GDPR vs. US Data Privacy Legislations: Which is Proving More Successful and Why

Captions
[Music] Good morning everybody. My name is Adrian Davis. I am going to be the host for this panel, which is going to cover a topic... oh look, no, please don't change the topic on me, not now, though that would be fun... which is going to be about GDPR and US data protection, privacy legislation, if such a thing exists. So I'm going to say I'm going to be the host here. I have a little bit of experience, having implemented GDPR in the UK and the EU, and having worked for an American company and having had to put GDPR into an American company. If anybody wants to see the scars on my back, that's later. I've also had to deal with other privacy environments around the globe as well, most recently the Middle East. So I'm now going to shut up and introduce you to my panelists. They're going to do most of the talking today because they're far more interesting than I am. So in no particular order, we will start off with Christian, if you'd like to introduce yourself please.

Yes, of course. My name is Christian Aldenbrook. I'm the CEO at Brand Compliance. Brand Compliance is a certification body specializing in information security and privacy, and next to that I'm also one of the authors of the certification mechanism in relation to GDPR certification currently.

Yes, hello, good morning everyone, and thanks for having me. My name is Caroline Von Bell and I am the managing partner of Olinco. Olinco is a company of the Cronos group; Cronos is in fact one of the biggest IT groups in Belgium. Myself, I'm working as a change manager and data protection officer for several private and public organizations, and I'm also developing security awareness programs to raise user awareness.

Hi everyone, and thank you for this invitation. I'm Ovidiu. I'm running a Romanian company, a small family company that provides educational services. For years it was focused on providing foreign language trainings, but recently we started to resell PECB
trainings and certifications. I'm a PECB certified data protection officer and trainer, and I have a small experience in practice of three years of GDPR, both in a corporate environment and in private as an advisor, and I am very thankful for this challenge to present today this interesting topic.

Excellent, thank you very much. So the good news is we've all got a little bit of knowledge about GDPR; we've all been through the fun and the pain. Now it's your turn. You don't have to soil yourselves; I learned the look of fear on faces there. Now I'm going to ask you a question first, because a true panel should understand its audience. So please raise your hand, either your left or your right, it doesn't matter: if you have participated in, led or been involved in a GDPR implementation in an organization, please raise your hands. Excellent, we'll be coming back and asking you lots of questions later. How many of you have had to do a U.S. data one? Or even better, how many of you have done both? I can say that as well. Excellent. Right, so in that case we'll be looking for you to come and ask us the difficult questions as well, and we may well be looking for you to share some of your insights, because the more of us who speak in this, the more we'll learn. So I shall keep an eye out for your hands being raised. And one thing, by the way, during this panel: if you want to make a point, you want to say something, you violently disagree with me or us, put your hand up straight away please. We want to make this as interactive as we can, and as I say, the more we talk the more we learn. Right, so let's do the first question. That's an interesting spec; I did not expect to see so many hands going up for both, I thought it'd be one or two, so I'm really pleased about it. So let's start off now asking our panel what they think some of the key differences are when you tackle GDPR and then maybe tackle a U.S. approach. And as we started off with Christian, we're going to work our way this way, so
that means that Caroline starts off now, okay, because Christian was first, you see.

Right, so in the EU privacy is in fact a basic human right, so GDPR sets the standard for data privacy of EU data subjects worldwide. In America the law takes a more fragmented approach; it's more bottom-up, coming from the states up, and in Europe we have GDPR as top-down. So in fact in America there is no general privacy law that regulates all data or is the same for all companies. So today we can see that there is not yet a U.S. equivalent to GDPR.

Okay, first I need to underline a thing: I took the theoretical approach, because while I was in practice I was the man with the law in his hand. For this meeting I studied the law project, the American Data Protection and Privacy Act, and tried to make a comparison with GDPR if this American act enters into force. And in my opinion the question is whether, in the actual form that was published in June in front of the Congress of the United States, the U.S. American Data Privacy Act is suitable enough to support the European Commission to release an adequacy decision for the U.S., or at least the business processes and the compliance requirements between EU and U.S. companies. I think that from here we could start, not just as professionals that are looking for effective compliance, but also the two regulatory bodies, if they are looking to match their interests for the individuals: consumer protection, business development and data security. I think it's normal to look where there's a framework in place, and if we look at the requirements for an adequacy decision we see that the ADPPA has some gaps, namely that there are no rules and mechanisms for the transfer of personal data to third countries and/or international organizations, and from this it could easily come to say that there are no effective and enforceable data subject rights and no effective administrative and judicial redress for the data subject whose personal data should be
transferred by U.S. covered entities to a third country or international organization. I would underline, not to say everything that I wrote here, I would underline something that we can compare from the perspective of the rights and the principles between ADPPA and GDPR: the American data protection act doesn't impose reporting mechanisms for personal data breaches and an obligation for notifying the individuals when the breach is likely to result in a high risk to individuals' privacy; doesn't provide explicit rules for applying the principle of accuracy; and doesn't provide an explicit right for the individuals not to be the subject of a decision based only on algorithms, as is stated in this act, including profiling, although it tries to cover the subject through the opt-out right for targeted advertising, and also it is imposing some requirements for an algorithm impact assessment. I'll finish with this: in the American project there's a big segregation between the covered entities, between the large data holders and small businesses, and in my opinion I think that the standards should be lowered a little bit to provide effective protection for the consumers in this U.S. case.

