Navigating Privacy Landscapes: US State Privacy Laws, UK Data Protection, and Cross-Border Transfers

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies. Hello,

Justin Daniels 0:37

Justin Daniels here. I am a Corporate M&A and Tech Transaction Partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 1:03

And this episode is brought to you by Red Clover advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

Justin Daniels 1:47

Well, I’ve been shushed so I won’t say much more.

Jodi Daniels 1:51

I think we have a little bit of our long Thanksgiving recording break. We’re trying to remember what we do in the flurry of end of year NIS.

Justin Daniels 2:01

Yes, well, my job is to have fun at your expense.

Jodi Daniels 2:04

Oh, I see. Okay, very well. You should introduce our guests.

Justin Daniels 2:07

You want me? Alright. I’ll be happy to do so — our guest, well, we’re excited to have our guest today who is Robert Bateman who is a freelancer who provides privacy and data protection services in areas such as consulting, writing and training. After becoming unexpectedly obsessed with data protection in around 2017, Robert has not shut up about it since. That’s a pretty good metaphor for what I was told to do. He has written over 1,000 articles on the topic and interviewed important figures in the sector such as Max Schrems and Johnny Ryan. Robert, welcome to the mayhem.

Jodi Daniels 2:50

We’re gonna get you some bigger reading glasses. Holiday Gift,

Justin Daniels 2:57

After what you did to our holiday card, really?

Robert Bateman 2:59

Great intro. Love the banter. Really good to be here. Thanks for the invite.

Jodi Daniels 3:06

Well, absolutely. Well, Robert, we learned a little bit about how you got into data protection. But we’d love to learn how you unexpectedly became obsessed with it and how you got to where you are today.

Robert Bateman 3:20

So I was doing a lot of green. So not a particularly unconventional introduction to the topic. And I decided to do my research project on something called the immigration exemption in the UK. And this is a very ugly piece of law that has since been overturned, which allowed controllers, so anyone from the government to people working on behalf of the government in this case, to basically ditch the whole GDPR and the Data Protection Act, if it would interfere with the management of immigration to for example, answer someone’s subject access request or, you know, honor the right to erasure. So this was my entry point into the law. And I considered whether this horrible provision works in scope of the European Convention on Human Rights. It turns out, someone did take this to court and they won on a different argument, but I was partly vindicated there. So I started writing freelance as a side job about GDPR. This was 2017 2018. So everyone was talking about the CCPA and the GDPR. And they wanted articles about pretty much everything to do with these two laws. And so that was really my baptism into the sector. Just writing, writing, writing about every article of the law or the recitals, all surrounding laws in Canada and in Singapore. So I was pretty much learning on the job, and eventually took it full time. And I worked for a media company until earlier this year, interviewing people doing panels, running events related to data protection. And since going solo, for the second time this year, I’ve been doing some advice and training in the area as well.

Jodi Daniels 5:28

It’s always fun to see, I imagine if you wanted to keep writing, there is no shortage of laws to keep you busy on writing, we just are on a growth trajectory, if you will, of privacy laws and interpretations of them around the world.

Robert Bateman 5:43

Sure, I mean, the woman, I don’t know about my main area, but a big area for me now is the US where privacy law is, you know, since since the CCPA, is, I think it’s more complicated than Europe. Now. There’s just so much going on so many different exemptions, and, you know, application thresholds. And it’s advising on this stuff, I kind of put it into life as to how complicated this stuff is in practice. So there’s no shortage of new developments. So you say, and the writing, I still do a lot of writing. And it’s a tricky topic to write about, because there’s a million people waiting to jump on any mistakes or misinterpretations, which really keeps me on my toes. And it’s quite niche. AI content generators do not understand it well, yet. The outputs are always hideous and bland and contain many errors. So I’m not out of a job yet in that regard, and could change quite soon they are getting better. But like you say, still developing very quickly, every single week, there’s new stuff to write about. So a lot

Justin Daniels 7:08

is happening on the UK Data Protection scene, particularly with the EU AI Act, just to name one. What are the hot stories of the day that maybe people are not focused on?

