Episode 21: Data Without Borders: Navigating Rights, Regulations, and Sovereignty

Paul  00:20

Welcome back to the In:Confidence Podcast. I’m Paul McCormack, Vice President for Privacy Law Innovation at Privitar. I’m delighted today to be joined by Vivienne Artz OBE, an esteemed privacy professional, with many, many years of experience. And here today to talk to us about all things international transfer of data related. So Vivienne, thank you for joining.

Vivienne  00:40

Thank you, Paul. Absolutely. Delighted to be with you again.

Paul  00:42

Thank you and obviously, I think I’ve got probably more of a pleasure for you being here today. We go way back, a senior in different roles, different different capacities, both in the various committees that we’ve shared together over the years, but I think perhaps just kicking off today, the OBE, perhaps you can just before we get into your background talk to us about that. For particularly our listeners across the pond – what’s an OBE and did you meet the Queen?

Vivienne  01:10

Oh, fantastic. What a thrill it was to receive the email, I actually thought it was spam when I first received it. And I opened it in the evening. I saw it just before I was going to bed. And it was ‘Would you accept the honor of an OBE?’ And I thought well, why wouldn’t you accept. How absolutely super, so I was thrilled to be awarded an OBE – the Order of the British Empire which is given to civilians  for services, to financial services, and to gender diversity. So I was particularly thrilled with that double because the services to financial services was very much in my role as a privacy professional. So I see my OBE as being an OBE for us in the privacy profession. It’s actually almost a year since I was awarded my OBE. I was delighted to go to Windsor Castle, and I received my OBE from Princess Anne. Yeah, absolutely. Super. And yeah, so I walked, walked through Windsor Castle. And she was just incredible. Absolutely incredible. Had a great discussion. Asked me some really tough questions about privacy. Actually, I was very impressed. And so yes, I have my medal now, which is absolutely super. But it’s our medal for the privacy profession is my view.

Paul  02:28

Where do you keep the medal?

Vivienne  02:31

I have a photo of it just near me. But no, it’s actually very heavy gold. It’s supposed to be insured, so I keep it somewhere safe.

Paul  02:41

It makes it interesting. And obviously, for Vivienne, I’m sure many people will know who you are. But for those that haven’t had the pleasure of meeting yet, perhaps you can give us a bit of background as to your journey to privacy.

Vivienne  02:56

Well, I started off as a lawyer, I wanted to do intellectual property. And then I ended up doing technology because I wasn’t a pure scientist. And I didn’t want to do copyright for the rest of my life. And then I went in-house, which I think was the transformative experience for me. Because technology became digital, and data protection kept dogging me, wherever I went, there was data protection. And I always got people to do data protection. And then they always kept handing it back. I was a bit miffed about that, I’ll be perfectly honest. But then I discovered and that’s where we met some of the industry bodies. So London Investment Banking Association, British Bankers Association, and they had policy committees looking at data protection. And that actually was where I was inspired, because suddenly I had the opportunity not to just advise and operationalize in relation to privacy. But to think about what does it mean, what does it mean to business? What does it mean to individuals? Is the legislation and the policy and the regulation heading in the right direction? Are there unintended consequences. And so that really put me on that journey with data protection. And as an opportunity, I’ll be perfectly honest, also leverage my degree, which was philosophy and theology, and what is the biggest topic in privacy ethics? So absolutely, super. So that really, that policy thought leadership piece is what really inspired me. And then I become a chief privacy officer in different organizations, I now have a portfolio career. So I sort of think it’s cherry picking the best of all worlds. So I’m a non Executive Director. I’m a board advisor. I’m a privacy policy and data strategy, expert and advisor. And so I have the opportunity to work with lots of organizations and people to help them to discover what privacy and data mean for them, how to get the most out of it, and also how to do a really good job at it.

Paul  04:48

Yeah. Obviously, it’s incredibly complex and is becoming more complex. I’m keen to pick your brain today really about thinking about the theme of moving data across borders. It has been an issue for many years, cross sector financial services has been a big burden, obviously, as you know. But I think when we think about why companies actually do this, what’s the value that companies actually are looking to deliver a drive from, from getting data across different jurisdictions? Of course, what are your perspective on the current play of international transfers of data rules to the UK? And beyond? What are you seeing? What are you experiencing in these different roles that you’re sort of now embarking upon?

