September 29th, 2021:
Ingrid Silva Pino is a Data Specialist who gave up on being a lawyer to advocate for better Data Visualization, since a pie chart stole her lunch money. She eventually reconciled her Law background with nine years of experience working with data and assumed the role of Data Protection Manager at Dentsu International in the Netherlands, where she helps the company with GDPR compliance.
Privacy survey - Digital Analytics & Governance Report
LGPD & GDPR - What is the LGPD? Brazil’s version of the GDPR
Threefold Perspective - The future of data protection: a threefold perspective on GDPR
Guardian Article - UK to overhaul privacy rules in post-Brexit departure from GDPR
The First Public Civil Action - LGPD: Judicial Decision with a Retroactive Enforcement of the Law
LinkedIn - Ingrid Silva Pino
LinkedIn - Mike Fong
Welcome back to our fourth episode of DataChat Live, where data lovers talk governance, validation, decision-making, and today - Privacy. We are excited to have a couple of experts join us on this podcast today, Mike Fong, who is with us with ObservePoint in EMEA based out of London, and then Ingrid Pino. And I will pass it over to Mike to introduce himself and Ingrid. Thanks Chris. Yeah, so it's great to be on to join you today. Just a bit about me, I started my career as a data analyst and then, I get itchy feet, so I just moved around. So in that time I've had digital analyst, customer success, CSM, sales, solutions engineering, and now somehow landed in the product team. But I think really just approaching anything you deal with with positivity has always been what I've tried to contribute more than anything else. That's a bit about me, so Ingrid I'll hand over to you. Thanks, Mike. I'm really excited to be here today. Thank you all for inviting me. I'm Ingrid Pino, I'm a Brazilian living in the Netherlands and I work as a data protection manager. So, talking about data protection, privacy, LGPD, GDPR, that's part of my work. I have a background in law, but for the last nine years I've been building a career in data and marketing intelligence. So that's a perfect fit to talk about data privacy. We were very excited when Mike met you and we made the connection there. We already had on our agenda talking about some of the privacy laws across the world, so having you join us as an expert and someone who works on this every day, that's great. One of the articles that actually sourced from that article was a study that was done by eMarketer that was talking about this advertising sentiment and ROI. That sentiment on different channels was at an all-time low. And some of the things that I picked out from that were essentially what Facebook is working on, which is a leader in the space for a lot of digital advertising, they've been working on a new program.
And let me, let me see if I can find it here. It's called Private Lift Measurement. So Facebook's testing a solution called Private Lift Measurement with some of its partners, which employs secure multi-party computation, which allows advertisers to understand how their companies are performing, excuse me, how their campaigns are performing while limiting data sharing. So they're essentially trying to come up with a workaround here. I thought that was super interesting. You're having these third-party vendors and these large advertisers start to build out solutions to get around some of these privacy laws that are being created. Yeah, and I think what you're seeing is, especially I'm hearing it a lot with our customers that are using Facebook, is for so long that was done in the third-party context. And now a lot of that's going away with the way browsers are handling third-party data and Facebook's got to have a solution. They can't just say, well, now our ads and all of the investment you're profitable on, and the ROI has been drastically reduced. They just can't have that and maintain the model they have. So, by offering their own kind of secret sauce, I think that's one of the ways they're doing it. I'm also hearing that Facebook is being a big driver in pushing towards server-side solutions. We've talked about that on past episodes. So there, it's not just the analytics companies that are pushing for server-side implementation, also some of the bigger ad platforms that know they need that in order to do better ROI measurement. And that's a good point. And it's something that I think we're going to continue to keep our eye on. There's another article I think we talked about in the pre-game show here, how companies are trying to leverage TikTok. Ingrid, do you want to talk a little bit about what's going on over there and what you're seeing? Yes.
