Skip to content

Emerging Tech Law Podcast Series: Ensuring Data Privacy – Are You Compliant?

Interview by Jonathan Kersting


The world of data privacy is constantly changing. In this episode with Justine Kasznica and Ashleigh Krick of Babst Calland’s Emerging Technologies Group, the duo will discuss:

  • Overview of the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), and California Consumer Privacy Act (CCPA)
  • Common elements among GDPR, PIPEDA, and CCPA; including: privacy policy notice requirements, business obligations, and consumer rights
  • Overview of U.S. Regulatory Landscape: proposed state legislation and thoughts on federal action
  • Practice pointers and best practices for compliance with existing privacy laws and preparing for the future

Plus get insight on the FTC's investigation of Twitter. Read more on this topic at Babst Calland's EmTech Blog.




You are listening to the Babst Calland Emerging Tech Law Podcast Series. And I'm your host, Jonathan Kersting with the Pittsburgh Technology Council and Techvibe Radio really pumped to get this series off the ground. So we're talking about some really kind of cool, crucial stuff when it comes to every any business out there, especially on the tech side of things. And I've got two fabulous people hanging out with me today from Babst Calland's Emerging Tech Practice. We have Justine Kasznica and Ashleigh Krick  hanging out with us today, guys. So excited to talk to you. Welcome to the show. Glad to have you here.

Great. Glad to be here. Thanks, Jonathan.

Thanks, Jonathan. Looking forward to our talk. We love starting off with backgrounds here because you guys are pretty freakin smart. And you know your stuff inside. Now I want to I and our listeners will know a little bit more about you guys. So just you real fast. What's your background? And what do you do at Babst Calland.

Yeah, well, first off, thanks so much for having us. And we're thrilled to be here on our first installment of the Babst Calland Emerging Tech Podcast series and many more fun things to come. But today we're here to discuss data privacy with you. I'm a shareholder at Babst Calland and the chair of the emerging technologies and mobility, safety and transport groups. And I support our clients in connection with corporate tech transactional data privacy needs, as well as regulatory matters. And people may know me in town, doing regulatory work related to autonomous vehicles, unmanned aircraft systems and commercial space.

That is definitely your jam for sure. So I could say you probably get to have the most fun of anybody at Babs count, especially leading up your new emerging tech area, which I think is just so cool, because you guys are so focused on what's happening.

Jonathan, it's otherworldly.

I love it. I love it. I love it. So Ashleigj, you're out of the DC area. Thanks for joining us today. Really appreciate it. So what's your background? And what do you do with that?

Yeah, thanks, Jonathan. So as you said, I'm an Associate in our Washington DC office, and I work with Justine and others in our m tech practice group, which has been a lot of fun. For the most part, I support the regulatory needs of clients in autonomous mobility industries. So with Justine autonomous vehicles, and unmanned aircraft systems and other robotics. I also work with a wide range of tech groups outside of our tech group on IP. And as we're going to discuss today, privacy and cybersecurity topics, definitely. So you could have the second most amount of fun at bat, I think it's interesting to say a little bit about the emerging tech practice at best I get excited when when firms like have these specializations because they see like, that's where the actions happening. And so you put the resources behind it.

We're very excited about the work that we're doing. I think we have some of the most dedicated, energized and dynamic practitioners in our group. We have a cross disciplinary group of about 20, shareholders and Associates, and we all support, you know, high growth tech companies, tech startups, their investors, but we also work with mature companies and organizations. And that might include government contractors, manufacturers, suppliers, that have a technology interest either, you know, acquiring technology companies or spinning out a technology platform, or even growing technology capabilities within their existing organizations. And we support them across the board with corporate finance matters, you know, venture convertible debt, etc. Technology transactions, IP, regulatory compliance and government contracting work, as well as employment and litigation. And so, as Ashley and you heard for myself, and Ashley, while we work with, you know, broad tech companies, including SAS and software and embedded hardware, companies, we specialize in mobility, transport, safety, AI, machine learning, IoT Internet of Things, as well as we we love robotics and automation, where your robot lawyer is here. I love it, man. That's what Pittsburgh is known for. So know that is in Pittsburgh doing what it does represent our industry here. Super cool stuff. So today's topic, as we mentioned before, it's ensuring data privacy, are you compliant? And I'm thinking most people are not they think they are, but they're not. We're going to show them that today, most likely. But before we get into that topic, we're gonna really talk about what are some of the updates that are kind of happening? I mean, we all heard about what went on with Twitter. Back in August, I believe it was early Sunday, August, September, the days are just blurring in my mind because of this whole COVID thing. As we talked about before, hit the record button. It's like I can't keep track of the weeks anymore. So let's just start off with this. What is what is happening now? What are some of the latest updates that are going on?