Vivienne  05:33

Absolutely, I mean, it was truly the topic du jour. And one of the roles I’m absolutely thrilled is on the UK Export Council advising UK Government on their international data transfer strategies, which is a tremendous privilege and also to be with really amazing thought leaders from across the globe. But data is our lifeblood, we are digitizing and undergoing digital transformation, we are having so many businesses that are born digital, and digital data tends to be borderless. And if you think about the blockchain, and so on, it is borderless by default. And so we have to not only accept but work out how do we live with the reality of data crossing borders, and are those borders, ones that should be there. Because let’s face it, most of them are geographical and jurisdictional borders. And we are throwing up lots of barriers. There’s a real move toward data localization, and lots of challenges around sharing data, we need to share data, to innovate, to learn to connect with our families, to enable government to enable business, all of these things. And in order to do that, effectively, we also have to have trust and to safeguard that data. So I think in the UK, we have a very clear international data transfer strategy, UK Government wants to make more adequacy findings and decisions. But they’re slow, they’re very, very slow. And it’s great that we have adequacy now with the EU. But on average, it takes about two years for these adequacy decisions to come through thinking that there’s 190 plus countries in the world. That is a very, very slow process. And so I think we need to think more creatively about how we address international transfers. So I think there’s a bit of concern that’s been expressed, because the UK is also updating its data legislation, we’ve got the DPDI, the data protection and digital information bill that is being re looked at. Lots of companies have have submitted comments to it. There’s a concern that if we change too much, maybe we’ll lose adequacy. I’m much more optimistic, you know, I think we should be looking at outcomes, not the process. And I think the UK is very focused on building trust and making sure that we have a trusted environment where we really use data in an innovative and responsible way and in an accountable way. And that’s reflected in the DPDI provision. So I’m optimistic, I think it’s, I think it’s going to be fine. But what we really need to do is think more broadly beyond UK and EU, and actually, to the international transfers that we need with the rest of the world.

Paul  08:27

I think on that note, it’s interesting to see the way that the UK and the EU have, I guess, particularly the UK are looking at this, you know, post Brexit and everything else. But I guess part of the challenge is in what do you think is the reason for this localization, data sovereignty sort of driven agenda across different jurisdictions? Is it politically charged? Is it economically charged? Is it a genuine desire to actually protect the rights and freedoms?

Vivienne  08:56

You’re absolutely spot on! Actually, we did a paper at international regulatory strategy group, which is available on our website, looking at the phenomenon of data localization, because I think often people think it’s a privacy issue. It’s partly a privacy issue, but not solely, and that isn’t the only driver. Outsourcing restrictions, you and I know this banking secrecy rules requiring, you know, hard copies to be kept in situ. Why? In a digital world where you can copy things many times or you don’t actually have to hold a hard copy where we’re trying to get away from paper because of environmental concerns, and so on and so forth. Why do we still have to keep a copy in a particular jurisdiction? I think a lot of it is also driven by a desire to encourage jobs to stay at home to foster talent to foster skills. But is that really the right mechanism to do it? And yes, it’s protecting data. Sometimes regulators feel that if they have physical access, they can have more control. But I’m not so sure. So we did explore the phenomenon of data localization and there’s definitely an element of it, which is political as well. So it’s multifaceted and complex. But I think we should be in a solution focused mindset, which is, well, let’s look at what those individual concerns are, and actually find a way to address them. Which doesn’t mean localization, because the studies are showing that localization is not good for the economic health, the social development, the innovation, and for businesses to thrive in those jurisdictions that pursue it.

Paul  10:39

Absolutely. I’d like to explore that a bit more. But before I do, what I mentioned, to sort of perhaps move to taking sort of a more detailed step into is transfer investments and generally getting data out of the EU in the UK. I’d like to come back to perhaps on talking more about are good practices actually out there of actually looking at getting data across border, other jurisdictions are actually pioneering the openness to share data, rather than seeing it as a, perhaps a sovereign asset to sort of preserve economic growth and other things, trade aspects are sort of, I suppose, go behind why they may want to restrict movement of data. But I guess, when we think about the direction of the UK, the EU post-SCHREMs to transfer impact assessments it’s been talking to that what’s what’s been happening potions to with TAs and supplementary measures for those that may not be incredibly familiar with it right now. And what do you think is the current status quo, I guess, of the potions to era?

