Mister Beacon Episode #69

What you need to know about GDPR

April 24, 2018

With the European Union's new data protection law about to take effect, businesses based inside and outside the EU are racing to comply and avoid a new level of financial penalties. Jarno Vanto, a cybersecurity lawyer and partner at the law firm Polsinelli, gives us insight into what the General Data Protection Regulation entails, who it applies to, and the implications of not complying. Here is what you need to know before May 25, 2018.


  • Narration 0:06

    The Mr. Beacon podcast is sponsored by Wiliot, scaling IoT with battery-free Bluetooth.

    Steve Statler 0:17

    Welcome to the Mr. Beacon podcast. We're going to be talking about the General Data Protection Regulation, or GDPR, which is really, really topical. You've probably been getting a whole bunch of notices from the companies that you rely on to run your business. This goes way beyond the beacon ecosystem. And this week we have a return guest, Jarno Vanto, who is a partner at Polsinelli and is a real specialist in this area. We're a little biased because he wrote the chapter on privacy for the Beacon Technologies book that we collaborated on, which is excellent. Jarno, welcome back to the Mr. Beacon podcast.

    Jarno Vanto 1:01

    Thank you. Appreciate it. Great to meet you again, Steve.

    Steve Statler 1:04

    Yeah. So the last time we spoke was episode 15. This is actually episode 70. Can you explain why GDPR is topical at the moment?

    Jarno Vanto 1:16

    Well, GDPR is the European Union statute that replaces the current European Data Protection Directive. It impacts all businesses that either have an entity in Europe or that offer goods and services to European consumers. So that captures a large chunk of, for example, US companies that provide apps or other mobile technology that collect personal data. And when I say personal data, it's really understood broadly, especially when you compare it to the US context. So in the US, we typically talk about PII, personally identifiable information, which is understood very narrowly: mainly things like social security numbers, email addresses, those types of identifiers where you can directly identify who that person is. But GDPR covers all processing of personal data, which is understood very broadly. So, for example, mobile device IDs that many mobile apps collect are personal data, website cookies are personal data, IP addresses online are personal data. So you're really looking at everything that a modern company does right now. And critically, you have to have a good understanding of, first of all, what personal data you collect, where you store it, and how you can, for example, give users the rights that the GDPR gives them. So, a practical example from a talk with a client a couple of days ago. They collect a lot of data online and do website tracking and all that, as basically any company does these days. Imagine a consumer comes to you and says, I want to know what personal data you hold about me. So first you have to understand what is personal data, but then where you store it; you can store it in cloud services, your own servers, everywhere. And then what if the consumer asks, I want you to delete all the personal data that you have about me?
    And the calculation was that if it was done in the current system, one such request would cost anywhere from $1,500 to $2,000 per request. So that means that companies have to overhaul their systems and reorganize their databases in order to really comply with the GDPR. So it's a huge effort. And it's not just a legal effort; in large part, it's a technical effort.

    Steve Statler 3:52

    And just to make things a little bit more fun, there's a little bit of time pressure as well. When does this regulation go into effect?

    Jarno Vanto 3:59

    May 25 of this year. Yes.

    Steve Statler 4:03

    So this is why we've been getting this flurry of updates from all of the service providers, you know. So we have a web service provider, we have Salesforce; I'm just talking about Wiliot, the company that I work for. And you know, we don't even have our products out yet. And yet we have three major systems that we use, Salesforce, marketing, website hosting, that are all impacted by this. Goodness knows what it's like for other companies. But yeah, we're in the States and I occasionally go to Europe. Does this affect companies like ours who are based in the States?

