As practice areas go, privacy and data security are relatively new areas of the law. How did you migrate into it? 

In 2000, I was working as an intellectual property and technology lawyer at Arthur Anderson, the former accounting and consulting firm, when one of the deputy general counsels asked me to attend a national conference about a new European law called the EU Directive on Data Protection. If my memory serves me correctly, there couldn’t have been more than 30 attendees at that conference. What the EU Directive was addressing seemed important and novel to all of us: It required all EU countries to adopt laws to protect privacy, since privacy was recognised in Europe as a fundamental human right. Flash forward 20 years, at the last privacy conference (pre-pandemic) sponsored by the International Association of Privacy Professionals, more than 5,000 people from around the world attended. And from that one European regulation, we now have more than 100 countries with data privacy laws.

In the beginning, we were like a small rural town – everybody knew everybody. The profession has grown remarkably, but there is still a real sense of community about it. It is a profession that is grounded in making ethical choices. For most of us, this sense of camaraderie, accountability and transparency defines us personally and professionally.

Sun Microsystems CEO Scott McNally famously proclaimed that "privacy is dead; get over it."  Do you believe that is true and if so, what can privacy professionals do about it?

Massive amounts of data are created, collected and processed all the time and everywhere – in obvious and obscure ways. Most people are aware that they are providing personal data when they purchase a product through an app on their device.  However, they may be less aware that their device or the app may be collecting data about how they are holding their device or how long they looked at the product before purchasing it. Further, the ability to use this information to learn about the individual, as well as to identify trends, has increased exponentially since those words were spoken more than 20 years ago.

We are using data in ways that were inconceivable two decades ago. We are trying to solve problems that we could not have imagined when the EU Directive was first adopted and we are facing a proliferation of laws whose scope and complexity only continue to grow. Privacy protection is not dead and it certainly is not going away. As long as technology continues to develop, human ingenuity in data manipulation continues to progress and the need to ensure that data is only processed in ways that don’t conflict with the rights of individuals or larger societal goals, privacy and privacy professionals will continue to play an increasingly important role.

Over the years, you have held senior privacy roles at some well-known global companies - the top privacy job at Aon (formerly Hewitt) and McKinsey, a director at Deloitte. Now you are a director of global privacy at Facebook. Tell us about the challenges you’ve seen and the progression of your career. 

As I mentioned, the challenges continue to become more complex as we face issues that did not exist before. For example, many global companies store and consolidate data in just a few locations; other companies leverage cloud solutions to support their businesses. These data infrastructure models, which are quite common, are, in certain jurisdictions, running up against some legal requirements to store data locally. We are seeing laws being discussed that target “dark patterns”, or techniques used in websites and apps that may encourage users to act in certain ways, like buying or signing up for something. We are also seeing an increased regulatory focus on protecting children’s data privacy. These same jurisdictions frequently recognise that children also must have the ability to participate in online activities, so striking the right balance and implementing the appropriate safeguards can be a nuanced and complicated set of competing considerations. 

Additionally, as more laws are being enacted, the stakes for non-compliance are becoming more severe. When I first started in privacy, we heard about European regulators imposing fines of around $25,000 for a violation of the law. The EU General Data Protection Regulation, enacted in 2018, gives regulators the right to impose fines equal to four percent of a company’s annual revenue. Other emerging laws, like the India Personal Data Protection Bill, are following suit. Under some laws, companies can be forced to suspend their processing activities for instances of non-compliance. Under other laws, company data protection officers can be held criminally liable for a company’s non-compliance. To pivot from the global environment to the US, we are seeing many states enacting data privacy legislation as well. Navigating the landscape, both global and domestic, will become more and more complex due to the fact that laws are emerging and developing at an exponential pace. The stakes are becoming greater in all respects.   

As far as my career, I view joining Facebook as a great capstone to what has been a long and interesting professional experience for me. I’ve spent much of my privacy career in-house in business-to-business environments. With B2B, much of the risk decisions have an impact on business relationships – which invite their own stresses and challenges. In contrast, in the business-to-consumer environment, companies are dealing with consumer data and are much more the target of regulatory scrutiny. But whether one operates in B2B or B2C, the privacy professional must be willing to tell truth to power. We are there to protect the company and the data subject against risk and to preserve a fundamental human right. At times it can be a difficult job since sometimes raising issues can draw fire. But what is at stake is worth it.

The in-house privacy professional seems to have a bird’s-eye view into extraordinary layers of corporate risk. What protections exist for the privacy professional? 

More and more, data privacy laws are recognising that protecting privacy professionals is tantamount to protecting the data. But legislating that a company may not retaliate against an employee who acts in furtherance of a law means little if an organisation can marginalise or terminate that individual. GDPR now contemplates whistleblower awards, which include lawyers’ fees if the privacy professional is targeted because of doing their job. This is similar to what we have in many US laws that govern corporate behaviour, such as securities and trade compliance laws. I understand that US Senator Maria Cantwell of the state of Washington has included whistleblower awards in the Consumer Online Privacy Right Act that she has sponsored. This should be a bi-partisan issue since protecting personal data requires that the individuals charged with protecting this data be protected. 

With all this talk about data privacy and the expansion of social media platforms, can you tell us about your own views on information protection? 

You might be surprised to know that I am not a big sharer on social media platforms. I will tell you about anything over a cup of coffee, but I tend to be much more circumscribed on social media.   

If there ever came a day when you were not a privacy professional, how would you spend your time? 

I’ve been so lucky to have been able to blend my desire to tack to ethical principles with my vocation. When I ultimately stop working as a privacy lawyer, I would like to focus on joining the fight against voter suppression. Just as privacy is a fundamental human right, voting is the linchpin of our democracy. I can’t imagine living without attempting to make it a better society.