Vivienne  11:46

Gosh, it’s like GDPR 2.0 isn’t it in terms of the papering so there’s been so much activity post-SCHREMs to to do the transfer impact assessments, so to assess, you know, what is being transferred, to whom, in which jurisdiction, and the real challenge there is, is not assessing the risk and mapping the data flows, which is really tough, actually. But it’s how do you do an assessment against another jurisdiction as to whether or not their laws are sufficiently suitable for you to transfer data there, and I don’t know about you, but I’ve actually looked this up. And, you know, if you look at some of the websites, and they direct you to, you know, treaties and MOUs, there’s not enough detail in there to make this decision. And what really concerns me is that if large, sophisticated organizations with mega compliance departments and legal departments are truly struggling in this regard, where does that leave SMEs, which a 99% of businesses, just without a chance at all? So I think, you know, the, the diligence around data mapping, understanding where your data is flowing, and making sure you’ve got proper governance in place is great. But do we need to be doing the sort of case by case manual TIAs, particularly for transfers at scale? How does that work for smaller or less complex and less sophisticated organizations? And what benefit is it delivering other than an enormous amount of paperwork that you’re going to have to keep up to date day in and day out all the time? And is that leading to technical compliance? Or is it actually leading to practical compliance. And I’m a real passionate believer in, you know, it’s not about the process, it really is about the outcome. I feel very passionately about privacy. You know, personal identity is important. Protecting your data is hugely important. But we need to be thinking about what are we protecting the process or the people. So I think that where we are with that mechanism is it’s going to reach a breaking point of it hasn’t done already. And it’s going to force us to start looking at the bigger picture. And that’s where we’re coming to, I did another paper actually, in conjunction with KPMG actually, looking at the future of international data transfers, and recognizing adequacy is great, but too slow. There are other mechanisms or cross border privacy rules, real potential there, but still a long way to go. And that’s and that’s very business to business. We’ve also got MOUs and umbrella agreements between governments, which are helpful, but again, they’re quite specific, you know, government to government, court to court, regulator to regulator. There’s nothing really holistic. And I think that’s where we need to get to is this new sort of Bretton Woods on data, this new international standard? And the question is, and for me is this an international standard or a rule that feels like law? Or should we be actually looking at something that is not law? That is a standard, like an ISO standard? And or is a technology solution as well, because I think we’ve tied ourselves up in knots with the legal piece. It’s important. We’ve learnt a lot on that journey. But I think we’ve also learnt that it leads to inconsistency, potential conflict, difficulties and implementation, huge amounts of liability, de-risking real concerns over what it’s gonna cost in terms of reputation as well, maybe it’s not the best solution, maybe it’s part of the solution, but not the sole solution.

Paul  15:45

Incredibly interesting. I think you mentioned a few things there about initiatives like the cross border privacy rules, other perhaps MOUs and other agreements have potentially could be important in the future. Have you seen any good examples now?

Vivienne  16:08

Yeah. I mean, wasn’t that groundbreaking when the OECD issued their principles in December on government access to data, absolutely unique for a number of reasons. And I know a lot of people say, “Oh, well, it’s only 38 countries”. And it was good that the EU was involved. But you know, it’s not everybody. But the important thing is it’s a starting point, they’ve actually put a line in the sand. And they have been transparent about why government accesses data, and the basis on which they access it and setting out what are the rules that they should follow in order to access data in a fair and trusted way. And some of that has been available on a country by country basis. But it’s the first time that governments have come together to talk about that issue as between themselves. So for me, I think that that is just an enormous step in the right direction. All of this is a journey. And it’s a brilliant line in the sand that we can start from and to build on and to do more with. The other one, of course, is the data free flow with trust, which has been championed by the Japanese in the G7 and the G20. Again, really getting leaders, politicians, policymakers to think hard about we need data to flow, how do we get it to flow with trust, let’s start working together on a solution, as opposed to comparing yours and mine, which is better, which is different, which covers more, which covers less. That conversation, I think, is unhelpful because we will always find differences. We have different cultures, we have different legal systems, we have different ways of doing things. And I think what we should be doing is focusing on what are the shared values? What are the shared objectives? We will all get to it in a slightly different way. But how do we get there together?

Paul  18:10

Yeah, that’s absolutely key and I guess, thinking about the spirit of collaboration, and generally, where we’re going with international movements, I mean, what about the UK and EU discussion with the US? I mean, how, what are you seeing there? How’s it going? Are we seeing Privacy Shield 3? We’ve seen the relevant agreement coming through? I mean, what’s the current state of play there? And do you think it’s going to be a viable, long term solution?