    Jarno Vanto 4:45

    Well, it depends. Everything is about how your company does business. So, for example, if you have European consumers as customers of your business, you're clearly impacted. But if, for example, you're providing services to a US company, and in connection with those services you have access to their EU customer data or employee data, you're impacted, and what your customers will have to do is make sure that all the vendors they use, including, for example, your company if you are such a vendor, are in compliance. So, for example, vendors cannot subcontract the processing without authorization, vendors have to have proper data security systems in place, vendors have to notify about data breaches. All that. So it's really, I mean, you know, Johnny-come-latelys, they're always out there, but really, given that we have a month, especially if you're in the consumer space with your products and services, you really gotta get working on this.

    Steve Statler 5:57

    So what if we're a business? We're going to get onto beacons later, but this is just the basics of any business. It seems like every business has a website at the moment, and it's not realistic to say, well, we're only offering this website to people in the US; you're going to get people from Europe registering. So if I have a web service that does some kind of location-based service that uses GPS, so it doesn't have beacons, and some of those people are in Europe, then does it affect my business?

    Jarno Vanto 6:40

    It could. Good question. Some of these judgment calls are a little bit challenging to make right now, because we don't have a single enforcement case yet; the statute enters into force on May 25. But if you're not, for example, actively promoting your mobile service, for example offering it in European app stores, or your website is not marketing to European consumers, it's highly unlikely that you'd be a focus of any kind of enforcement activity. So if you're just offering your service to US consumers, and also specifying in your terms of service that you're really just offering this service to US residents over the age of 12, well, you're probably not going to be an obvious target for any kind of enforcement activity if you don't comply.

    Steve Statler 7:36

    Okay. But if you're basically selling to the European market, or you're going through channel partners that do, then they kind of get you through this web. Even so, one of my questions is, okay, I'm over here. You happen to be in Europe at the moment, and you're based in New York, you're in Finland. One of my questions was going to be: how can the EU touch me when I'm in the United States of America? But I think part of your answer to that question is, because I have to deal with European countries, and they're under obligation to make me conform to the rules. Have I got that right?

    Jarno Vanto 8:20

    Well, yeah, I mean, the language of the GDPR talks about offering goods or services or having an establishment in the European Union. So that means that basically, in layman's terms, if you have, for example, a subsidiary in Europe, you're clearly covered. But even if you don't have a subsidiary in Europe, you'd still be covered if you offer goods or services to Europeans. And how it really passes through to the entities that are not impacted by those two major factors is that if you are a service provider to a company that must comply, then you also must comply. And this is one of the sort of ideologies behind this regulation: Europe wants to make its privacy standards global. And in some ways it is doing it, because right now US companies that never thought of having to comply with the European privacy rules are suddenly facing these questions from their customers or their vendors: what are you going to do?

    Steve Statler 9:37

    It's a little bit like the California car emissions regulations. It's like, if you're going to sell a car in California, then you need to meet our regulations. Well, that basically means they raise the bar for pollution standards for the whole of the United States, because every company wants to sell to California.

    Jarno Vanto 9:59

    A US domestic example of this, on the data side, could be that Massachusetts was one of the first states to impose strict data security requirements on all companies that process PII of the residents of Massachusetts. Unless you completely want to build a fence around the state of Massachusetts, you'd basically build your data security program around the strict requirements of Massachusetts, instead of doing a piecemeal state-by-state approach, because that's the easiest way to comply. Right?

    Steve Statler 10:34

    All right. So I see a lot more of those annoying notices popping up saying, hey, did you know we collect cookies? No, really, you collect cookies? It's like every website collects cookies, unless someone's coded it in HTML and it's a high school project. So let's get into what this means. So it's very broad. It has some real teeth. It's happening now. What needs to get done in order to conform to these regulations? I think there's some kind of terminology that we need to get to. And actually, maybe a more manageable way of coming at this is, how does this change from what the EU had in place before? Because from reading the chapter in the book and listening to episode 15, where you described that, I felt like the bar was pretty high in Europe already. How has it changed?