Robert Bateman 7:19

In the UK, we are still obsessing about Brexit, which happened in the first instance, what is it seven years ago, the consequences are still being dealt with. And so the UK is trying to balance going his own way with regard to data protection law, and AI regulation, like you say, with trying to maintain a good relationship with the EU and keep people trading with Europe. So I suppose the most significant story right now is that the government is reforming the GDPR and the privacy law. And the amendments are quite controversial, quite complicated. And UK data protection and privacy professionals have been sitting in uncertainty for a very long time, we had the government constantly deriving the GPR is, you know, a waste of time bureaucratic red tape, and so on that they were going to strip away. We had a consultation that went on for a long time, we’ve had two versions of this reform bill, everyone’s trying to get their heads around it. And then last week, a week before the bill was due to progress to the second chamber, the Government published 124 pages of amendments for everyone to to understand and negotiate in time for, for that progression. So that’s the most significant thing that’s happening. I can talk a bit about the reforms themselves. But there’s a very difficult balancing act for the UK to maintain it adequacy decision with the EU, which means our standards are high enough to receive personal data from EU companies basically, and also trying to adapt the law to a more kind of English style legal system, which I think I agree with. While I didn’t vote for Brexit, I do agree that our legal system is quite different. It’s kind of more similar to yours in the US than to most European countries. So there’s only so much they can do only so far they can go the government. The present government is not crazy about privacy. They are not really interested in that area of human rights or other areas, indeed. So there has been a bit of outrage about what they’re trying to do. Some of that’s misplaced, I think, because a lot of these reforms are quite moderate. But there are some worrying things in there about monitoring bank accounts and so on and identity verification that most privacy professionals are a little bit cautious about. There are some interesting ideas, it’s just a question of how far they will help companies or benefits. Anyone.

Jodi Daniels 10:27

Robert, can you share a little bit more details about some of those you mentioned some of the reforms are being suggested or moderate. And then identity verification and monitoring bank accounts has maybe two examples. Can you help us a little bit further and what those reforms are, and maybe what that might mean for a UK individual?

Robert Bateman 10:46

Well, for the privacy pros, listening who wants to who understand the GPR, and want to compare what the UK might have next year, to what it has now, the UK GDPR, as it’s called, is the same still as the EU one effectively, there’s some syntactical amendments, you know, replacing references to the EU with references to the UK and so on. The main changes are around data subjects rights. So they were thinking about charging, allowing controllers to charge people every time they wanted to see their data or delete their data, so on, they didn’t go through with that in the end. But they have changed the threshold at which you can reject or charge for subject access requests. So now, businesses or other organizations will be able to say that the request is vexatious, rather than the EU wording, which is manifestly unfounded, which I was thought was a bit of a strange phrase anyway, Other changes include in the area of legitimate interests, the government’s going to come up with a list of things that are automatically allowed under that legal bases. So for example, sharing data in emergencies, those sorts of things, cooperating with the police, there’s quite a lot in there about public authorities, government bodies, being able to do what they want to do without the law kind of getting in a way and giving organizations a green green light to cooperate with those authorities, the most controversial bits have, well, there’s quite worrying bit, the no one has quite digested yet, I think, in the amendments, which will allow the government to order banks to monitor the accounts of people who may or may not be receiving benefit payments or welfare, and report back to the government about their spending activity. So I think that’s mostly to try to reduce welfare fraud. But there’s some concern that it might also lead to the government saying, Well, you know, why, what are you doing buying lottery tickets or a bottle of wine, on the benefits that we give you? I don’t know, I haven’t examined those clauses in detail. But there is some concern that they might need to that sort of thing. The identity verification stuff, there are a lot of startups and new players in the market for electronic identity verification in the UK. And some of the stuff around that is I think the government tried to boost that sort of sector of the economy. So in England, and and the rest of the UK, we don’t have like an ID card, like you get in most European countries, or is the same as in the US, you know, you kind of you have some choices about how official your identity is, you know, you’ve got a driving license or whatever. But there’s no centralized ID system. So I think that that could be what is in the works here in the UK. And there’s other stuff about maybe training AI models might be a little easier under this law, and doing scientific research, which I think that there should be some flexibility. Perhaps it should be clear in the GDPR, whether that kind of thing is allowed and under what circumstances. It’s got the privacy campaign groups very upset, which there’s, you know, I’m glad they’re, they’re scrutinizing it very closely, but some of the ideas in there and not bad. It’s just a question of how much it will help UK organizations. Given that we still have to deal so closely with the EU, we very much have the, the size and the power of that, of that union means that they can pretty much dictate the terms of business you know the UK is quite a small country compared to the whole of the EU. So whether it changes much in practice is not entirely clear.

