Rohan Massey Provides a Deep Dive on Data Privacy Framework & Cross Borders

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and certified informational privacy professional, providing practical privacy advice to overwhelmed companies. Hello,

Justin Daniels  0:37  

Justin Daniels here. I am a corporate M&A and transactional attorney, equity partner at the law firm Baker Donelson, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:59  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers to learn more, and check out our best selling book Data Reimagined: Building Trust One Byte at a Time, go to redcloveradvisors.com Well, today is going to be super fun, because we are Why are you laughing at me? I haven’t even gotten started.

Justin Daniels  1:41  

Because you’re extremely chatty today. Have you had a lot of coffee?

Jodi Daniels  1:44  

I only had my one little coffee mug. It’s because I got up really, really early. Okay. Okay, if you say so. Yeah, it’s Friday, that it is, well might not be Friday to when you’re listening. But we’re going to get started because we have a lot to cover. Apparently we do. So we have Rohan Massey, who is the leader of the privacy and cybersecurity practice at ropes and gray based in London. Rohan specializes in advising on complex global data protection and security compliance programs. His expertise is on the intersection of the extraterritorial scope of national data protection laws and data transfer issues for multinational organizations, which is exactly what we’re going to talk about today.

Justin Daniels  2:29  

And I might have to pull an audible and ask a little bit about the EU AI Act.

Jodi Daniels  2:34  

Oh, no, we’re gonna keep it focused, you can have a different conversation. Okay. But you can get a start.

Justin Daniels  2:43  

So, Rohan, welcome to the mayhem here on a Friday with the espresso shot over here myself. Could you give us a little background about yourself and your career journey and how you got to where you are at this point?

Rohan Massey  2:59  

Yeah, well, good to be here. Thank you very much for inviting me on the show today. Yes, so I started off as an English teacher in Japan in the mid 90s. So I don’t quite know how I ended up here. But it was, it has been a long and fun journey. I when I was over in Japan, I started using a thing called email, it was very new, then, on a very slow dial up internet connection. I came back to the UK talking about more and more about the internet. And people looked at me blankly. And then sort of moving into law as putting the technology group and asked to deal with all things related to the internet, which included at the time, a very dry area of data protection notices. So I started drafting those notices, and more and more of them came in. And it was pretty soul destroying work, to be honest. But then something happened in 2007. I think changed world which was the invention of the iPhone, data went crazy. My practice exploded in the data space, regulation of data, personal data and security of data has taken in variable leaps in the last 10 years. And that’s where I’ve ended up today practicing in both data and cybersecurity.

Jodi Daniels  4:02  

Well, speaking of interesting hops and journeys, the ability to try and move data between the EU and other countries has taken a lot of interesting twists and turns. And we’re gonna really focus on the movement between the EU and the US because we now have kind of a third iteration called the data privacy framework or the DPF. And many people listening will understand what that is, but let’s kind of do a level set. Can you explain what is the data privacy framework? And what does it mean for companies?

Rohan Massey  4:38  

You’re probably best to start with the data protection regime in Europe. So personal data in Europe is governed by the General Data Protection Regulation, which basically says you can pre flow personal data around Europe quite easily and with no, no barriers, but if you take it outside of the EU, it has to have the same protection as being on the inside. So that’s what we’re looking for in a sort of global basis. And the fact that data now does move seamlessly through borders. So we’re looking for it to be protected. Yeah, there are certain ways of doing that. One of the ways is by putting in contracts where two organizations, and agree to meet the requirements of the data protection GDPR. Another way of doing it is that the European Commission looks at a state or a jurisdiction, and says, actually, the laws that you have in place reflect what we have in Europe. So we will whitelist you and give you what is called an adequacy decision, meaning that data can flow freely to state as well. And then we have sort of other models for organizations called binding corporate rules, which basically was a group of companies has the same ability to protect the data flowing within the group. So when we look across the Atlantic, there was never an adequacy decision at for the US model, one of the main reasons being the US does not have an omnibus approach to data protection, as we do in Europe, Europe has this very broad regulation that covers any data that identifies an individual, the US doesn’t have that it has quite a sectoral a fote approach. So it may be financial data, it may be health data, it doesn’t have the omnibus general approach. But obviously, transatlantic data flows are critical to the digital economy, we saw the growth in the last 2030 years of tech businesses on the West Coast of the US, we have to have a means of getting data across the Atlantic. So a political decision and engagement was involved, whereby we’ve created a is what was initially a safe harbor, where organizations in the US could represent and certify to the US government that they would meet the European requirements, they went on a public list, and then anybody from Europe could transfer data that within scope of their certification freely to them without having to take other steps. So that’s basically where we end up now with exactly that same principle framework that started off with the safe harbor went to the Privacy Shield and is now in the framework, whereby US organizations certify that they will meet the data protection requirements under European law, and go certifies be on the list. Once they’re on the list, personal data can be transferred to them.