    Jarno Vanto 11:30

    Well, yeah, you're right. So there have been laws around this on the books in Europe since the mid 90s, basically, so we're looking at something that's been in place for 30 years. The GDPR adds new elements, things like, you know, what we've heard about, the right to be forgotten, and some other elements, but really it is building on an existing legacy statute. It was called the European Union Data Protection Directive; it's been in force since 1996. But what it introduces is more stick: potentially gigantic fines for non-compliance. So you're potentially looking at fines of 4% of the company's global revenue, by the way, not profit, revenue, or 20 million, whichever is higher. And so, you know, for globally operating companies with billions in revenue, that could be a lot of money. And so companies now have a real financial incentive to comply. And, for example, things like, you know, what the US had first and Europe did not: there's a data breach notification requirement. And now Europe will also have a data breach notification requirement. And the timelines are fairly strict: 72 hours after the company becomes aware of a data breach, the company has to notify the privacy law regulator in Europe. And when you think about it, that's fast. But then you also have to think about it in the proper perspective of what is covered by a data breach. So the US data breach laws typically only deal with Social Security numbers and credit card numbers and driver's license numbers, things that, again, are obvious direct identifiers. This covers all personal data. And as we talked about earlier, it's understood very broadly. So losing, for example, a bunch of device IDs from an app server prompts a requirement to notify the regulator, and in some cases also the consumers.

    Steve Statler 14:05

    Gosh. So what does it do as far as where the data needs to be located? I kind of have in my mind that if you're tracking data about European citizens, the data needs to be in Europe. But is that really something that has to be?

    Jarno Vanto 14:23

    No, it doesn't. The European Union doesn't have so-called data localization laws that would require you to keep data in Europe. You can move data freely to countries that the EU considers as providing adequate privacy protection. Unfortunately, the US is not one of those countries. Europeans don't think that, at this point, US laws provide adequate privacy protection, but we have an arrangement where a US company can self-certify with the Department of Commerce for the Privacy Shield; you've probably heard of Privacy Shield. And that is a legal way of moving data from Europe to the US. So the EU doesn't require you to keep the data in Europe, you can move it, but you have to have a compliance mechanism like the Privacy Shield in place in order to do that.

    Steve Statler 15:27

    And remind us what the Privacy Shield is.

    Jarno Vanto 15:31

    It is basically an agreement between the US government and the European Commission that as long as the company states that it complies with the so-called Privacy Shield principles relating to personal data, and self-certifies its compliance once a year with the Department of Commerce, then it can freely move its customer and employee data to the US.

    Steve Statler 15:57

    So tell us a little bit more about the things US companies are having to do, the changes that they're having to make. You've already touched on a few of them. One was the right to be forgotten. What else? What are the other changes that you're seeing people putting into place?

    Jarno Vanto 16:23

    Yeah. So again, everything with the GDPR has to do with what the company does in practice. So there's no one-size-fits-all solution, because you have to look at the types of data that the company collects, who it is sharing the data with, where it stores it, what the core business of the company is. So, for example, there's been a lot of talk about this thing called privacy impact assessments. Privacy impact assessments are a GDPR requirement for when a company plans a new product or service that processes personal data, and that change or new product potentially has an impact on user privacy. For example, this is a big thing for companies that track people online, or location-based businesses, because potentially the changes or new products that they create will have a huge impact on user privacy, for obvious reasons. And so they have to do what is called a privacy impact assessment when they make these changes. And before they make those changes, they've got to actually document and assess, first, what types of impact on user privacy the change or the new product will have, but then also minimize the privacy impact by tweaking the product so that it has a minimal privacy impact. And, for example, healthcare companies and health technology companies process what the GDPR calls sensitive or special categories of data; health information, obviously, is very sensitive. And so they have to appoint a data protection officer for the company. And also companies such as online tracking or ad tech companies have to appoint a data protection officer, because they do, again, monitor the online activities of users on a large scale. Initially, in the first draft of the GDPR, almost every company would have had to appoint a data protection officer.
    But during the last stages of feverish lobbying activity, they limited it to those types of companies that either engage in monitoring of people on a large scale, or process sensitive personal data on a large scale.