That's an article from Dutch News, and what's happening here is that TikTok is facing their second Dutch mass claim and it's about children's privacy. TikTok essentially has been investigated by the Dutch Data Protection Authority, and that makes a lot of difference for companies that don't want to risk their reputation with companies like TikTok that might not be processing people's data correctly, but also that's really complicated in the media world because we also cannot ignore TikTok as a social media force anymore. So clients want to advertise on TikTok, they want to be present, but we also need to make sure that we're being GDPR compliant, or that we're being compliant with any of the data protection regulations around the world. Yeah. So talk to us about how you moved, actually, that is interesting to me in general, how you moved from the legal world into the digital analytics world. And now you're having to balance the complexities of dealing with platforms like TikTok and getting pressure from your clients from your world to take advantage of these platforms. So talk to us about that transition. Throughout the years I've touched on some topics like intellectual property for dashboards or data privacy. And so there were intersections here and there. But the topic that I specialized in the most working with data was data visualization. And it was that topic, becoming a specialist in data visualization, that got me a job in the Netherlands, so I moved from Brazil to the Netherlands to work with data visualization. And I was really lucky because I moved around the time that GDPR was coming into force. So, because I had the law background and because I already had a few years of experience working with data, I was able to help my company as a translator because I could understand what the data people were saying and what the lawyers were saying. So that was the beginning of GDPR.
And the beginning of this transition, I'm not going to say I transitioned fully back to working with law because I still work mainly with data. But the beginning of the transition back to working also a little bit with the legal topics. And since the beginning of this year, I also have a role as Data Protection Manager, so I work with privacy and all the GDPR topics at our company. So that's how the transitions happened. So you try to get out of the legal world and now you just get pulled right back in. I was going to say, Ingrid, do you feel like law has pulled you back and your work-life balance is getting worse? Not really. Well, for a few years I was really against the idea of going back and working with it. I expected that not to happen. But the opportunity came and I grabbed it, because it was on something that interested me more, and I think I also had more maturity in what I was working on, feeling more confident in being a data specialist as well. So that's why the first move wasn't really planned, it was a bit by chance. It was just meeting people that worked with this and deciding to give it a try and making it work. But then the movement to work again with law-related subjects, more specifically data, that was deliberate. Like I saw the opportunity and I had the expertise and this was needed at the company. I had been seeing the changes that were happening in the world and seeing that this was an important topic and this was something that was becoming more interesting to me. So it had all the good chances for this to happen, for me to work with this again. So yeah, before we talk about and outline the differences between GDPR and LGPD, I just want to find out from you: when you were starting to work in your translation role and you saw the convergence of these two worlds, legal and digital, what were your thoughts initially and how did you see these two worlds coming together again, not just for you personally, but at an industry level?
Well, for me I was just very lucky to have some experience in both of those worlds. Because I saw that it was hard for the lawyers, even when they were already studying data protection for a bit, it was hard to understand the technical parts, and it was hard for the data people to understand the legal terms. So it was really great. It felt really great to be able to help with that. But nowadays instead of two worlds, I see more like a triple thing. And I even used the expression a three-fold perspective, because I see that we have to have three perspectives when we're working with data protection. The first one is legal: you need to understand what GDPR is, or LGPD, what are the legal concepts behind that? You have to have a technical perspective because you need to understand how exactly you're doing that data processing. And how can you stop the data processing if needed, and all of that. What are the types of data? What are the categories? And then there's the business side, because as we were commenting when we talked about the TikTok article, there's a business side of understanding what's in the game there, because it's not just a matter of stopping the data processing or knowing how the data processing should happen, but why the data processing should happen, and understanding the business reasons for this to happen. The goals for it, for the data to be processed, because it would be really easy, at least from a legal perspective, to just say, well, don't process any personal data. Easier said than done. Exactly, so there are those three perspectives, and I think it's really difficult to have them all in one professional. We try, but it's really difficult. So you should at least have people taking care of each of those at the company and making sure that these people are talking to each other. Yeah.
In a recent survey we did, I think it was actually mid 2020, we administered a survey and we'll link to it here, but there were a surprising number of enterprises that had not identified a clear owner of privacy inside of their organization. And I think a lot of people, like you're saying, they're wearing different hats and they're sharing that responsibility. But in a lot of cases, there's no clear owner because the responsibilities of the owner are just that. They're business, they're understanding the technology and then they're understanding the legal implications. So talk to us about GDPR and LGPD and the differences there. I think that LGPD has been enforceable technically for a year. We'll clarify exactly what that means, but talk to us first about the differences between the two different laws. All right. Well, I think the main thing to say is that there are more similarities than differences. That's a really important thing for us to say because the LGPD was inspired by the GDPR, like the text of the GDPR really informed how they were going to build the LGPD. But the other important thing here is that being GDPR compliant does not guarantee compliance with the LGPD. And you really need to understand which one is applicable. So both of them, and that's the similarity, both of them have a territorial scope, but with extraterritorial effects. What does that mean? It means that the GDPR has a territorial scope, that's the European Union, but with extraterritorial effects, because if you own a company in a different place, you own a company in the US but you offer services for people that are in the European Union, then the GDPR also applies to you. And that's the same thing with the LGPD. So you need to understand if there's an overlap there, if both of them apply, or if just one of them will apply to your company. So some of the other similarities are things like the subject rights, so those are very similar.