Jodi Daniels  7:22  

It was the big party over here when that news broke. So many companies very, very excited that this is back in motion. Did you so

Justin Daniels  7:35  

the DPF impacts companies whether they certify or not? Can you talk to the audience a little bit more about the details of some of these impacts? Sure.

Rohan Massey  7:48  

So the reason that we’re at the DPF now on the data protection framework is because there was a challenge under the previous two models, so under Safe Harbor, and under the Privacy Shield, European individual called Max Schrems challenge the validity of of the actual Safe Harbor because he was saying, actually in the US, we know from the Snowden leaks, that there was sort of massive screw, inception of data by the US intelligence services. And that certain rights of redress for individuals who are not being adequately met when the data was in the US, therefore, no matter what was said, it wasn’t being given the protection. That was that was sought. And the European Court agreed with it, which is why we found the Privacy Shield and safe harbor both invalid. So in the negotiation and development of the data privacy framework, these specific areas have been looked at and addressed. So there has been an executive order signed by President Biden that came into force to put in place certain limitations both on national surveillance to ensure that there wasn’t the sort of mass indiscriminate surveillance that was being used previously, and also to create a court of ability and mechanism for redress for individuals. So these two areas are really important, because they’re important, not just for the framework, which they now support, but also because when the framework went down, one of the other mechanisms for international data transfers, the standard contractual clauses was found to be valid, provided you did an assessment of the jurisdiction to which the data was being transferred to where the other recipient entity was, and you had to look at their jurisdiction say, is it still adequate? Is it safe? Does it have mechanisms in it for all these sort of things? Now that we’ve got the US position under the framework saying, Yes, we do have a redress system? No, we do not have indiscriminate mass surveillance, that actually covers everything, not just those on the framework. It will also support those using SCCs so they can look and say, Actually, when I look at the risk for the data going to the US now, it’s not as high risk because we know that there is the executive replaced with regard with regard to minimization of surveillance, there’s also the adjustments to be placed that I can use as well. And that will support all organizations. So that’s a real benefit. Yeah, we will have to see how far this is. This goes, we haven’t yet seen it in practice. But I think that’s going to be really important, it will make reliance on clauses a lot easier, which in some cases is necessary.

Jodi Daniels  10:24  

A lot of companies that I have seen, they have been asked by their clients to house the data locally in the EU, do you think you will? I don’t know if you’re either hearing from companies that this will still be a practice? Or do you think that there will be a little bit of a shift away from that, given these new frameworks that we have?