Okay, we'll come back to that in a minute, but we'll go to Christian.

Yes, my point of view is more from a business point of view, where I think that within GDPR the consumers' rights were the starting point for privacy, while in the US you have more freedom for exploration, for innovation, for setting up new businesses, new ventures. And I think that there should be a balance between the privacy of the individual versus the innovation and businesses. It's well known that most big tech, for example, starts in the US for a reason: that they have more freedom, more innovative solutions to things. That's more my point.

So do you think that as it currently stands, the
lack of an overall American law, despite the American protection act project coming through, do you think that the American approach to data privacy is better for innovation and the EU one isn't?

Exactly, it's worse for innovation.

Yeah, make it really clear. Yeah. Is that because... because you've got to answer the question now, you can't just say yes... is that because GDPR puts too many obligations on companies, also startups?

But it's also the starting point, where in Europe, for example, people tend to think differently about privacy, and I see that if you look at the world, depending on where you are, considerations regarding privacy differ. Yeah, and that's also one element in this difference, yeah.

So someone said in India, I apologize to Indians in the audience, they went "we care about our cows, our gold and our families; privacy, that's Western stuff". So I understand exactly, there's a cultural thing here as well.

Yes.

And when we talk about data protection we must always remember it sits within the culture of organizations and the culture of the social economic fabric of the environment, the country or the region or whatever.

Exactly.

And going back again, just to make sure we get this really clear, and feel free if you think we're wrong or we've missed something here, do tell us, put your hands up: GDPR, because it comes from a certain cultural viewpoint, reinforces certain things that have to be done and may not encourage the out-of-the-ordinary.

Exactly. My feeling is that within the GDPR they have raised the level to accommodate all the countries within Europe. Even within Europe, within different countries, you have a different perspective on privacy, so what they did is they raised the bar to accommodate everyone within the European community, in the European Union, so that's why it has become a little bit more difficult.

Caroline, you're a data protection officer, what do you think?

I was thinking, because okay, we're now
speaking about the U.S., but you also have China and the whole TikTok discussion, whatsoever; there are also no privacy rules, or very little privacy rules. So, yes indeed, but I'm certainly in favor of GDPR because it gives you certain rights also as a data subject over your data, and these rights you do not have in other countries outside Europe.

Oh, can we have the microphone please? Thank you very much. Hi, go for it.

Good morning everyone, my name is Benjamin Cornhauser. I have a question regarding... I guess it's a question, it's more for Caroline, but other people can answer too. It's a question that keeps being asked to me and I don't have the answer: how easy is it with the GDPR law or regulation to be removed from searches on search engines? As in, I understand that you can place requests to different companies if you want to know what data they hold etc., but how about the search engines? Can you easily act against that? Because I don't have the answer and the question keeps being asked to me. Thank you.

Yes, good question. The right to be forgotten is one of the data subject rights in GDPR, and so in Belgium, in fact, Google got fined for that; they got a fine of 600,000 euros because they didn't respect the right to be forgotten of a data subject who asked not to be found anymore in Google, and Google was fined for that. So there are fines because this right is not respected.

Thank you, Caroline. I think you have to write to the company as the data subject, tell them you want to be forgotten under article... whatever article it is now... and then if you appear in the search engine or whatever it may be, you can then report that to your information commissioner or equivalent.

Yes, in fact, an independent data protection authority where you can file complaints or report things.

Yeah, just so we know the process, so everyone, if
you don't know it, you understand how it's meant to work. Gentleman next to you. Oh hello Tony, thank you for years.

Yeah, correct me if I'm not mistaken, in the U.S. there is the California Privacy Act, which is very stringent and protects a lot. So because it was mentioned that they don't have privacy, I think they do have, and it's very stringent, because I have been there and they are very meticulous about a few things, even more than GDPR to be honest.

Yes, sorry, but the question is about whether it's a federal law to cover all the states, and this is not the case in America; they don't have for the moment a federal law to enforce the privacy rights in all the U.S. states. So there are only five states in the U.S. that have privacy laws, that managed to take it by themselves and put in place privacy laws, and congratulations to them, probably they are good, but for all the United States there is no such law. There are sectoral laws in different fields like health, financial.

Yeah, the design is... it's HIPAA, which is the data protection act for the health industry, but that's a federal law, but there isn't a federal data protection act yet. There is FISMA as well, which only applies to government, if I remember correctly. I've been doing American telecoms recently and that's just even more horrendous. The problem is the EU has GDPR, which is the same across Europe; the Americans have state laws, and there's 50 states, which means there's always 51 laws because they always disagree, and then there's the federal level above that. And at the moment, you're right, California has a very good data privacy act, but it only works if you're in California, you work for or buy things from a California organization. You know what I'm saying, it's very focused on that.