Jodi Daniels 15:10

I appreciate the additional explanation, it will be fascinating to see what transpires, I feel like I’m just gonna continue doing what I always am when it comes to these kinds of things I wait.

Robert Bateman 15:20

yeah, yeah, the many, many companies I think will not have to change much if they don’t want to. And many won’t be able to because, you know, they have to, they have to meet the EU rules, the UK only companies, they’re getting rid of the Data Protection Officer, for example, that will now become the senior responsible individual. And that has to be someone on the board of the company or director level. And they don’t have to have any data protection expertise. So you might have the CEO thinking I could do what EPO has been doing for the last five years, I’ll give that a go. And taking on that task for themselves to those issues there with independence and conflict of interest, they can delegate those jobs to a data protection officer. I think companies that are doing the right thing already will continue to do the right thing. After the changes, there might be some areas where they could leverage some of those changes. But companies that are already doing the wrong thing or not doing what they should be doing will probably continue not doing what they should be doing. And this won’t change their approach.

Justin Daniels 16:35

Well, it sounds like a lot of companies are still trying to figure out this cross border thing. You know, what, what should they know when they’re trying to figure that out between standard contract clauses, data protection frameworks, it can be quite intimidating. If you’re a US company or whoever looking to do business in the EU, and the UK very —

Robert Bateman 16:55

It’s very intimidating. And the rules are technically the same in the UK, still, those will be loosened up a bit with the reform. And we’re going to see the government’s approving quite a lot of adequacy decisions, I think. But the Schrems II case caused a lot of chaos. And that technically applies in the UK, because we haven’t fully left the EU at that point. So when working with Well, I do some training on data protection, international data transfers. And the European interpretation of this case is so strict, that is really quite disheartening. Because technically, if you wanted to comply with the rules strictly, until quite recently, when the US and the EU and the EU, you know negotiated this new framework, you wouldn’t technically be able to use Gmail, or, you know, as your or Google Analytics, all these things were really considered to be too high risk for the European data protection boards interpretation of the rules. Now, the UK regulator is a lot less strict than most of those European counterparts. So as always had a slightly looser interpretation of those rules than the EU is. Now I happen to think if you read the law, the European interpretation is probably the right one. But if we just suddenly, you know, in those Schrems II years, if we suddenly flipped a switch and made everyone 100% compliant with the data transfer rules, I think that society would collapse into chaos and planes would fall out of the sky, because the the transfer of data is so integral to our economy. And so, so important, and so the US companies are so heavily integrated into European and UK systems, that really it was impractical the strict interpretation of the rules. So in the UK, we’re likely to see adequacy decisions in respect of UK in their thinking, India, Brazil, Singapore. And of course, we have the US deal. Lots of other Kenya, lots of countries with fairly decent data protection rules that might not pass muster with the EU. So that is a big thing. And I do think that needs fixing, you know, the data transfer problem. If the trans takes down the new framework, then the UK will actually be in quite a good position because it won’t affect the UK’s deal with the US only the US. So then we’ll have one jurisdiction next door where things are really difficult again, and people will become very discouraged with that with the adequacy process. And what about the UK where you can just work with US companies, you know, as you like. There are privacy implications, of course. But from a pragmatic perspective, most organizations will be happier with the UK is arrangement, I think, which is still, you know, it’s still the US rules, just a slightly looser interpretation of them.