Rohan Massey  10:50  

Yeah, I think it’s kind of a commercial answer. Because I think, through some jurisdictions, we saw when the Privacy Shield was found invalid, basically, well, there’s no real way you can transfer data safely to the US now, even if you’re using standard contractual clauses. So for that reason, the data should stay in Europe. I don’t think that’s actually right. Yeah, it is quite clear under the GDPR, that we will, there is an intention to allow data to be shared internationally, and to travel internationally, provided that it’s protected. So I think that the fact that we now have a system in place that hopefully will be robust enough to ensure that that, that sort of long life to the, to the adequate levels of protection under the frame, but it should allow for much greater to data flows and the organization actually, commercially, it’s sensible for us or efficient for us to host this in the US. And we can now host it in here adequately. And with that sort of confidence. One of the troubles that organizations have faced for the last five years now is the constant change and threat of not knowing, yeah, we’ve used the privacy, we went from Safe Harbor, we use the Privacy Shield, then we had to use standard contractual clauses, then a new set of standard contractual clauses were brought in because of most of the the old clauses predated the GDPR. So we’ve had to change again. And all of that is cost and administrative time. And I think that’s commercially a frustration. So where organizations can sort of think, actually, we now have a robust mechanism in place, we will benefit from this, it will be efficient, and it will be cost effective for us because we won’t be having to change it, then they’ll use it. And I think, yeah, that will allow for data to be housed in the US or should allow for it.

Jodi Daniels  12:30  

You bring up a really good point, ask them very tired clients, and I, I hear the frustration all the time and confusion. Which one is it? What am I supposed to be doing? I’m excited to see how this will play out as well? Hmm.

Justin Daniels  12:44  

Well, you know, Rohan and Jodi, I kind of have a different follow up question. And it’s this. So GDPR came out, what was it 2017? It was affected 2018.

Jodi Daniels  12:59  

So not have your coffee today?

Justin Daniels  13:01  

Clearly, I need some coffee. And all of these laws are predicated upon the EU ability to enforce these laws. So Rohan, I was wondering if you could talk a little bit from your perspective in London, about the history so far about enforcement, some of the fines because you know what, if I’m Facebook or Google, that seems to be one thing, but let’s say I’m a mid market company that is multinational. And I say, well, Rohan, I appreciate what you’re saying, Jodi, I appreciate what you’re saying. But, you know, what’s my real risk here in terms of

Rohan Massey  13:36  

enforcement? Yeah, great question. And look, I think we’ve seen over the last five years, certain trends developing within the enforcement actions taken by the DPS. Now, we know that if there’s 1.2 billion, I think in fines issued under the GDPR, at the moment, maybe a bit more, sounds like a huge figure that’s 1.2 billion in five years, but then you do the breakdown of that. And it’s made up mainly of like 99%. There’s three major fines, Amazon, Google and Meta. This is kind of thematic there of where those organizations originated from and the sector in which they are right. And also the size and scale of those businesses. Below that there has been far less financially sanctioned or sort of headline figure enforcement actions. There have been some we’ve sort of seen, you know, 40, odd million for H&M, we’ve seen a data security fine for a BA that was in 20 million, so they’re not insubstantial figures. But in in relation to the amount of data being processed and bank data being transferred. We’ve seen very little at the high end of the potential sanctions. What we’re seeing far more up from the regulators now is actually focusing not so much on these big fines, but on taking what we call the sort of additional measures they can actually say, right you have to stop processing because, for example, your international transfers are not valid. Therefore, you can’t make that you can’t implement that process. So you have a stop processing order. I think that’s far harder for an organization to deal with. Yeah, if you, if you have, you get a big fine, it probably makes for a bad week, bad quarter, possibly a bad year, depending on the level of fine. If you get a stop processing order, you will probably be given three months in which to rectify, which is an incredibly short time. And if your entire business model has been constructed over a long period, with certain mechanisms in place to pivot those in such a short time, is, you know, incredibly challenging and could actually be fatal to the business in a way that a fine is. And we’ve certainly seen regulators going more and more down this additional measures route. The road, I want to

Justin Daniels  15:55  

kind of reinforce what you’re saying there, because as you know, in the US, we’re now up to 12 privacy laws that have been passed. And usually the big road to here is is there a private right of action or not? And that’s an imperfect solution, because normally, the only people who benefit from a private right of action are the class action lawyers, not the three of us who might get $2.97, for whatever happened. But you bring up a really interesting point, which I think you’re saying is if the regulators say, You know what, we’re not going to fine you, but we’re going to make it so that if in three months, you don’t figure out how to process this data differently, or do it properly, you’re just not going to process it. And then that’s a potential huge issue for the company. But as part of that is do you think that there are enough resources that the EU has to enforce the law? And if not, where did they get the money in really constrained budgets across pick your country, including the US to have the necessary resources to make all the rules we’re talking about today and more broadly, on our show, really have