Yeah, that's... yeah, thank you. Cool, right, so we've talked about a few bits and pieces already; let's just see if we can summarize
this first question: what do you think is the biggest difference in achieving compliance against GDPR? We've kind of answered the question, but to make sure we answer it properly: what is the key difference between achieving compliance with GDPR and trying to meet the American multi-layered approach? What's the one big difference in your experience?

[Laughter] ...of your annual turnover or 20 million euros, whichever is highest. So it's something to bear in mind; otherwise, if you're not compliant, yeah, it's simple, you cannot do business with the EU then.

Excellent. Christian?

My point is that within GDPR, if you want to be compliant, it is such a high level that you totally need to reorganize your organization from a business point of view.

Okay, that makes it very important but also very heavy.

I think that there are a lot of ISO standards that can cover business activities across the globe, and these can match the business requirements from one side or another. And as a key difference, as I mentioned, in the U.S. we don't have a mechanism for international transfers to protect the data; what we have in Europe and from Europe to outside is protected, but not the other way around. So to make a complete framework to match these regulations there are some gaps that need to be covered.

Okay, super. Right, and from my viewpoint, really, the biggest difference between achieving compliance between the EU and America: there are a lot fewer lawyers in the EU to talk to. Right, I saw two hands go up. Ladies first, we'll do ladies first and then we'll do Ken.

Hi, I'm Michael Redmond, I'm from New York, working in Louisville. My question is, being in the States and a practitioner working for firms in the past that have had to comply with GDPR, so we have to know it, I had to be GDPR certified, we also have to comply, if we are working throughout the whole United States, with the five state laws. HIPAA
is not a federal law, just to correct; it is only industry. And then unfortunately the HIPAA requirements for privacy were changed during COVID, so that was very confusing for people.

What are the new HIPAA requirements, what's the new change, just on that? What's out, what are they allowing that's no longer...?

They're going to be a little loosey-goosey about it, to put it, you know, because they had to, because technology wasn't up to speed to deal with many of the privacy laws when people were working remotely, when people had to be treated out in a parking lot to get their inoculations, and you know, they didn't have tablets, so it was a wildness. So my question is, we're having a hard time in the U.S., a very hard time, because we have to comply with all the different states. I happen to currently be the CISO for Louisville, Kentucky, and I have responsibility for the healthcare department and all of our privacy. Now granted, we're only in Louisville right now, I'm originally from New York, but I also have a consulting firm on the side, and in that consulting firm I have to deal with all of these issues with my clients. So the question is, we're having a hard time, and we know them; I even wrote the article for PECB Insight Magazine on this topic, and I did all the research, and I'm still having, like, okay I know what all the laws are...

Writing the article was hard enough.

That's okay. My question is: how do people in other countries who are dealing with the US, who have to meet the same requirements, deal with some of these issues with the multiple regulations we have in reference to privacy? And we say, because it's looking at... and they're changing, they're updating, and every state... I went through every state's privacy law; this was like a thesis, but I went through every state's privacy law, laid them out; they're different, there's not a commonality among them, and some are better and some are
missing things. California used to be the best, and others said well, we have that as the template, let's bring it higher, but we don't like that, let's throw that out, oh that's good, let's keep this. So it is so piecemeal that you have to have an Excel spreadsheet spread out, literally, and map all your controls. It's easier to map ISO 22301, 27001, going through that, than it is to do this. My question is, we're having a hard time and we're used to it; how do other people from other countries deal with this when they have U.S. clients? So that's my question.

They also use Excel spreadsheets. And to make it a little bit more advanced, there is software on the market where you have the different standards and schemes already set up, and then the mapping is done automatically. So you need to answer all the questions that are in the software to become compliant with all the different regulations in the different states, but in essence it's the same as an Excel spreadsheet, only a little bit more fancy.

To support Christian's position, there are tools, there are applications that are supporting the compliance and mapping the data and having all the records registered as required, in the automation for this. But dealing with the US, we probably would have to ask them to respect GDPR, and while we're doing this we use that part with the international transfers of data, and they have to comply with this. And in the middle, as mentioned, there are standards for privacy and so on that can bring together the requirements and help the U.S. to respect the requirements. And if the company is small and cannot afford to implement a full standard, it can take from each standard what is needed to comply with different regulations; maybe some of the applicable parts of those standards can cover more law requirements.

I saw
three hands go up. Can I just ask the audience here: how many of you have had to deal with data protection from this side of the pond going to that side of the pond, from Europe to the US, apart from our American frontier? Good. So let's do the hands. Thank you. You might want to talk to these gentlemen afterwards. Apart from spreadsheets, I really do wish I'd invented Excel. So first and foremost, it was Kern, your hand went up, I saw Tony, your hand up, and I saw Johanna. Sir, I don't know your name, I will find out, I apologize.

Good morning everyone. I've been working in privacy for, I think, 10 years now, and from my point of view one of the main discussion points is just the basics: what is personal data? If we have a look at GDPR we talk about personal data; in the US we talk about PII, or personally identifiable information, and there is really a big difference between them. And maybe a question to you guys from the panel: is it not the easiest solution to talk the same language and to have it about the same data? Because personal data is really another topic than personally identifiable information.