Jodi Daniels 20:22

Robert, you mentioned that some view, the ICO regulator is being a little bit looser, more forgiving than some of the EU counterparts. And when it comes to cookies, though, that they’ve recently come forward and really are trying to get organizations to realize no, no, no, you actually have to take our cookie requirements seriously. And there might be some type of sweep and review. Can you share a little bit more about that and what companies should be doing?

Robert Bateman 20:54

Yeah, sure. So I’ll talk a bit about the ICO. In general, the UK is a regulator and then what they’re doing on cookies. So I’ll try not to be too cynical about the ICO because there’s a huge caseload. They do have a big budget for for a data protection regulator, but I’m sure it’s not big enough to do everything they really should be doing. So like all regulators in Europe, I think they are the highest funded, but they do have a huge backlog of complaints to get through. And then some people are very aggrieved that they haven’t dealt with their complaint in the way that the data subject would like. But they do have a lot of discretion. And this was confirmed in court the other week to deal with complaints as they see fit. So we have a new commissioner come in a couple of years ago, John Edwards. And there has been a lot of criticism about Edwards leadership with the ICAO, the previous Commissioner wasn’t strict either. Elizabeth Denham and Edwards has probably done less enforcement still. So he came up with a policy whereby public authorities don’t get fines they might get where they get reprimands generally. So these are non-binding recommendations for how to improve data protection compliance, but that is not enforcement, per se. Now, that was announced as a public sector policy, because it just makes some kind of sense to say, What’s the point in moving money around and, you know, from government bodies to the ICO. But it also seems to apply in the private sector, because I think we’ve had one GDPR phone this year, I think we’ve had about 12, since the GDPR came in, there have been fairly large and high profile decisions. But other regulators like in Spain, for example, take the exact opposite approach, we get 1015 fines a week, or really small, you know, a couple of 100 euros, couple of 1000 euros, small businesses, individuals, just slamming out these tiny penalties, whereas the ICO lights to make a bit more of a show of bigger enforcement cases on the cookies. So we know now, people have been urging the ICAO to do something about cookies for a long time. They do enforce on the privacy stuff, but only with regards to nuisance calls, you know, spam phone calls, which is really important because we get, you know, old ladies getting conned out of 1000s of pounds. So that is an important area. But they’ve never done anything on cookies until quite recently. Now what they have made clear is that they want to see acceptable and reject all on the cookie banner and the first layer. So you have a clear, easy choice: acceptable or reject all when you go to a website should be just as easy to reject as it is to to accept. So I think that’s a fair interpretation of the law. It’s not the only interpretation. But the ICAO doesn’t like to take clear positions. So I’m glad they have in that regard. And what they’ve done is they’ve written to, I think the wording was, some of the UK is most visited websites to remind them of their obligations under the law and give them 30 days to put that type of cookie batter in place. So accept or reject or if they don’t comply within 30 days, then all we know is that the ICO is going to publish the names of these companies. So I’d like to contrast this actually with some regulatory activity in the US, where you may have heard out the joint letter from the FTC, and the Office of Civil Rights, they wrote to I think 130 healthcare companies about the use of Google Analytics and the meta pixel on their websites. And this letter was very stern. And they named the companies actually, you know, as they sent the letter, so we know which they are. The Ico hasn’t unfortunately published the letter it’s sent to controllers in the UK would be really good to see it, I think, and it hasn’t named them. I think that’s okay. Because maybe it’s a bargaining position. You know, if you don’t do what we say we’ll publish your name, but it is, I would hesitate to call it enforcement at this point, because it’s, it’s, I suppose it’s a warning. I’m not sure that GDPR mentions warnings per se, or at least, the ICAO itself doesn’t consider a warning to be an enforcement notice. So it’s something and it’s good to see something in that area, because I think cookies are cooking appliances is actually going a bit better on those websites. That are I still don’t like having to go to the menu and choose all the opt outs and everything. So hopefully, that will have some sort of impact. It is hard to say until we know what the ICO does next. If it’s nothing, then that will be disappointing.