People have the right to consult, to correct, to erase or to revoke consent. They have similar rights about their own personal data. And also the concepts of controllers and processors are really similar, and the fact that they need to keep records of the personal data that they're processing. So those are all really basic concepts from LGPD and from GDPR that are really similar. But then there are the differences as well. Is there any difference in particular that you're more interested in that I should comment on first? Well, I would say Mike, you work pretty closely with a lot of our customers over in Europe, what are you picking up on the ground as far as some of the concerns they have between the two? At the moment the worlds aren't colliding yet in the sense that, I think there's a lot more overlap between European organizations who are our customers and US, and maybe there's a bit of overlap between US organizations and Brazil, those spheres of influence, right? But what I was going to bring as a question to Ingrid, is there any possibility of the extraterritorial overlapping, is there any way that someone can be a Brazilian data subject and a European data subject? And that would be pretty awkward for anyone involved, right? Yes. I was thinking more from the perspective of the company, because if you process data from both subjects from Brazil and from the European Union, then you need to be careful about both. And you're probably going to have to apply similar measures across your company. You're not really going to have a different system for Brazilians and for the data from Europeans, unless those are really being processed in different places. But then for the company, at a broader and higher level of company policies, deciding how the company will process, then it's better to just consider that you should be compliant with both.
Have you seen any examples of organizations essentially creating subsidiaries and having a separate website, just purely to be able to separate the operations, say between US America and Europe and Brazil? So it's easier to deal with the complexity rather than have one global giant which somehow has to meet all of the requirements together. Would it be easier just to create a subsidiary? Not that I know of, not that I know of. Okay. I'm always trying to think of ways to get around. That would be really interesting if that would be a way to get around. But really, I think from the differences that we can comment on between GDPR and the LGPD, there are some things that maybe are more interesting to the lawyers. Probably some of the people that will be listening to us are also lawyers working with data protection, and those are things like the principles. So GDPR is based on six principles and the LGPD is based on 10, and those are things like transparency and data minimization. So only processing the minimum amount of data necessary, and some of them are really similar. So it's not like the LGPD just has four more besides the same ones from GDPR. So some are similar, like transparency that translates directly to transparência in Portuguese for the LGPD. And some are just different ways to phrase or to formulate similar concepts. But there are also some different and new ones. So for example, the LGPD mentions non-discrimination as a principle for processing data. And that means that personal data can never be used to discriminate against the data subjects. So those are some differences in the basis of those regulations, under what principles those regulations are being created. So there are some other things, for example, the controller and processor relationship. The GDPR is a bit more strict because a DPA, or Data Processing Agreement, is always needed when personal data is processed on behalf of a controller.
So if you're a processor and you're processing data on behalf of another company, on behalf of a controller, then you need a DPA in place. You need to sign that document. But for the LGPD it only has to be that the processing by the processor is under the controller's instructions, which is also a requirement for the GDPR, but you don't necessarily need a DPA. So the controller also needs to check the processor's compliance, but it doesn't necessarily need a data processing agreement, at least not on what's in the LGPD. There could be in the future other guidelines from the Data Protection Authority that could change that. So let me see some of the others here. So on subject rights, I actually commented on this as some of the similarities because the subject rights are mostly similar, but the LGPD also allows users to request their data to be anonymized. And that's at least not expressly in the GDPR. There are some differences in the appointment of DPOs, or Data Protection Officers, because the LGPD only demands appointing a DPO from controllers, so not from processors. And the GDPR also demands that from processors. One of the differences that I find most interesting is the age of consent, and that's because the GDPR allows people to give consent at 16 years. And there's a slight difference in some countries because this is one of the few rules that the GDPR allows other countries to rule otherwise on. So let's say, I cannot remember now an example, but another country could define that it's actually 18 and not 16. And in the LGPD that minimum age for consent is actually 18. So those are some of the differences, especially if you're working with things like TikTok or any services that you're providing for children, or for people younger than 18 years old, you need to take these kinds of things into consideration because you might need to write different consent requests for different markets.