Very different, okay. Well, can we just hold that thought, because I want to capture the two comments, because there seems to be a bit of a thread going on. I hope you get a shoe allowance for the amount of walking you're doing.

Correct me if I'm mistaken, in the CISSP course it mentioned clearly that if you have Privacy Shield, if you comply with that, then you shouldn't have a problem. This is what was mentioned. Correct me if I'm mistaken, this is what was mentioned, because I'm giving that course every time and it's mentioned clearly that if you comply with that then you shouldn't have a problem.

Didn't Privacy Shield collapse? Yeah, 2020.
Yeah, Privacy Shield just collapsed, a couple of years ago, oh, three years ago. I think it's time for (ISC)² to update their teaching material. I used to work for (ISC)², I'm allowed to say that. But yeah, that's one of the things, and I think actually when we come on to one of our questions and we talk about Max Schrems we'll probably touch on Privacy Shield as well. So the gentleman with the nice tie and the waistcoat on. Yeah, don't wear ties. [Laughter]

I'd like to add a comment. I'm from Society Security Group, 600 cyber experts, and we're talking on stage at 1:30. So when we talk about GDPR, and you mentioned it in the first sentence, we have reached GDPR in the European Union area, and it's quite a big success, also for Jan Philipp Albrecht, who put a lot of effort into this story. But if you look at the history, also in European countries, the first act we have had in Europe was the Hessian Data Privacy Act, and this was raised in 1970, and by this many of the Germans say "hey, we have eaten GDPR inside, you know, and we are the best out of it". No, we are not; we have a lot of work to do in every country, but this was a starting point with the acts all over the world, 1970, and we just celebrated the 50th anniversary in Hessen in Germany due to this first act ever in the world. And this was one region, and this is a little bit like the story in the U.S.: when I talk to US clients it's a little bit like this, we talk about CCPA, CPRA, we talk about New York State acts, other stuff with HIPAA and so on. But this is a starting point in the U.S., so it's a little bit like the story we already have had in the European Union: we have had different acts in the different European countries, and finally the guys in the European Union recognized "hey, we need a common level", and by this they decided to work on a regulation, and this
was tough work between 2000, 2016 and 2018 I guess, and it was really a hard time for raising this kind of regulation. So it's a little bit the same story in the US. We see, we watch it, and we see they have different local acts, more and more coming, more and more people are aware, more and more people are asking for privacy. It's not only about GDPR, it's also about the Charter of Human Rights we're talking about, and of course GDPR is one out of it. And from my perspective GDPR is a USP; it's not a barrier to the companies, it's not a barrier to the people, it supports the people to stay in control of their own data and to raise awareness. And by this we can focus this and bring this also into a business perspective, to huge global companies who recognize more and more GDPR as a gold standard to keep control of every kind of data, and this is quite a cool story. And finally I would like to add: the first man on the planet who talked in public about privacy was not a European guy, it was Kennedy in the 60s, when they started with the count of the property of the population, when he recognized that privacy is really something to think about.

Thank you very much, and yes, we forget that data protection has been going for a good 50, 60 years; it always feels like it's something quite new and exciting. I will come back to you about personal data versus PII, but I can see hands coming up, so I want to keep going. Please.

Oh, so this is Benjamin again. I do have a question regarding the true protection of European, Europe-based citizens when they subscribe to American hosted services. Are we truly protected by GDPR if, for instance, I don't know, I mean look at the GAFAM: you purchase on Amazon, you navigate on Google, you use Facebook; are you truly protected? Because I mean the problem is the system itself, the very system sits across the Atlantic, so it sounds a bit difficult, it sounds a bit challenging to be protected.

Right, so I've written that question down
and we'll answer it after we've done the personal data versus PII one. Okay, yes, okay, so I have already done so, I will remember, I promise. Right, so let's go back to the question about whether we can all talk the same language. Having written standards for ISO, yes, you can blame me for some of the 27000 series, the answer is no. However, when I say... I'm going to ask you, the audience, as a show of hands, and I'll come to you and we'll talk about it for a second. If I said "personal data" to you in the audience, do you think I am talking exactly in the same language as you believe I'm talking? In other words, if I say personal data, you're thinking dates of birth, place of birth, name, children; are you thinking like that when I say personal data to you? If you agree with me, raise your hand. So if you think, when I talk about personal data, I'm talking about dates of birth, children's names and the like, raise your hand if that's what you think. Interesting. Somebody who didn't raise their hand: what do you think I'm talking about when I say personal data, what do you think it is?

Right now, people have to... you have to enable Google Maps to know where you're at, you have to enable this, it gives us that variety, but we didn't have that a few years ago, and not all the apps have it where they're tracking you. And also when you're going online, where you're buying, where you're purchasing from. If I decide that I want to have a chocolate cookie at 6am, is that anybody's business? No, but yet they're going to know, if I buy it online. And so all that information, it says, you know, we'll allow you what you have to have, but they consider that have-to-have.

