Part 2
What does your country see as the most significant challenge or challenges facing organizations seeking to transfer personal data to third countries?
OK, the most significant challenges when it comes to transferring data to third countries is, are they protecting it? Do they have the cybersecurity regime in place to protect the kind of data they’re working with? We see that a lot with the European clients asking us that. And we’re also seeing a lot of information governance type of questions coming in from European finance. I think that’s going to be the most significant challenge because there are regulatory regimes everywhere in the world. And the No.1 complaint here in the US, and I’m sure that that the European attorneys, my counterparts in Europe, face the same thing, is how do we meet all these regulatory requirements when there’s so many of them and there are so many opportunities to get it wrong?
The fortunate thing about it, from my perspective, putting on my technology hat and putting aside my life being an attorney for a moment, is that many of these regimes overlap. So where you have GDPR or HIPAA, they all have that special category data that the Europeans call it, or we call it, healthcare information. We can all agree that there’s certain processes and protocols to protect that data, transferring that data, limiting a liability around that data. And the nice thing about it is all three of those aligning over top of that. So if you could build towards the most stringent model, that’s the direction to go to because then all the other models fall. And I think that’s the most significant challenge is getting all of those regulatory requirements to align and then create a vertical for it.
Considering all of the regulatory diversity, what should we focus at to stay compliant globally?
Stay compliant globally is a constantly moving target. Definitely stay proactive, definitely get involved with vendors that are putting on seminars or learning seminars or classes about privacy and privacy regimes and what’s coming up on the horizon. For instance, one of the things that I see and I’ve read about the Europeans who have already published is they’re planning to regulate AI models. And I’ve started reaching that topic with many of my clients. And the answer I get is, no way that’s never going to happen, we’re never going to see that day. Well, that day is coming. Unfortunately, that day is coming and being proactive towards it is a much better position to find yourself in than being reactive, because when it does get here, it’s going to be quite shocking. The things that I have read in the proposed legislation are things like you have to disclose your algorithms, your inputs in your outputs, as well as your algorithms and what it’s doing. That’s very shocking to a lot of American companies because that’s sort of data considered the trade secret. If we reveal that, then we don’t have a trade secret anymore. Our company is no longer valuable because anybody else can go and copy it.
The other thing that I see is certification requirements, where you have to certify with a state regulator before you can market your product in a year. We just don’t have that here in the US. If you have an AI model, I can put out an AI model today, whether it works or not. Totally different story is how it works. Never have to tell you that unless we go to court and I definitely don’t need a license from a regulatory body to advertise it. So it’s a little bit shocking when I bring that up to many of my clients who are in AI technologies and they say, “well, wait for a second, this is nothing like what we’re dealing with here”, and I have to remind them, well, welcome to Europe. That’s how they’re doing it. That’s the direction they’re going in. So being very proactive and at least looking at some of the legislation coming down through the regulatory bodies and what they’re talking about is the best way to stay compliant on a global scale. You’re never going to be 100%. But at least like I mentioned, with the policies and the processes, if you can get the most stringent, everything else seems to align underneath it.
How do you see US regulations developing?
Great question! So what I see is a very great difference in the way the Europeans view data and the way the US views data. So the Europeans have almost what the Americans would refer to as “intellectual property right” for the data subject. Here in the United States, the data subject is considered to be abandoning that property. So the difference is, I’m still creating data, I’m under both models, no matter what I do, whether it’s the Internet searches or walking around with my cell phone or texting or using an app or whatever it happens to be, that’s collecting my data, I’m still generating that data. But under the European model, I have a right in how that data is used, transferred or processed beyond that point. Here in the United States, our view is it’s sort of like putting your trash on the curb. You don’t want it anymore. Anybody can pull up, take it, sift through it and do whatever they want to do with it. So that’s the big difference between the two countries. Here in the US we have a couple of models that are trying to catch up to the European model. And most prevalent is going to be CCPA. We have a couple of other states that come in there as well and try to protect consumer data. We’ve never done it nationally. Not really. Not to the extent that the Europeans have. And I think there’s a lot of tension between private industry and Congress to come up with that. So on the private industry side, you have people who are doing targeted advertising or some kind of data processing, and they’re running into all of these very local rules like CCPA in other states and they want Congress to take action.
On the other side of that, you have people who are data brokers whose sole business model is to go out and collect consumer data and sell it to anyone who can buy it. And do whatever they want with it. They don’t want Congress to act because that would ruin their business model that pretty much put them out of business. The problem from the consumer side is as long as that person who bought your data isn’t doing something illegal with it, like trying to open up credit accounts or cyberstalking or anything like that, there’s absolutely zero regulation on what they can do with that data, who they can transfer it to or anything, any kind of processing right. We just don’t have that here outside of CCPA and a couple of the local regulations. So I think in the future we’re going to see a tension kind of break because we’re going to start seeing more push from the consumer side, teaming up with the stateside to try to regulate this activity. And I think we’re going to see a lot more industries asking for clarity from Congress. I don’t think it’s going to look very much like GDPR in the sense that I don’t think the data subjects are going to have that intellectual property right. I think what it’s going to be is it’s going to be regulated on that. Again, the data broker, the client and the market side, so the business side and I don’t think we, the consumer, are going to have as many rights as we do in Europe.
It was a great pleasure to have a chat with Neguiel Hicks. If you would like to continue the discussion, get in touch with Mr Hicks on Linkedin.
Would you like to be our next interviewee? Get in touch with us via email: [email protected]