    Steve Statler 18:56

    Okay, what about size of company? If you're a startup, you're a 10-person beacon startup. I mean, that potentially is very personal information about where people are spending time. Does that mean you need to appoint a data privacy officer?

    Jarno Vanto 19:19

    Again, the challenge is that it's using the language "large scale". When you reach that scale is still a little bit unclear. But if you're tracking locations of individuals, you can confidently, almost very confidently, state that you're doing it on a large scale if you're, for example, tracking across a number of apps or locations. But I don't want to, you know, terrorize everyone listening to the podcast, but there's also the ePrivacy Regulation coming down the pike.

    Steve Statler

    Oh, there is? Tell us about the ePrivacy Regulation.

    Jarno Vanto

    Where GDPR is sort of a general statute relating to all things personal data, the ePrivacy Regulation regulates mobile communications. So the thinking that the Europeans had behind this ePrivacy Regulation is that they want to bring, you know, back when... now there's this thing called the ePrivacy Directive, which basically just regulated telcos. And then the Europeans thought that doesn't make sense anymore, to have only telcos here, because everyone is providing communication services now, all these apps where you can talk and message and all that. So they want to bring those under the same kind of regulatory umbrella as telcos. That regulation has a lot that is, for example, relevant to beacons. So, for example, first of all, it requires opt-in consent for location-based tracking of basically all types, including beacon technology. But then, because the text hasn't been finalized yet, there's a draft, and again, like with the GDPR, there's a lot of lobbying activity going on right now in Brussels. For example, the draft's language says that at any location where user communications are tracked, whether it's beacon technology or Wi-Fi, there would actually need to be things like warning signs so that people are actually aware of that tracking going on.

    Steve Statler 21:46

    Okay. That's funny. So I don't want to turn this into a massive advert for our book, but that's something that we do suggest in our kind of beacon deployment guide: think about that the same way as you have warning signs if there are surveillance cameras and that sort of thing. Yeah. Not unreasonable, actually, in my opinion.

    Jarno Vanto 22:04

    Yeah, but so I'd say everyone in these kinds of business areas should also keep an eye on the ePrivacy Regulation, because it will have an impact on all companies that rely on location-based services.

    Steve Statler 22:19

    Very good. So any other beacon-related pieces that you've come across? Because as a lawyer, I don't know anyone who's spent... I mean, you've spent a lot of time looking at this, you work with some of the guys that are building beacon networks and using GPS and so forth to create new business models. So any other things that we could be thinking about with regard to these regulations and beacons and location services?

    Jarno Vanto 22:52

    Yeah, I think that one of the biggest... Beacons in and of themselves, as we know, don't really collect any type of data, but the mobile device that interacts with those devices collects a lot of data. And companies that are providing support services, technology support services, for example mobile apps and other technologies that rely on beacons or other, you know, local support networks, they're in a little bit of a tough position right now, because one of the GDPR's main, the core legal basis for processing of personal data is consent, right? If you're there in the background, then in order to get that consent you are reliant on those publishers, apps or websites, to collect the consent on your behalf. Potentially we're going to see, again, more of those pop-up screens with disclosures about who they're sharing data with and all that. So those support-type vendors are going to be put in the spotlight much more than they have been until now.

    Steve Statler 24:18

    So if I'm a beacon startup, I'm creating this three-sided network. I'm bringing together venues that have beacons, people that are developing apps, and brands that want to engage with people who are in certain places at certain times doing certain things. As you say, I'm working through third parties who have apps, and I need to make sure that they're getting consent. Do I? Is it enough that I just have a contractual relationship with them? Or do I need to actually have a record of the fact that someone has actually specifically consented? Can I just put it on the app vendor and have it in my contract and say, hey, I insisted they did that, and if they didn't do it, then it's not my fault?