So no, I think the answer is there's quite a lot more. Would you mind just passing the microphone down to this young lady at the front? Thank you. Sorry guys, she just put her hand up and you didn't see it, that's all.

Hi. GDPR: it is anything related to the person as a human being. Yes, anything; it can be the medical history, it can be the
political opinion, it can be anything related to the person as a person.

Well, I think one of the key things, I'm guessing here, is that actually we all know the GDPR definition, but we all probably color it in with different ideas, whereas photographs, geolocation, whatever else. So if we... oh, drop your pen... if we... sorry, just throw things at people, why not. So if we all can't actually come up with a good definition of personal data, despite the fact it's written down for us, what's PII? This is your bit, this is your chance. And therefore how do we identify a person, or how can we define, back to your question, personal data and PII? And I'll start with Ovidiu, and I know Caroline wants to say something, she's looking at me.

Back to your questions, I just wanted to make a completion, to complete you, because you are right from the perspective of terminology, but the things can go deeper, because in the EU we are talking about a fundamental right to protection of personal data, while in the US, if you let me read, "the right to privacy has been carved out of various rights, as for example the right to personal security, personal liberty and private property"; just later, in '65, it was recognized as emanating from the penumbras of the 14th Amendment. So the privacy right is not a fundamental right. In the 70s, by the late 70s, I read that the Federal Trade Commission was entrusted with taking care of privacy in relations with the consumers, so also from the 70s they started to have a view on privacy, but not as it is in the EU, as a fundamental right; it's just in the private law, in business-to-consumer, in business; where it's about breaching privacy for establishing public order or something, you don't have any rules, nothing. So I want to make a comparison between fundamental rights and the notion of privacy as it is in the U.S.

Okay. Caroline, perhaps, to
answer your question, Adrian: so what is personal data according to GDPR? It's anything that can identify you as a person, directly or indirectly; also indirectly, this is very important. So we process personal data; processing personal data is basically anything you can do with personal data. So GDPR says processing personal data is forbidden unless you have a lawful ground to do it, and one of the six lawful grounds is consent. That is why, when GDPR came up in 2018, consequently we got mails from everywhere asking for our consent to be able to process our data further. So today we are here in this event, so we see that there are movies of us, photographs of us, but it's also because we've given our consent to do that and so that those pictures can be taken. So this is a very important lawful ground in GDPR.

This concept I see as a transaction: that you give some of your information, some of your data, in return to get something. For example, it took me about three hours this morning to get here and I used Google Maps, and it was not only my data that I sent, but then I see in the map where it is busy at the moment, so that means that other people have given up their information and data as well, and I use this as a very useful tool, and I know that I'm giving up something, because they make points where I'm driving, at what time and at what speed, all the different things. But I see it as a transaction: I give something and I take something from it.

Yeah, and that's very much the American view, isn't it, as in "I'll give you something", certainly as we swap etc. I apologize, the screen keeps flashing, it's annoying me as well because I can see it in the corner of my eye; I'll just go and hit the laptop in a minute. I want to go back to this question, because I think actually one of the things you've touched on is something bigger, and our friend from New York and Louisville is also interested, is
how these interact, because one of the key things is... no, I'm going to say this very carefully: no country is an island. It might be geographically, but we all interconnect somehow, and I think one of the big things is how do we, as CISOs, as privacy professionals, how do we manage those connections? And you made the point about if I buy from Amazon and I'm in the EU, do I still get EU data protection rights? And I think that's a really good thing to touch on. So, going completely off the script now as usual: what are the key things, do you think, for managing the interactions, especially between, as it's on the screen there, the EU approach and the US approach? What are the key interactions or the key touch points you've got to consider?

I think one very important one is the number of organizations that are involved in the transfer of the information, and it might very well be that, for example in the example with Amazon, there are a number of other organizations involved that you're not aware of. That is, I think, a very important part in keeping things secure or private.

So it's not just knowing "I'm buying some hammers", it's how my data gets from me exactly to Amazon, who transmits it, handles it, processes it, etc.

Exactly. You need to pay with a payment provider, and they have providers providing a service specifically for the payment provider, and so on. It could be like hundreds of organizations that are involved.

OK.

It's privacy first, while US regulations will focus more on data security and the importance of private records, so privacy itself is often absent from the discussion.

OK.

As per your questions, a lot of big companies move their headquarters here and their servers for complying with GDPR, and the advantage of the GDPR implementation is that the compliance programs can cover the full track of data. The data is mapped from the
entrance into the company's environment till the exit, and further to other receivers. The controllers have to ensure that the receivers, in some cases, are ensuring proper safeguards. And also in GDPR we have this mechanism of reporting data breaches that is very useful for the individuals. It raised the right of the individual to be informed and to control this data, because he's aware if a data breach has happened to a controller. And this is about GDPR.