Jodi Daniels 26:31

Indeed, and we certainly have a long way to go and what cookie compliance could look like, but at least we should be meeting at the current state right now. And I’ve never understood sites that have accept with no reject, because it’s not accepting if there’s no other option for me, managing my settings, in my opinion is not the, the opposite of accept. So I’m excited to see accept and reject. I’ve kind of been on accept and reject missing mission.

Robert Bateman 26:57

One thing I mean, they could, I guess maybe they do so in the letter. But the most important thing is that the buttons work, you know, and you’re not having cookies sets before you make a choice. Yes. Which is very common, you know, they set the cookies, and then you can kind of opt out with them. Which is

Jodi Daniels 27:17

no, that’s the US approach. educate everyone. That’s how it works here. Yeah. UK is different. Well, yes, that’s right. It’s opt in what Robert just said, you have that. Okay, so could you summarize for everyone in the US, you can drop the cookie, and then let me opt out, I still think you should have accept and reject. California law also says something very similar about symmetry in the setting. And then our friends overseas are more of an opt in approach. Don’t set the cookie until you have me hit the Accept button. And in your option I should have accept or reject. So one click reject. And then nothing happens. And everyone should be doing cookie audits and cookie reviews and cookie categorizations. And maybe there’s a whole long list we can do an entire episode on cookies not to be confused with yesterday when it was national cookie day.

Robert Bateman 28:12

Oh, it was?

Jodi Daniels 28:13

It was national cookie day. I have a poll going on LinkedIn. By the time this airs, it might be closed. But for anyone interested you can go and you where’s your favorite cookie falling on the pole. And these are actual real cookies, not the digital. Oh, chocolate chip chocolate chip cookies.

Robert Bateman 28:30

UK chocolate chip cookies as cookies, everything else is a biscuit. So yeah, which is something else completely in the US.

Jodi Daniels 28:40

So we’re gonna convince everyone that a chocolate chip us cookie is the way to go.

Robert Bateman 28:45

I’ll go for chocolate chip. Now the UK I should mention actually is going opt-out for analytics cookies. This is another one of the reforms. So marketing cookies will still be locked in. The analytics cookies will be locked out. I personally don’t think I think that’s okay — personally. But a lot of people who are more I don’t. I will just say puritanical about these things are very worried about that. I think analytics cookies. And there are guardrails, you know, first-party or this kind of stuff. So I think that’s probably quite a sensible change. So we will be closer to the US position after these laws, paths, but marketing is still the opt in. Alright, Justin, you’re all clear now.

Justin Daniels 29:36

I guess my question for the two of you is how many people do you think who are just out there either UK residents or US residents go to a website and consciously think about, oh, I have choices here when it comes to what data they collect for privacy. I think most people are just oblivious to it, which is why the big tech companies just vacuum up data.

Jodi Daniels 29:57

Most people don’t know and they do hit the reject button, which is why you need a reject button because a regular person doesn’t understand the difference and going to manage my settings, they’re just gonna get overwhelmed and find the easiest button to hit reject. Anyways, now they are just annoyed at the process.