And if your market was primarily, say, teenagers or children, then 16 or 18 can be a large proportion of your customer base. So that's something that certain organizations really have to pay attention to, right? Yes, exactly. Really well observed. And I was wondering, in terms of the rights, is LGPD opt-in or opt-out? So what's the default position if I didn't do anything and I landed on a website for the first time? No, that's the same as GDPR. Like the need for consent. That's the same. So it's not like CCPA, where they assume consent, and then you've got the right to opt out. I think that's the biggest change that we'll probably see in all kinds of regulations for privacy since the GDPR, is that now you cannot just assume that people are giving you consent to process their data. At least no regulations that I know of take that for granted. Like the big change is exactly that we're being more careful now, more and more countries are being more careful with data protection and making sure that people don't have their privacy violated. So it wouldn't, I mean there could be an exception, but for me it wouldn't make much sense for these new privacy regulations to have an opt-out system. Most of them will have opt-in systems, which is when you need to provide consent for your personal data to be processed. Ingrid, do you anticipate some of these articles being included, or GDPR being modified to include some of these articles that are differences in LGPD? Do you mean for the GDPR to get inspired by the LGPD? Exactly. Yeah. Draw some inspiration on some of these newer articles that are included. I think that would be really interesting if it happened, but I don't really expect it to happen. So let's talk about enforcement now. Have there been, I know it's only been a few weeks, well it's been a year technically. Mike, do you want to clarify, it sounds like there's a little bit of ambiguity here.
So I've been reading about this and trying to get my head around it. It's not as complicated as I first thought. Essentially LGPD came into enforcement last year. So that's 2020. If anyone's watching this many years in the future, I think it was September the 18th that is the date that LGPD became active, but at the time it was stated that enforcement actions and the relevant teams and authorities, and the government machinery to actually execute on the enforcement, only came into effect in August 2021. So organizations had essentially 11 months where the police wouldn't be following them, or wouldn't be after them, but they still had to follow the law, which is fine, right? I think that's pretty fair. But one thing that I thought was pretty unfair is that, my understanding from some articles that I read, was that an organization, or at least an individual in an organization, had actually been infringing on people's rights, but before the law came into effect. But they got charged essentially. A civil suit was filed against them on the 21st of September, 2020. So three days after the law came into effect. Someone was charged for breaking a law which didn't exist at the time that they did it. Now, Ingrid, I just want to look at you: as a legal principle, isn't it a bit unfair to be charged after the fact for something that was not illegal at the time you took the action? But indeed, it seems quite unfair. I would have to look into this case to understand better what exactly happened there. And if this is really enforceable, because if the law didn't exist, you cannot retroactively apply it, or at least if it wasn't enforceable, but that's a really interesting case to research more about. Yeah. Maybe they were simply trying to find someone to make an example of straight away and then they would quietly let it disappear and then be more reasonable. But then there's the trust in the legal system, right?
So you cannot just go persecuting people just to make them an example of how you should follow this new regulation that we created now. This is why those dates of when it becomes enforceable and when you could start applying fines, that's why those dates are so important, so that you really have the mechanisms to apply the fines and to really enforce the regulation. So formally, they said they would start enforcing it on the 1st of August, 2021. Do you know what the progress is? Or Cameron, do you know what progress, or does anybody know what the progress is on actually setting up the relevant teams to do the enforcement? That is really confusing because they've changed that date so many times, and they delayed the enforcement. And I remember that in August last year all of a sudden it was considered enforceable, and no one was expecting it because everyone was expecting it to be delayed again. I wouldn't say everyone, but a lot of people that I had contacted that were working with data privacy at the time, they were quite surprised because people were expecting that to be delayed again. Yeah. I'd read an article three weeks into August that they were still trying to form the enforcement board and figure out who on that board was responsible for which activities in order to actually put this in place. So we were well past that deadline before anything was even thought of as far as being formalized. I think they're still in the process of trying to figure a lot of that out. Yes. And that's a long process because you need to consider everything that's changing. First, to create the law, you need to consider everything that's changing around the world, and in the country, in terms of privacy: what are the demands from the consumers? What are the demands from the business? What do we want to be from now on, as a nation, in terms of privacy? What do we want to do with that? So there were lots and lots of discussions.