About the American act, I can tell something that wasn't adopted, and what they are looking for. What looked interesting for me in their project is the privacy and marketing division that should be established, or a business mentorship office that should be established. They have some sections regarding digital content forgeries, they have sections for compliance guidelines and technical compliance programs. As you said, they are focused more on security. They have regulatory and reporting procedures for algorithm and privacy impact assessments, so the controllers, the covered entities, need to report yearly their privacy impact assessments and to publish some of the outcomes, the results. And also, about data processors, they look to regulate the third-party collecting entities, and the unified opt-out mechanism that can answer your question about how do you retreat your data from the internet. Probably they go in this direction with these rules that hopefully they will adopt at the moment.

But it is, I think, to go on as well with your question: I always buy everything from Amazon SARL, which is based in Luxembourg, so I don't make the assumption, I believe, I do ten times check, that all my data is therefore processed in accordance with EU law by Amazon, and it is processed within the EU, because everything comes through Amazon SARL. Sorry, well, yeah, because
everything comes through the company Amazon SARL, which is based in Luxembourg. Now the problem is, as we all know, cloud computing. Yes, somewhere there's tin, there is going to be hardware that blinks and does stuff, but with the cloud, and the idea of the cloud being flexible and elastic, the processing is moved around the world. It is very difficult to know at any one particular time what's actually going on and where it's going on. Now, I know Amazon and Google have got clouds, the European cloud, and it's based in Ireland. I hope you knew that, right? I'm not laying secrets out, am I? It's a really cool data center, it's very, very cool because it rains a lot; it's Ireland. So I know that technically is where all of the European Union data for Amazon is processed. Well, there are other sites, you know what I mean, but Amazon claim that all happens within this European cloud. But if it's a bad day, they have an outage, who knows where it goes, who knows where it's routed from my purchase point, which could be in Brussels, to get to the European cloud. All it takes is someone who mistypes or misconfigures a router and it can go through China before you know it. So although GDPR, and although we have a lot of legal and written safeguards, I think sometimes the technology is a little bit ahead of the law, and maybe a little bit ahead of our understanding of both how the technology and the law work. Which is an interesting viewpoint, because we were talking about the metaverse earlier on and I think there's some interaction here. I saw a gentleman at the back; I said we'd get to you, you had a question.

Yes. Good morning everyone.

Good morning.

So, OK, my question and concern is, I'm just thinking out of curiosity, that probably there's a fundamental issue even with the naming convention, and maybe that's why we have those disparities. Because when you look at GDPR it's saying General Data Protection Regulation, and there is actually a distinction between
data protection and privacy. You know, data protection is very technical, it has to do with the technical implication, while privacy is a legal issue. So my question is, is there a way... probably because when we look at the US, the US, I think, the California Consumer Privacy Act is very direct to privacy, but GDPR is saying protection. So the question is, is GDPR really a privacy regulation or a data protection regulation? So probably that's why we have those disparities and some people are thinking, should we adopt this, should we not? This is not clear. I think maybe it's something we need to discuss. Thank you.

I love having a panel of experts. This is what we call a hospital pass in rugby, this is the one you give to your mate so he gets injured. Over to you two.

Very good question, thank you. I agree, I agree it's more about data protection. [Laughter] It's about our privacy, but it's our data that is processed, so it's about this: to protect the data that is processed. Of course, by processing the data you can reach the privacy of an individual, so I think they are connected, and GDPR can be completed, with delay, regarding privacy, because there will be a regulation for electronic communication, I think soon released. So this will complete also... yeah, it will be a new tool in processing personal data in electronic communication, so together they will build a framework for protecting privacy. Why not? Because your data tells everything about you. If I know your hour and date of birth I can find a lot of things about you.

So then maybe they should change the name and make it the General Data Protection and Privacy Regulation, for clarity, I think. I don't know, it's something PECB and the professionals in the EU can take up. Thank you, actually a very good question, thank you for asking. I know several of us have talked about GDPR raising a high barrier, and we've talked about GDPR being applicable across all of the EU countries. Maybe they couldn't get to agree on privacy, so they just did data
protection because that was easier, and we know how difficult that was, to get GDPR from its initial thoughts into the place we are now. So I think maybe that we should look at this: GDPR, I don't think, is the final word. I think it's part of a journey, and you've mentioned things like the telecommunications and the various other bits and pieces coming through. I think the EU is on a journey where we will end up with, can I call it the EU Privacy Act, just as an example. I think we will end up there, but I think the journey will be done in small steps.

Oh, thank you very much. GDPR is a journey, not a destination.

Yes. Someone else had their hand up. Right, you've only got... we've got ten minutes, so we need to think of some summaries. So while we do the next question, start thinking of how we're going to summarize the discussion and actually answer the question, because we've gone completely off our script, so we have no answers now. But we're looking forward to... you raised your hand, sir, and there was another hand there. Yeah, thank you.

Hi, my name is Helen Walters, I'm a privacy manager in the UK, and I wanted to go back a little bit on the notion of consent, because it's again something very different depending on which legislation you look at. And interestingly, I don't remember giving my consent to being recorded. It might have been buried in the T's and C's, but what I find interesting is, how can it really be consent in this scenario? Because how would we manage withdrawal of consent if one of us said, actually, I've changed my mind and I don't want to be recorded? How is that going to be managed? I think that might be quite difficult.