Vivienne  18:43

We mustn’t be negative, we know it will be challenged, of course, it’s going to be challenged. But isn’t it interesting that they’ve changed the terminology around it. So leave Privacy Shield behind, never really understood Privacy Shield as a terminology, it sounds like something out of a Marvel comic. But the data privacy framework, I think, better articulates what it is, it’s when you have a framework you can build on it. When you have a framework, you can you can adjust it as you need as things evolve and develop. And there’s actually some interesting papers out there, which will show you you know, what was in the Privacy Shield and how that’s been changed by the framework. So you can see what stayed the same and then what has been changed in order to address the concerns raised by the SCHREMS II to decision. So I think they’re making great progress. Obviously, the commission has announced their view. It’s now with the European Data Protection Board, and then we’ll go to the European Parliament, and then the members council for their opinions. And then we’re hoping by q2 middle of this year, to have a final decision. So will there be detractors? Yes. Will there be promoters? Yes. Which side of the fence are you going to be on? But I think We need to be looking at alternatives and options and those, you know, holistic, broad mechanisms, I think are what we need, in order to recognize the different flavors of business different ways of doing things where everyone can find a way to comply, you can sort of join a compliance mechanism, so to speak, as opposed to having to have to fit into something that’s being imposed on you. And I think that framework is a really positive step in the right direction. I hope we don’t come up with a version four but we, what we do is we evolve version three, if we need to

Paul  20:39

know instantly how that plays out in practice in Germany, when you think about what you will see lived, the original agreement was in practice shield, nursing this direction, I think they say, clearly, there’s gonna be some naysayers who are gonna be some positive messages and adopters to it. I think, obviously, the proof will be in the pudding. For sure. And yeah, but I think hopefully, it’s a step in the right direction.

Vivienne  21:10

I think so I think so. And actually, I did take a note down from Vera drover with regards to the proposed data protection framework, and she said, it is a necessity, not a luxury in the increasing, increasingly digitalized and data driven economy. And I think that’s really important, because it’s an acknowledgement of the reality. So you can sense that, okay, we’re not going to fight against the reality, we’re going to find a way to address how our world is changing, which I think is so hugely important, because if you just look at the volume of data flows, the volume of data flows between Europe and the US are the largest in the world. So you have to find a solution, you cannot leave people, governments companies without a solution. Because in the end, what you what are you doing, you’re promoting a culture of non compliance if you do that. So, you know, I think we all need to play our part, to find those solutions in lots of different forms and formats. So that we can actually do the right thing. But it’s important to, it’s important to provide challenge, perhaps a little bit less of the endless picking, because I think the UK is very ready to follow and has been progressing discussions with the US as well. So, you know, fingers crossed that as and when the EU us arrangement is finalized, that we will hopefully see a US and UK arrangement following swiftly on.

Paul  22:41

Amazing, amazing, it’s great to hear, obviously positive steps forward. But let’s think about then it for data leaders and those in companies that are looking to actually try and digest this myriad of requirements, changing legislation, different agreements, sort of progressing to sort of hopefully, unlock the ability to move data across border, but also those restrictions that prevent the movement still in the lesson different jurisdictions around the world. What should they be thinking about when it comes to cross border transfers of data and, and this space at the moment? What are the key message? Do you think that they should be starting to consider and start to, I guess, operationalize within their businesses?

Vivienne  23:24

Well, you know, I take heart, the GDPR and other legislation generally follows a risk based approach. And I think that’s what we all have to do. We all have our own reality, our risks are not the same at all. And I think that following having a strong data governance framework is just so hugely important. You have to understand what data you have, what do you use it for? Who do you share it with? How sensitive and important is it, and then take the measures accordingly to address that. And, you know, we’ve learned a lot from the process that we’ve been in for so many years, understanding, you know, records processing, and, impact assessments, all of that has helped us to better understand actually, what are the real issues here. But I think, you know, organizations need to come to their own decision. And I think the accountability framework, the UK, for example, has issued the UK ICAO and accountability framework, central Information Policy Leadership was was first off the blocks with their accountability framework, those sorts of mechanisms, which help you to think about what are the risks? How do I address them? And how can I demonstrate that and how can I test it as well, I think are really powerful. There is no one way to do this. And if you are an organization that operates like most of us even SMEs in an increasingly globalized world, let’s face it, you can’t comply with all the laws all the time. So you’ve got to come to a conclusion about what works for me. What do I feel comfortable with talking to my board about talking to my customers about talking to my stakeholders and investors about do I feel comfortable and confident that my approach is one that will stand up to challenge and that I’ve addressed the risks appropriately. And as it’s less box ticking and more outcome focused and taking responsibility. I think that’s a lot of what the DP did in the UK is trying to do. I think there’s concern all you’re taking away some of the structures, actually you also empowering, it’s not the structure that makes you compliant. It’s what you’re doing about it, it’s the outcome. So take some responsibility and do a decent job

