeing state and federal courts start passing decisions that are changing how we do civil litigation around data privacy issues, including expanding theories of economic damages, causes of action around negligence and tort law, as it relates to what a company needs to do to ensure the security of information that it contains. Just a quick note, because we're in Pennsylvania, the Dittman v. UPMC decision was rendered by the Pennsylvania Supreme Court two years back, or, you know, two and a half ago. And what that decision did was essentially put the burden on employers, i.e. companies, to actually protect the information, the personal and financial information, of their employees. That broke open the opportunity for employees who have had their information somehow passed into unauthorized use to have some recourse in courts. And we're going to see more and more of that. I think the trend that Ashleigh and I are seeing very clearly is a move towards more protection for data privacy for individuals across the country. And that's done either by state regulation, by case law, or at the federal level too. We didn't even touch on some of the federal laws that are specific to certain types of information that's being collected. Like we all know, HIPAA, you know, deals with personal health information. COPPA, the Children's Online Privacy Protection Act, deals with information that's being shared with children under 13 years old. FERPA is a federal law that deals with student records.
And we're not even going to touch on all the myriad of federal laws that deal with processing banking and financial information that may be collected.
Yeah, I mean, with all this activity that goes on, again, it goes back to my point just a second ago, the fact that, like, you got to have people checking this out for you. That's why I'm excited to get into our best practices part of this, because I think this is just so fundamental for people to kind of realize you've got to do things like have a privacy impact assessment. Like, if you're not doing that, you're just opening yourself to massive amounts of liability. Tell us, like, how you guys work with this? And how do you work with your clients when it comes to providing these assessments?
So it almost seems like it's a cultural change to me that a company has to take, because now you got to put privacy first. I'm sure you mostly see clients coming to you because something's happened. So it becomes a reactive thing. So to make it proactive, it's like you put that front and foremost. And so being able to work with a team like yours, I feel like that's where you get these blocks lined up properly, and everything kind of rolls from there.
It's no longer a question of, you know, if I'm going to have a data breach; it's going to be a question of when you have a data breach, especially if you're a tech company. Making sure you're aware of the obligations and industry best practices that you can employ within your organization, to be mindful of that, is going to be critically important as part of your privacy assessment.
Absolutely. Like you said, there's so much to talk about, we can't possibly get it all in, in under, like, five hours. Which is why I tell everybody, like seriously, you guys have some great content on your website. And some stuff we've been posting on the Pittsburgh Tech Council's website detailing this stuff. And we just posted something from Ashleigh all about the whole thing with the FTC and Twitter. And there's just so much to go on there. So if you want to nerd out more, go over to Babst's website and check it out. We got that contact in the liner notes of this podcast. And I'm looking forward to more conversations with you guys because, like I said, there's so much to explore. And we're gonna pick it apart bit by bit and really give you guys the knowledge that you need, that you got to be thinking about as you build your company. So much fun hanging out with you guys today.
Justine Kasznica and, of course, Ashleigh Krick from Babst Calland, so much fun hanging out with you guys today. Can't wait to do this again. This has been Jonathan Kersting with the Pittsburgh Tech Council and TechVibe Radio.
Transcribed by https://otter.ai