Yeah, Jonathan. So 2020 has been quite the year and data privacy. So we have a couple items that Justine I wanted to run through just to give you and the listeners an update. So yeah, with no surprise We're gonna start with California.

Let's go there, man.

Yeah, so California's consumer Privacy Act, or ccpa, as we'll refer to it when it is on January 1 2020, this year, and then the California Attorney General recently began enforcement under the ccpa on July 1. And while we don't have enough time to go through specifics, because this was quite the comprehensive privacy law, very in depth,


Right. Generally speaking, it applies to certain businesses that collect the personal information of California residents. And it provides California residents with certain rights regarding their information, such as requesting what a business is collecting on them and asking for a business to delete it. I think for Pittsburgh, Pennsylvania companies, it's important to note that even though obviously, we're not in California, the ccpa can reach a company in Pennsylvania, if you're interacting with California,


Through your website or through other business operation. So it's definitely something to be aware of. And as we're talking later, decide whether you need to update your practices and policies to address definitely, and I think I think a lot of the ccpa was was in reaction to a lot of the general data protection regulations that were adopted in the EU a few years back, and we see all that spreading. So what's happening in California is gonna start happening in other states and across the country in the near future. So that's why it's important that we keep our eyes on that for sure. Hmm.

Yeah, definitely. And I think Justin is going to touch on GDPR. And that's exactly what CCP came after.

It's like the it's the cool California version of it, right.

Justine, tell us about that. What's going on?

Sure. But since you raised it, I'm going to jump to how important it is to understand what personal data a company is collecting from individuals, and where those individuals are located. Location is going to drive whether you're going to need to be compliant with California laws or the EU laws. GDPR. And as you pointed out, Jonathan, many states are either enacting have enacted or in the process of introducing data privacy legislation, states are viewing themselves as being the thought leaders on data privacy in the United States, it's creating a lot of regulatory obligations and compliance discussions for companies that serve a broad national market. And so in particular, states to watch for are Nevada and Maine have enacted data privacy regulations. Illinois has a biometric law that has been notable. But we're seeing Oregon, Massachusetts and New York, coming up with their versions of gold standard data, privacy laws, and regulations. We're tracking those, but it's very important for companies that have a online and national presence to follow those laws as well, most. But jumping to GDPR. So GDPR, since May 25 2018, which is when the GDPR became effective. That became Europe essentially took the seat as the gold standard for data privacy, internationally. And what's really important about GDPR now we're to about two years in is the extraterritorial reach of the legislation. So even though it's a European law, any company that processes or intakes personal data from European residents, so folks located individuals located in the EU are going to need to be GDPR compliant today. GDPR essentially establishes and codifies certain rights of data subjects which are individuals whose data is to be protected. And these include rights such as what what's on everyone's mind the right to be forgotten, meaning that you know, if I say delete my information from your website, you will do it and gone delete, not like Haha, fake delete, but real delete

Exactly. And as corollaries to that there is the rights of consent, we it's incredibly important that individuals are able to demonstrate that they've shown their voluntary consent for a company to use their data, as well as rates of access at any point in time I as a European located individual should be able to locate where a company has information, whether and how the company stores that information. And then of course, you know, deleted if I want it to be deleted, and to make sure that it's accurate. And then transparency is going to be a critical part of GDPR compliance and that is that a company has an obligation to be Incredibly transparent with the individuals from whom they're collecting personal data, to tell them how they're using that data, the legitimate purposes for which that data is being used, including, you know, if they're looking to sell that data elsewhere to third parties, etc. And then that consent is able to be done in a thoughtful way. GDPR the teeth on GDPR, as I mentioned as the extraterritorial reach, and the penalties and fines that may be levied for violations of GDPR. So data compliance agents, or data compliance commissioners from every European nation state has the ability to investigate and levy fines, on violation violators of the GDPR. This affects American companies, as you might imagine, within the first two years of GDPR enactment, we saw some of the household names in tech, Google, Facebook, the big one was Marriott, hotels, Microsoft, there, they've all had fines levied. And the real key to remember is that under GDPR, the fines can be either 20 million euro, or 4%, of a company's annual total global revenue, which is, as you might imagine, Google is no joke that the courts that have administered GDPR have, you know, tried to strike a balance. So we haven't seen a ton of cases where, you know, the full 4% has been triggered, but there have been some, so companies in the US that are doing business are collecting data from European residents need to be mindful of compliance obligations. And then just as an quick update on July 16 2020, the Court of Justice of the European Union, we call them the CJ EU, and essentially publishes decision in what's called the srams two case, which completely invalidated the US EU Privacy Shield. For those that don't know, the Privacy Shield was a framework that regulated the transatlantic exchanges of personal data for commercial purposes between the EU and the US. schrems is an activist who believes that in the post Edward Snowden world, the US has undue essentially oversight over EU in personal information. And in his fight against US government snooping or his perceived view of US government snooping. He got the court to overturn the Privacy Shield, the US and EU are trying to come up with something in its place. But for now, GDPR is all the more important because there's no real safe harbor type mechanism to transfer data from Europe to the US.