    Jarno Vanto 25:10

    Well, first of all, the first party that collects the consent actually needs to maintain a record of it. And then they need to pass it on to you if you rely on it. And then, on the other hand, when someone withdraws their consent, says no more of this data collection business for me, then they also have to communicate that withdrawal.

    Steve Statler 25:35

    The right to be forgotten, correct?

    Jarno Vanto 25:37

    Yeah, yeah. And so then that means that, well, on the one hand, you know, you have to have contractual language in place with your publisher partner. But then there also needs to be, again, because the whole GDPR is really also a technical effort alongside the legal effort, a technical feature built into the platform that enables almost automated communication of this.

    Steve Statler 26:09

    Fantastic. Well, that's all fantastic. It's daunting. But, you know, last question: do you think the net of this is going to be helpful or a hindrance to the kind of businesses that we're talking about? It's a huge amount of work, isn't it?

    Jarno Vanto 26:25

    It is a lot of work. And lawyers are busy, but I think engineers are busier, in some ways, trying to come up with the technical solutions to enable this compliance. But there are arguments, and I think many of these arguments are valid, that when companies have to clean house as a part of this process, and for example identify where they store personal data, what they do with it, all that stuff that's been kind of going on for a long time without anyone really checking into what the company is doing, it's good. First of all, you know, when you get consent, that data is good data; you can build better data products based on it. And then this cleaning house also means that you have updated, current data, and you don't have people in your database that don't want to be there. And so really, I think, in the longer term, this will enable business opportunities that were not there before. And I think that overall, that's a good thing.

    Steve Statler 27:39

    I agree. I think you've got to take the high road. What we're doing is pretty awesome, but with awesomeness comes responsibility. And we've seen with the Zuckerberg situation, it's such a distraction when you don't manage it correctly. And arguably they actually did quite a lot of good things in terms of offering these options, but communicating clearly is a key part of it as well. Correct. That's true. Well, Jarno, thanks so much. I know you guys are super busy given the timetable that we talked about. So Jarno Vanto of Polsinelli, thank you so much for talking us through this.

    Jarno Vanto 28:24

    Thank you so much. All right, you have a good rest of the week. Thank you.

    Steve Statler 28:34

    So you get three extra songs. Last time it was Pink Floyd and Guns N' Roses. And so, you know, the one good thing, other than the fact we get more of your time on this show, is that you're back and you get three more songs, so six songs total on your trip to Mars. Do you have any thoughts on what the three would be?

    Jarno Vanto 28:56

    Well, actually, it's funny. I was on a train earlier today, and I was singing the first ever pop song made with a synthesizer, called Popcorn.

    Steve Statler 29:07

    Oh, I remember that.

    Jarno Vanto 29:10

    I hadn't heard that song in a long time. So that was, like, the second one. I hadn't heard it in, like, 15 years. But so that's definitely one of the songs.

    Steve Statler 29:17

    So does it bring back memories? Popcorn? Is there a time when you first heard it?

    Jarno Vanto 29:22

    When I was in high school, I was a DJ at school dances, and that was one of the songs I played. So that's fantastic. Good memory there. Yeah.

    Steve Statler 29:34

    Yeah. The DJ was an exalted position. Absolutely, and I think it still is. But, you know, you're a teenager and there are so many problems; you don't have to think about what to talk to people about, you're just kind of at the center of attention and you're in control. So Popcorn's one, and the others?

    Jarno Vanto 29:54

    Blue Öyster Cult, Don't Fear the Reaper.

    Steve Statler 29:57

    Another classic. And your third?

    Jarno Vanto 30:03

    This one needs a second, I think. Oh yeah, of a more recent vintage, Khalid. Young, Dumb and... what's the title of that song? I just loved it because I was listening to it on repeat. Young, Dumb and Broke, I think the song is. It's an artist called Khalid.

    Steve Statler 30:26

    Okay, I don't know that one. I'll check that out. But I remember listening to Popcorn on a school trip to France when I was a kid, so it brings back memories for me as well. Very good. Thanks very much.