I remember these discussions from more than 10 years ago when I was studying and working with law. So those discussions were already happening on how we wanted to create this law. And then after you create it, you need to make sure that you have good mechanisms to enforce it. So, who is going to take care of the data protection authority? How is that going to work? So there's a lot of additional rules that come after the main regulation that is the LGPD that need to be decided now. So there are some things, especially with enforcement, that are also differences that we can point out in relation to the GDPR. So, for example, with regard to data breaches. In both regulations, the GDPR and the LGPD, both controllers and processors must implement those famous organizational and technical measures, but the GDPR demands that the controller informs the data authority of the data breach within 72 hours. And the LGPD does not define a deadline for this, just that it has to be without undue delay. But what is without undue delay? This is a part that now needs to be defined by the data protection authority. What are the rules for that? What are the guidelines about this period and also about enforcement? One of the biggest differences that people point out are the fines. So for the GDPR, the fines are up to 20 million or 4% of the annual global turnover. And the LGPD fines are up to 50 million reais, which is the Brazilian currency. And right now that's equivalent to more or less 8 million euros with the current exchange rates, or 2% of the annual global turnover excluding taxes. So that's a big difference, like 8 million euros on the LGPD, equivalent to 8 million euros at the time we are recording this, you never know, and 20 million euros for the GDPR. So the percentages are also different. There's also the higher of the two numbers. I think with the Brazilian law isn't it up to the maximum of that 50 million?
I think they put a cap on it, whereas within Europe there is no cap. It could be as high as your revenues go. So there is definitely a significant difference in scope. Yes, that's a good point. So we do have some bonus coverage here, just recently in The Guardian, we'll link to the article. And by the way, just wrapping up the LGPD, we'll link to a great summary article that has a lot of these talking points that Ingrid reviewed, broken down in written form. So you can follow through them and go for a deeper dive. But I want to hand it over to Mike and Ingrid to talk about an article that just came out in The Guardian, UK to Overhaul Privacy Rules in Post-Brexit Departure. So it sounds like the UK is again going out on their own and defining their own set of privacy rules, or working on their own set of rules for GDPR. So, Mike, I know you initially brought that up, any thoughts on this? Yeah. So I'll try to leave political biases out of it. So now that the UK is no longer part of the EU, we've got the right to not follow European guidance, right? So GDPR is a European guidance or EU guidance, which each country was obliged to, I guess, legislate their own equivalent that met the guidelines. But now that the UK is no longer part of the EU, we're free to walk away from that. And so it seems that's why they decided to do so. This article is about one fold. They're writing sort of the beginning of the process of looking at what is best in the UK's interests, which parts of GDPR make sense to keep, which parts of it make sense to bin? And we can look over the pond, and look at CCPA. We've got a slightly different system in CCPA whereby by default customers have the right to opt out, but actually default opt-in is still allowable. Is that correct, Cameron? That's right.
And it's not just automatic opt-in versus opt-out, but it's also more about the right to sell that data or share it with third parties, as opposed to actually the right to collect it, which is much more of a European stance. So, yeah, I think this is my prediction, but it's too early, I would say a very, very early guess, if I were to guess, would be that we will kind of lower the bar slightly and kind of walk towards more the CCPA model. But just having worked in the UK, with lots of clients on this, and spoken about it, we spent so much time and long, long hours into the night thinking about how to meet GDPR. And then just about a month or two ago Britain and the EU had the Adequacy Agreement, which meant now our data protection standards were on par with the EU and so it was allowable to transfer data from the EU to the UK, to immediately announce that we're kind of walking away from that, after getting the Adequacy Agreement. It's just annoying as a casual bystander. Obviously there is potential, there's lots of potential for businesses to move faster if it's supporting lowering the regulation. There's so much at play here, but it's definitely going to be interesting to see, but let's hope that a lot of our implementation work few years. And I think that really ties this whole discussion together. And I think what a lot of organizations, but also a lot of countries that are thinking about enacting these new legislations, that the key component is, how do we make sure that our standards allow us to share data and to continue to have good commerce and good relationships with all of our partners globally as well? I mean, I know we've seen that relationship between, for example, the United States and the EU be disrupted a bit over the last five plus years. And we've seen partnerships like what Japan is doing with their data privacy come more in line with the EU so they can have that compliance and data shareability.