Wow, that's interesting, did not know that. That's why I'm glad we're talking about this. People need to know, they need to this practice if you're collecting data from European citizens, see if you can use cloud providers that have servers in Europe, that is probably the easiest rule of thumb to follow if you can make sure the servers are on the EU.

Make it a little less complicated. Good work. So let's talk about what happened with Twitter. I mean, that was a big deal with the FTC. Actually, what's the update on that?

Yeah, sure. So I'm back in August, what are disclosed in one of their sec regulatory filings that they are under investigation by the Federal Trade Commission for alleged privacy violations when they allowed user phone numbers and emails to be used for targeted advertising. So this is a violation that rose not only in violation of their own privacy policy that's on their website that users have to agree to, but also under a prior consent agreement that Twitter was under with the FTC or previous privacy violations. And so well, we're watching this case to see what happens. The SEC hasn't put anything out, we found out about it through the Twitter's regulatory filings. But you know, as we are about to start talking about best practices, I think this case really drives home that, you know, the FTC has broad general enforcement authority under under the FTC act, to hold companies accountable to what they're saying in their privacy policy, and making sure that they're actually upholding what they're telling consumers they're doing with with their personal data. So it's important to know that even if ccpa or GDPR isn't directly applicable to your business, there's still this broad federal enforcement body out there holding companies accountable to their privacy policies. You know, we we generally recommend that a company review their privacy policy is and their practices to make sure that those those two kind of facets of this align at least annually and monitor that you know what your business as you're doing in your privacy is actually being implemented?

what you're doing? Yeah, absolutely. This is what I feel like. I mean, if you do not have the right law firm on your side, people come through this stuff where you could be in a lot of trouble. It's like I say, I have 4%. Okay, and this is like, Whoa, well, with your investment to be talking to the pros, and make sure your T's are crossed, and i's are dotted. As far as that is crazy stuff. So what's going on with state with the state regulatory stuff in this day and age with what's the latest and greatest going on there? that's changing a lot.

So we briefly mentioned a lot of the state regulations that are being either enacted or introduced. A couple of things to just note that if we didn't give you enough information, another thing that companies need to be paying attention to in the back of their mind is case law. And so we are in a common law system, obviously, and we're seeing a state and federal courts start passing decisions that are changing how we do civil litigation around data privacy issues, including expanding theories of economic damages, causes of action around negligence and tort law, as it relates to what a company needs to do to ensure the security of information that it contains. Just a quick note, because we're in Pennsylvania, the dittmann versus UPMC decision was rendered by the Pennsylvania Supreme Court, two years back, or you know, half ago. And what that decision did was essentially put the burden on employers, ie companies to actually protect the cut of the information, the personal and financial information of its employees, that broke open, the opportunity for employees who have their information, somehow pass into unauthorized use, use and have some recourse in courts. And we're going to see more and more of that, I think the trends that we're that Ashley and I are seeing very clearly is a move towards more protection for data privacy for individuals across the country. And that's done either by state regulation by case law, or at the federal level to we didn't even touch on some of the federal laws that are specific to certain types of information that's being collected. Like we all know, HIPAA collects, you know, deals with personal health information, COPPA, children's online privacy protection act deals with information that's being shared with children under 13 years old. FERPA is a law, federal law that deals with student records. And we're not even going to touch on all the myriad of federal laws that deal with human processing banking, and financial information that that may be collected.

Yeah, I mean, with, with all this activity that goes on, again, it goes back to my point just a second ago, the fact that like, you got to have people checking this out for you. That's why I'm excited to get into our best practices. Part of this because I think this is just so fundamental for people to kind of realize he got to do things like have a privacy impact assessment. Like, if you're not doing that, you're just opening yourself to massive amounts of liability. Tell us like how you guys work with this? And how do you work with your clients when it comes to providing these assessments?