Paul  25:39

promoting most outcomes. pragmatism, especially focusing on the key value drivers when you’re trying to suppose comply. Sounds like a really, really important way to think it’s been a challenge for a lot of companies with a gold standard. And hopefully, compliance I think, is in arguably an unachievable, unattainable target. I think it’s, I think that

Vivienne  26:04

sort of binary language is also really unhelpful. You know, I’ve worked in organizations where it’s a yes, no, yeah. And it’s, you know, it’s never a yes, no, it’s a spectrum of risks. And we need to get comfortable with that. And I think we’ve reached a stage with all the different countries in the world now, you know, over 70% of countries have data protection legislation, where we recognize the complexity, and actually, we need to start having a much more mature and sophisticated discussion around what does that mean? And how do we how do we address that in a responsible way? And, you know, I think it’s, I’ve always found it quite frustrating when people say, Oh, tell me how show me how is that? Well, you know, this Oh, much out, there are so many tools to help you do it. Now, you need to do the doing as well. There’s there’s two parts to it, the rules, the guidance, the tools, they’ll all help you. But actually, at the end of the day, it has to come down to your own decision and taking responsibility, how to be fair, how to be proportionate, and how to be responsible.

Paul  27:07

Amazing. And I guess, speaking of tools and technology, what key role do you think technology’s going to play when it comes to navigating this landscape? And suppose enabling dailies as well to unlock the value of that data? I mean, what what’s out there right now, anything can help people.

Vivienne  27:27

I think technology provides us with a challenge. But it also provides us with some extraordinary solutions. And technology, if used correctly, can actually transcend I think, some of those legal challenges we have. So I’m a real fan of the growing area of privacy enhancing technologies. It doesn’t remove privacy, you already want to remove privacy from the discussion. But what we want to do is think creatively about how can we really support privacy principles in a creative way, which can be legally neutral. I think that’s a really interesting thing about technology is that there is an element of neutrality about it. So you know, technology can help with security. It technology can help with confidentiality, technology can help with access to data, absolutely extraordinary. And it can do so without having to have to directly align with specific words in a legal text. If the outcome is the right outcome, then you can transcend those jurisdictional and legal boundaries with a solution that gives you the result that you’re looking for. So I think it’s an area that we really need to be thinking more creatively about, because in all of these policy discussions over the years, if there’s one thing we’ve realized, and I remember thinking, Oh, wouldn’t it be wonderful if most countries in the world had privacy laws years and years ago, and the now that we have most countries in the world with privacy laws? I keep thinking, oh, gosh, I don’t believe I wished for that because it is now so complex, so complicated, with so many inconsistencies, actually, it’s ghastly. So maybe what we should be thinking of is those neutral ways through and I think technology offers us a real opportunity, that

Paul  29:12

fabulous, fabulous Look, they’ve been incredibly interesting. Thank you for sharing your insights today. We’ve got a lot to take away. There’s a lot coming down the path and I just thank you for joining and sharing your insights with us on in confidence. Paul,

Vivienne  29:26

it’s been an absolute pleasure to see you and it’s so nice to speak with you again.

Paul  29:31

Thank you everyone for listening. Join us next time for The InConfidence podcast.

29:36

No matter where you are in your data journey. Privitar is here to help. Privitar empowers organizations to leverage their data to innovate faster, while protecting the privacy of individuals at massive scale. Privitar is unique in combining technology, thought leadership, and expert services to help your data operations thrive. Want to learn more? Our team of experts is ready to answer your questions and discuss how data privacy can fuel your business. Visit Privitar.com.

Thanks for listening to InConfidence brought to you by Privitar. To hear more insights and advice on how to effectively use, manage and protect your data, subscribe to the show and your favorite podcast player. If you liked the show, leave us a rating. Join us for the next data conversation.