Rohan Massey  17:03  

have teeth? Yeah, it’s a challenge. It’s always gonna be a challenge. I don’t think any regulator will ever tell you, they’ve got sufficient resources and visual firepower to take on, you know, to take on the scale of what they’re trying to regulate. But what if we look at all of the regulators across the EU in this space, the data protection authorities, they have all grown significantly in the last five years. Now, they have all got far better resourcing they’re getting far more efficient and working together, working together on a coordinated basis. So we’re seeing, I think, far better enforcement by the regulators. Have they got the ability to do everything? No. Are they always going to pick their battles? Yes. The UK ICO, John Edwards has made very clear publicly, His target is harm, right? He is looking, yeah, if there’s a missed I don’t or Miss T cross somewhere with somebody’s record of processing, that’s not going to be his big area of focus, where he seen real harm in data protection, you know, non compliant, that’s where he’ll be focused. And where that, you know, the bigger the scale, the more people impacted, that’s probably going to be, you know, another one of the criteria for targeting, I would say,

Jodi Daniels  18:13  

a lot of the focus is often on consumer data. However, employee data is also in scope. Can you talk a little bit about how HR data is treated under the data privacy framework? Sure. So

Rohan Massey  18:31  

HR does have a specific focus and is called out under the framework. I think one of the reasons being that HR data has always been, you know, one of the sort of main streams of transatlantic data flows, because there are so many multinational organizations headquartered in the US, that for commercial efficiency and simplicity, like to centralize their HR data, it can be used for many functions, talent management, payroll, efficiencies, etc. So that data is centralized. Within that data is usually quite a lot of sensitive data. And by that I mean data relating to, to race, ethnicity, medical conditions, sex life, and sexuality. Criminal convictions, or trade union membership, religious or philosophical beliefs, because that’s what you can have in an HR file. So you’ve got quite a, a sensitive dataset from the start. And it’s a it’s one of the ones that we’ve seen historically, that organizations really for commercial purposes, rather than for necessity, yeah, they could leave it in the UK or the EU or the EU and process it there. But it’s more efficient if they can sort of coalesce it and centralize it. And so for this reason, we’ve seen a lot more focus on the HR data. When you’re making your certification. You can do it for either HR data or HR and non HR data. So it’s called out that way and it was always called out that way under the previous frameworks as well. And one of the key areas is like if you’re doing In that it’s making sure that all of your employees know what data is being centralized, why it’s being centralized, who it’s being shared with, is it being shared with local insurance and benefits companies or payroll providers, all of that information needs to be clearly communicated back. And I think that’s one of the concerns is, it’s always great to centralize your systems, but it’s because it’s not a necessary requirement. And it’s really just a commercial efficiency at position that you’ve got to begin making sure that employees are clearly aware of what’s happening with their data.

Jodi Daniels  20:35  

Thank you for clarifying. And that makes a lot of sense. Transparency notice was important.

Justin Daniels  20:44  

So some people say that because there’s been Schrems I, II we’re gonna get I guess it’ll be the trilogy, we’ll get Schrems III. And there’s no point in certifying, so what do you what do you say to companies who that’s their thinking at the moment? Yeah,