And should I say, you know, there's one thing that folks take away from this podcast, it's three words, privacy by design, okay, privacy by design is actually a concept that's built into the European model for data privacy, but it's essentially an approach that is a best practice for sustained data privacy compliance. So as we talked about today, you know, there's we're in a very rapidly changing regulatory environment for data privacy, companies and clients come to us and say, Well, what do we need to do today to prepare so that we're not reevaluating our strategies and plans and policies internally, you know, on an annual basis, that takes a lot of time and money. So if you think about privacy by design as the North Star for governing your own data, security compliance protocols, you'll be in a good shape. What is privacy by design mean? It means that you take a proactive versus a reactive approach to data privacy, it means that you set privacy as the default of the operations within your company. It means that at the point of designing your product services and your IT systems or your websites, you're already thinking about how we embed privacy with respect for user privacy as our number one goal. We talk about end to end security, security of transferring personal data and information with In an organization, especially important now, when we're in a pandemic situation where so many companies, most of us are working in some capacity online, with a lot more opportunity for online communication services. This is becoming, you know, so important, especially now, the need for transparency, transparency, and that touches on what Ashley was talking about making sure your privacy policy actually accurately describes how you use and store and collect and delete personal data. being transparent with your users, is going to be critical to establishing a strong privacy by design strategy for your company. And we'll talk about just a few of those, what it actually means for you, as a company to implement some of this privacy by design strategy. Jonathan, you mentioned privacy impact assessments, this is probably where we start every single data privacy project that comes through our door, we want to make sure our clients understand their compliance obligations, we help them with that, making sure that, you know, we can tell them, whether GDPR or ccpa may apply to them today or in the future, or any of the other laws that we discussed today. We want companies to know and to be able to audit their own data and security policies usually starts with a data privacy impact questionnaire that we share with our clients or walk them through on a phone call, which basically make sure that they have thought through, you know, all the different touch points from where they might be collecting personal data and what their security policies are today.

So almost seems like it's a cultural change to me that a company has to take, because now you got to put privacy first, I'm sure all you mostly see clients coming to you because something's happened. So it becomes a reactive thing. So to make it proactive, it's like you put that front and foremost. And so being able to work with a team like yours, I feel like that's where you get these blocks lined up properly, and everything kind of rolls from there.

Absolutely. And it extends beyond just your own data intake policies and security policies. It also talks about your service providers. So many of our companies work routinely with AWS and a whole bunch of other cloud service providers, all of which have terms and have contractual relationships with the company, and have their own policies for storing personal data. And then client content, knowing and being able to audit your own service providers and what they've promised you is going to be critical and understanding what you can then flow down and offer to your consumers or your partners, business partners. And and obviously, when you're a b2c company, this is going to be that much more important because you're directly engaging with consumers and as end users, if you're a b2b company, equally important, but slightly different obligations, because you're dealing with business partners, in that sense. As we discussed, being constant consistently mindful of this trend, towards individual data, right data, subject rights, such as the right to be forgotten to borrow from Europe, or, you know, this need for consent and transparency and access. Knowing that that is going to be the trend, kind of curating your own practices, and understanding what they are visa v those rights is going to be important for a privacy impact assessment, understanding, do you actually as a company, delete data, do you keep it ad infinitum? You know, what, what do you do at the end? What are your retention and deletion policies, that's gonna be really important to know, and help us help you figure out how to draft the right privacy policy or be compliant with these laws. And then, of course, the big one that we don't have time to It's its own, you know, subject matter. But data breach preparation, today topic onto itself, we need to explore that with you guys in an upcoming episode.

It's no it's no longer a question of, you know, if I'm going to have a data breach, it's going to be a question of when you have a data breach, especially if you're a tech company, making sure you're aware of the obligations and best practice industry best practices that you can employ within your organization, to be mindful of that is going to be critically important as part of your privacy assessment.

Absolutely. Like you said, there's so much to talk about, we can't possibly get it all into a within under like, like five hours. Which is why I tell everybody, like seriously, you guys have some great content on your website. And some stuff we've been posting on the Pittsburgh tech Council's website detailing this stuff. And we just posted something from, from Ashley all about the whole thing with the FTC and Twitter. And there's just so much to go on there. So if you want to nerd out more, go over to Babs website and check it out. We got that contact in the liner notes of this, of this podcast. And I'm looking forward to more conversations with you guys because like I said, there's so much to explore. And we're gonna pick it apart bit by bit and really give you guys the knowledge that you need that you got to be thinking about as you build your company. So much fun hanging out with you guys today.

Um, if you guys, you know, we're obviously happy to talk to anyone, please reach out to us. We're both on our web scale and website. You can look us up. We'd love to have a conversation with you about, you know, any questions that you might have about your privacy policy updates to it. Whether you need a privacy compliance officer, you know what your security policies look like. I'm happy to have start that conversation with you guys because it is really important with a lot of with a lot at stake.

Just because you said and of course, Ashleigh Krick fromBabst Calland, so much fun hanging out with you guys today. Can't wait to do this. Again. This has been Jonathan Kersting with the Pittsburgh Tech Council andTechVibe Radio.

Transcribed by