No, don't take a photograph now, please don't take a photograph. OK.

And then the other thing is that we've made it quite... if we are using consent in this scenario, it's quite conditional. Well, you know, the other option I have is not to come, and under GDPR we can't make consent conditional. So, but it's interesting
because it's a challenge daily in companies. We want to do initiatives where we want to record people, and it's great, you know, we want to push employee engagement, etc., but consent is a notion that I find very difficult to work with under GDPR, and I'd love to hear your thoughts.

You mentioned consent. Check the box: beforehand, you should do an action for that, and you give your consent and read what you give your consent for. And this is why also you have a lot of times a privacy statement with consent, because there they explain, OK, what they will do with your data, how long they will keep it, for what destination. So this is why it is worthwhile, when you give your consent, to also have a look at the privacy statement, and the privacy statement doesn't need to be in incomprehensible language; it needs to be to the point and really clear what they are doing with your data. But consent in GDPR is a very, very important action, and it should always... it's true, it requires an action from you, well informed about what they are doing with the data.

Yeah, consent. We all gave consent. [Laughter] Then they blur you on the camera now, pixelate you. This is, I mean, a very specific example, but there is a big thing about informed consent and everything else. And having worked with an American company where we had half a million EU emails and they wanted to keep sending out information, and that's the "shut up, Adrian" alarm. They actually had... we actually had to go through all of those half million emails at the time and get consent and say, you know, do you still want to get our email? And we had to do it every six months just to keep it flowing. Informed consent, or consent of any type, is huge, and I don't think we've cracked it yet properly, with all the automation and with all the other bits and pieces we have. And talking about things like Facebook and everything else, everyone knows that
you should actively give consent, but I think it's sort of slipped down whereby if you're there, you're giving your consent. It's not as informed or as active as perhaps it should be. It could just be the fact that we focused on other bits of GDPR first to get those bits right, and that could be something we see more evidence of and more focus being put on from the EU. That's again a suggestion rather than a factual comment. Right, OK, we've got enough time for two questions and summaries, so we'll do the gentleman at the front, please, and then we'll do our American friend, don't worry.

Hello, good morning everybody, from Algeria.

OK, north of Africa then.

I have two questions if possible. One is outside of the comparison of GDPR and the US data privacy legislation. I think we should enlarge the approach, then we apply it to Africa, Asia. It isn't the problem of a region, particularly Europe or the US; data is universal. Then when we speak about two regions I think it is not pertinent for us, or for another Asian person. And another question, if possible, about a bad consent: when I surf on the internet we have "cookies, accept please", and if you please accept... it's an obligation to accept to access the site, to see it. I think it's not a solution; it's a form of obligation to give a consent. Thanks.

No problem. Any thoughts about cookies and so on?

I want to reflect on the first question that you had about the sort of universal privacy approach. I think in the long term it is going to be there. Part of my job is that I'm a chair of a working group within NEN, the Dutch standardization institute, and within that, within privacy, I see a lot of ISO standards regarding elements of privacy, and I think ultimately there will be
like a universal level of privacy that is incorporated by ISO.

Yes, I think also that there are two big camps of privacy or data protection legislation, so many countries have adopted an EU-like model globally, and I'm thinking here South Africa and Australia are quite good examples, if I remember correctly, and others have gone either a US or a Chinese way. So there are some big camps, and I think eventually they'll meet somewhere in the middle.

Exactly.

But yes, it's a confirmation.

Yeah, as a compromise.

Yes, about the cookies, indeed that's an interesting one, because in fact cookies should be made easy to refuse, and a lot of companies make errors against that, because it's all checked in the box that you accept all; it's made easy. It should be the other side: as difficult to accept. A lot of companies also get fines for that. So Facebook got a fine for that in France, 60 million euros, because they made their cookies not easy to refuse. The same with Google, Google got a fine for that also in France. It was the same, Google, Facebook, because they made their cookies too easy to accept all. A lot of mistakes are made against that.

Yeah, there are only two regulators in the world who scare me. The first is the Monetary Authority of Singapore, yeah, you know, if you know you know. The other one is the CNIL. They are awesome at data protection and they really do go for it. Anyway, sorry, you were going to say something.

Things have changed in the last two years, because on many sites I see that pop-up that leaves you the options as it should be, like the cookie shouldn't be set up as accepted by default. You can choose for each cookie which cookie you accept. There are some cookies that are necessary, technical cookies, but otherwise there are advertising cookies, marketing cookies and so on that by default should not be accepted, and as a user you should see the list and review them. But if you click
OK, the site shouldn't activate all the cookies; it should go without them. So you should have the options, and also the opt-out options which all the browsers had, but developers are lazy, right? It's easy to program the website with all the cookies working; it is harder without the cookies working.

There is a right panel. Time to think of your one-line summary, but we'll go and have our American friend's final question.