Rohan Massey  21:03  

interesting challenge, I think we will get Schrems III. Question is where the Schrem III will be successful as Schrems I and II. Now, the sequel? followups always challenging. Right. And so it will be I mean, I think we have seen sort of significant steps forward, looking at the executive order, looking at the new quarter address that’s been established in the US. Just taking those steps, I think is is pretty significant, because that is those two steps, were totally focused on the issues that came out as frames one and two. And the challenges that have come up before that Now, will this be the perfect solution? It’s already had its doubters and its critics in the European Parliament wasn’t fully supportive as the as the draft adequacy decision was going through. But it’s a step forward. And, you know, we’ve seen that the EU commissioner saying, Well, look, let’s give this some time, let’s see how effective the redress mechanism actually is. In practice, before, you know, we’re looking for the court to challenge or expedite any challenge that’s filed with it. Let’s see if that what we’ve got in place now. And with the changes that are made, actually worked. Now, I would be hopeful that it can be I think there is a great political desire on both sides of the Atlantic to ensure that this framework does succeed. And it’s not just the EU, because we know that the UK is going to tag on the back of this thing is we’re now no longer a member of the EU, and Switzerland will will just let me know, again, use it as a linking mechanism to leapfrog on the back of data privacy frameworks, I think it’s really important politically, that we have something in place because the uncertainty that was created both when both trims prior cases were were successful. And you know, we lost the Safe Harbor, we lost the Privacy Shield, it did throw organizations into a period of instability. And so if we can get longevity with the framework, it’s going to be helpful for businesses. And hopefully there’ll be, you know, I think, at the end of the Privacy/He, with that 5300 US organizations signed up, they’re hoping that the robust nature and the longevity of the framework will mean that far more US entity sign up to the framework to the new framework, which really, I think will be a helpful thing, because it does make data flows far easier.

Jodi Daniels  23:26  

We always like to ask all of our privacy professionals who are likely thinking about privacy all day long, just like we are when you were out what is your favorite privacy or security tip that you might offer?

Rohan Massey  23:41  

So I was thinking about this, that’s a good one. My favorite thing that I do at the moment is whenever I sign up for anything new, my username is usually linked to the service that I’m signing up to. So let’s say I’m signing up to Joe Sandwich Shop, my username might be Rollin Joe Sandwich Shop Massey. And then I get to see where my marketing emails come from, which is usually quite interesting.

Jodi Daniels  24:06  

That’s a very creative tip. I like that one. I haven’t heard that one yet. Like it.

Justin Daniels  24:10  

But what but Rowan, what email do you use? Because they’re gonna send it to that? Are you creating like a new email or?

Rohan Massey  24:17  

No, no, they send it to that, but then always address it with your username. So it comes through with Hey, bro message of a sandwich shop, but it’s for a totally different product.

Justin Daniels  24:26  

Right? Okay. So you’re able to, you’re able to trace who they’re sharing or Okay, got it? Yeah. That was a novel tip. I know. I haven’t heard that. We’re novel tip. Whoo.

Jodi Daniels  24:37  

Thank you. As we learned last week, and then we share and then everyone listening gets to learn something new. Indeed. All right.

Justin Daniels  24:46  

So, Rohan, when you’re not advising on global privacy and cybersecurity issues, what do you like to do for fun?

Rohan Massey  24:55  

In London? Yeah, maybe not as much in London but something else saved up recently, which is cold water plunging. So basically I immerse myself in freezing water like many athletes do at the end of their training sessions. I’m not an athlete, though, but I do throw myself into freezing water, which is very good for my nervous system. But it also clears the mind very quickly of anything that may be troubling me, or any privacy issues I should be thinking about and want to clear out of my mind.

Jodi Daniels  25:24  

There, I asked how long these plunges last, how long do you have to do it to get a clearer mind?

Rohan Massey  25:31  

To do it to get a clearer mind about five seconds, but I’m up to about five, five and a half minutes at the moment.

Jodi Daniels  25:37  

Wow, I don’t I’ll call this a spotter about two degrees. I think I read last about five.

Justin Daniels  25:47  

And it’s like in the winter when people will go on the plunge and rivers and whatever. And I call those polar crazy people. Okay, well, I guess they’re just polar, different people from you.

Jodi Daniels  25:59  

Well, Rowan, this has been very educational and insightful. We’re so grateful that you came if people would like to learn more and connect with you, where should they go?

Rohan Massey  26:10  

In terms of website, RopesGray.com. My bio is on there. And I’m more than happy to answer any questions that people have.

Jodi Daniels  26:17  

Wonderful. Well, thank you so much. This is definitely a fast and complex topic that will continue to evolve.

Rohan Massey  26:26  

Great, thank you very much for having me. It’s been a pleasure.

Outro  26:33  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.