Robert Bateman 30:16

Yeah, what do you think about this? Jodi and Justin, Cookie banners? Have you been to Europe and seen European cookie banners in action in the wild, because they are very annoying. But that’s kind of not the laws fault, in a way, because as you know, they should be unobtrusive. They should sit there in the corner. If for some reason you want cookies, then you can click on it. But if you don’t, then you can go about your day. It shouldn’t be blocking the website. It shouldn’t be forcing you to pay, like many news publications or started doing as a whole other kettle of fish. But I think if the law were applied in that area in the way it should be, the internet and the digital economy will be quite different. And people wouldn’t — cookies wouldn’t have such a bad reputation. I didn’t think because people would, you know, those who wanted them be like personalized ads would opt in, and those who didn’t would barely notice that the cookie banner.

Justin Daniels 31:20

So Robert, as we always like to ask, what is your best privacy or security tip that our viewers might benefit from?

Robert Bateman 31:28

So do you mean for professional practitioner or for consumer, as they’re known?

Justin Daniels 31:38

Why don’t we go with the professional this time?

Robert Bateman 31:42

Agenda is a really well, well worn piece of advice, learn how to read statutes, is my number one tip, because I’ve read so many privacy and data protection laws, that when a new one is published, like happens in the us all the time at the moment, I kind of know where to how to navigate it, you know, I do a lot of Ctrl+F, looking for the important bits that I want to think about and see what it says about and the US laws are very hard to read for Europeans, I think because there’s a lot of, you know, they’re all part of some civil code or general statutes. And there’s a lot of scrolling up and down looking at the previous section. And the cross referencing other laws and quite arcane language, the GPR is complicated in its own way. But if you get to grips with how to read them, what sorts of things normally appear in them, that’s the best thing you can do. Because of course, the statutes, and the court decisions around them are the most important source of rules and principles. So I’m sure many people have said this, but get to grips with the primary law. And that’s always going to be the starting point once you can do that.

Jodi Daniels 33:06

And when you are not. Oh, I’m so sorry. Were you going to say something extra? Well, I was going to ask when you are not studying privacy law statutes, or writing about them, or producing really great videos what you do all the time, everyone should be following or having a biscuit or having a biscuit. What do you like to do for fun?

Robert Bateman 33:27

So I’m not very well, at the moment. I’ve had some health issues, but I love going to the gym. That’s a really annoying answer. But I like weightlifting. I like AI. Apart from a select few, including your own, I tend not to listen to privacy-related podcasts because I love podcasts. And I kind of want to separate that off from my professional life. So listen to loads of podcasts. I have a daughter, who I love looking after seven years old. So she’s great fun. And she wasn’t as a baby. I think I might have hated her for a very short period early in her life. But since then she has been an absolute dream. And reading. I hate sports, unfortunately. So I can’t I don’t know how to watch sports. But apart from weightlifting, which I enjoy doing. That makes me sad because I can’t do it at the moment. So going into restaurants, of course is a great thing. All quite generic stuff. I’ve just realized that ego, an everyman.

Jodi Daniels 34:46

I don’t think they’re generic. I think they’re things that you find joy in and that’s what’s most important. Now, what’s also very important is how can people connect with you and follow all your great content? Where should we send them?

Robert Bateman 35:00

LinkedIn is my main platform right now. And I think my handle is protection of data. But you can search up Robert Bateman. And I bet I, the first result, if you’re listening to this, and Twitter, I used to love that. No, not anymore. It’s really got very bad recently, I can’t handle it. I still Tweet from time to time. But I put a lot of effort into LinkedIn. And people are so nice on LinkedIn, so clever, I get so many great responses. If you’re not into LinkedIn, then I strongly recommend getting involved because there’s so many great people on there. I’ve learned so much from everyone. You can bounce ideas off each other. And yeah, LinkedIn is the place.

Jodi Daniels 35:50

Well, Robert, thank you so much for sharing all your expertise. I’ve really enjoyed listening and reading from you on LinkedIn. So to all of our listeners, I highly encourage following Robert as well.

Robert Bateman 35:59

Great. And same goes for Red Clover Advisors and I’m sure you’re constantly very good to Justin. I recommend that too.

Jodi Daniels 36:10

Thank you.

Outro 36:16

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.