So I think you're going to see more and more people saying, this is our flavor. This is how we do it for our business, or for our country and for our data subjects. But we've got to make sure we're players on the global stage as well. I think in the long term, we'll have to see, and it's going to be a very long, very slow-moving long term, but ultimately, whichever attitude to data protection means that businesses can actually thrive more successfully, I think those will be the ones that, as we talked about LGPD and GDPR hybridizing, I think the regulations that allow businesses to thrive and transfer data, target advertising at customers effectively, but safely, will be the ones that essentially eventually the world moves towards. Yeah. I think that's quite interesting because the Adequacy Agreement to me has been done at least for the transition period. So just to make sure that the companies that were compliant under GDPR would also be compliant right away in the new Brexit situation, but now because of Brexit it's not applicable anymore to the UK, so they would have to create a new regulation, even if it was just a copy of the text of the GDPR, just to make it applicable for the UK. Well, during the transition period, nothing needed to be done. Then there were a few months where the transition period had ended, but the Adequacy Agreement hadn't been announced. So the Adequacy Agreement's about four months old, and then this article is about three months old. Yes. But it makes sense now that there is a review. If the UK wants to be more strict or more lenient in some of the rules, it could be that it will be more strict in some and less strict in others. And I just think that there would be a pushback if they go too strict or much less strict in others, from both the consumers and from the companies as well. So I don't think that it would change much, but I really cannot predict how that's going to go.
We tend to use, I think, the GDPR as a big reference because it was the first big one to make such a shift in how we viewed privacy. And most of the regulations around the world use GDPR somehow as a reference. But I think one of the most interesting things that I've read lately about privacy was about decolonizing the perspectives about privacy and understanding that even this concept of privacy is quite common in Western countries. And those are the countries that base most of their regulations on the GDPR because they have a similar notion of privacy. And we'd think of that as universal, but that's not true. We don't really have a universal notion of privacy, and that depends a lot on your culture. So the regulations need to reflect that as well, need to reflect what privacy means to a certain culture. Love the conversation. This is probably a good place to wrap it up. And I will say that we definitely would not have been able to do this episode without the both of you, Ingrid and Mike. So thank you for your contributions, any final parting thoughts or predictions about where we're going, how we'll get there over the next few years? Yeah, I think it will be interesting to see this UK piece. My prediction is that we will move towards a more US-like model. Think about the history, the EU first tried to legislate data privacy back in 2011, and it was very weak and essentially everyone ignored it. So I think they've gone perhaps on the stricter end now with GDPR, and maybe other organizations or regulatory bodies are like, that's something for us to take as a template, but maybe we don't need to go quite as strict. Ingrid, any thoughts? Oh, it is really hard to make predictions about that. I would just comment on the trend that we're already seeing happening, that more and more countries are doing similar regulations, and not necessarily inspired by GDPR, but more strict regulations of privacy to protect personal data.
So to protect consumers, to protect people in the use of their data. Okay. Thank you for those insights. Mike, why don't you share with us some of the things that we're working on here internally at ObservePoint just as we wrap up this episode. So we've talked about LGPD, GDPR, we've also mentioned CCPA and Japan. We have, China's just gone online with their data privacy laws as well. So we've mentioned that there are more similarities than there are differences. And the great thing is that gives ObservePoint's Privacy Compliance a really good core position because it's flexible enough to help organizations handle all of the differences between the various regulations, but also very powerful features are at the core of the platform, allowing customers to ensure that they remain compliant with whichever regulation is applied to their business units. Okay. All right. Well, thank you so much again, we really appreciate it. Ingrid, if anyone wants to get a hold of you or get in touch, is email the best option, is Twitter the best option? How can anyone get a hold of you? Well, actually the best option is connecting with me on LinkedIn. I'm quite active there, every now and then I post tips about data protection and about data visualization, which is the other topic that I work with. So yeah, just feel free to reach out. Let's talk about data. Great. And we will link to your profile in the description. Well, thank you so much, everyone. We appreciate the time here and until next time.