I have a question, so do the question right now. OK, Michael Redmond again. We just finished, a number of us just finished taking the digital transformation course here, we finished yesterday, and part of our main course was about how we can get new and better data to use, so we do know who took that cookie at six a.m. in the morning. It's different if I'm finding it or having it. And the new technology that's come up. My question is: ISO 27701, that ties in with ISO 27001, which deals with the security aspects and such; 27001 was just updated, but 27701 was not updated, and that deals with the privacy aspects. So my question is, how do we, even in the ISO world, dealing with that, since PECB is predominantly ISO classes, how do we deal with the digitization which we want to do? We want to get bigger and better, we want to be able to eventually have Siri just call us and say, by the way, so-and-so needs cookies, just send them, they don't know it yet. You know, we want to get to that point where the refrigerator calls and says "I'm almost out of milk, tell them to send it". In the class we took, that's our goal. On the other side is privacy. How do we deal with ISO 27701 and implement that? And do you think, obviously, you know, 160 countries agreed on it based on the technology now, how often, knowing how ISO often doesn't update for seven years, you know, how often do
you think it's going to be updated? Or five? Well, there have been some that have not been done since 2000-whatever, sometimes seven years old, supposed to be... we know it sooner but it's not been happening. So my question is, how does the ISO world deal with that aspect, with all of these new changes coming up, considering the security aspects of it and the privacy aspects, and how do they tie that closer together?

Could I answer that? Yes, because we met a lot of working groups regarding this. What they do is they take a specific, very specific element, and then they try to gather experts from all around the world to just cover that specific aspect. So there are hundreds of new ISO standards coming up, all dealing with a different, very specific element. That's the way that they do it, but they don't have a global... they have a global overview of all the different standards, but they don't have one standard that covers it all. They don't, and they probably never will.

Don't say no, don't say anything. OK, so obviously from my ISO viewpoint, I don't think we'll ever be able to write an ISO standard that covers "privacy" or "data protection", in inverted commas. I think a lot of it will focus more on trying to solve particular problems, like IoT cyber security, or protection of information, or protection of data in the IoT environment. It's just the nature of the beast. I don't think we'll ever get in front of it. Laws, regulations and standards never ever really get in front of the technology or the pace of change, just by their very nature. So I think we're going to go through cycles whereby we'll have digital transformation and it's a free-for-all, where it's a little bit like the Wild West, where some companies just say, oh whatever, if we get fined we get fined, we'll live, and other companies will be quite sensible, and eventually we'll come to a point where those that do the right thing by the consumer, and the consumer thinks they're getting value
and they're not getting their data ripped off, they're the ones that will survive. But that doesn't mean that the data protection that we now recognize may be enforced in 20 years' time. I think this, going back to your comment, which wasn't flippant at all, which is: this is going to be a journey. There will never actually be a point where we can say we've solved this problem. I think it's a job for life, maybe quite a few lives, but we'll cross that bridge when we come to it. So, thank you very much for your participation. I have five points that I've kind of got out of the conversation today. Would you like to start off your quick summary, and then we'll close?

I think that if we can all work towards a universal standard that is somewhat lowering the bar compared to what we have now, but we can all in the world make use of it, that would be a great benefit.

Brilliant.

Yeah, I wanted to say something about the Privacy Shield, the data protection shield. So that was an effective framework between the EU and the US until 2020, because there was a case against it. It was Max Schrems, who is an Austrian lawyer and a privacy activist. And what was the problem, so why doesn't that exist anymore? Because in America authorities could get access to the data whenever they wanted, so that was a big problem. And the second thing is that in the US there is no independent institute if one EU citizen has a complaint; that was a second problem. And the third problem: because you have now the standard contractual clauses between the EU and the US, so they can be used only if technical and organizational measures can be taken to protect the data. So still now we use this, but you have to know that now, in 2022, the leaders of the US under Biden and the EU announced that a new data transfer framework had been agreed to in principle. So we expect this, I hope, very soon. So it will be, I hope, a new Privacy Shield, not
a Schrems III, because I hope that it will be OK. So that is coming up.

Thank you, thank you. Your quick summary, please.

Summary, quick summary. I think that the US and EU, as some of you probably mentioned, have different legislative experience, different history, different points of view, in particular for data protection, in general for privacy. I think that in Europe we have this great experience for protecting personal data, which should help our business partners from the US to implement effective compliance programs. And at the public level, I think that the US should be supported to adopt a federal act that covers all the US. They can learn from the EU, from the UK and a lot of states across the globe, and they should do something to prevent the risks that can occur in the future, because they have a lot of practice available.

Excellent. So I'm going to say, simply, I don't think either of them is better. I don't think there's any real thing about success or not here. I just think they're different, and actually the best thing we can do is embrace those differences, work out where the interactions and the connections are, and work to make those as strong as possible, because that is how we'll actually get to what we've been talking about here, which is better understanding globally, better ways forward globally, and better data protection. Please join me in thanking the panel. Thank you very much, and thank you very much for voicing your opinions and joining in, really appreciate it. Thank you. [Applause] [Music]
Info
Channel: PECB
Views: 2,252
Id: 6095PAw12D8
Length: 65min 48sec (3948 seconds)
Published: Tue Dec 20 2022