I'll go ahead and introduce our moderator, Professor Halberstam. And then we will get started with our GDPR panel. Daniel Halberstam is the Eric Stein Collegiate Professor of Law and the Associate Dean for Faculty and Research at the University of Michigan Law School. He was a founding faculty director of the university's EU Center in 2000. And he continues to serve as a director in the Law School's European Legal Studies Program. Professor Halberstam lectures regularly throughout Europe, having held a position as external professor in the European Law Department at the College of Europe in Bruges from 2007 to 2016. And he delivered the general course on the European Union at the European University Institute in Florence in 2012. Professor Halberstam was a member of the legal team in the Brexit litigation in the UK Supreme Court, convened a closed-door working group in Berlin of European policy makers and officials on EU accession to the European Convention on Human Rights and serves on the Academic Steering Committee of the Luxembourg Forum, which brings together the justices of the US Supreme Court and the Court of Justice of the European Union for joint meetings. We are thrilled he's here today to be able to moderate our session. Please join me in welcoming Professor Halberstam and all of our panelists. Thank you very much. Basically, I will speak to that. Oh, there we go. And I will try to stick to that role. Let me just introduce to you who's sitting here before you. I'll just go through in the order in which they will be speaking. So you sort of know who you're looking at even as the first speaker speaks. So first we will have Gabriela Zanfir-Fortuna, who's EU Policy Counsel at the Future of Privacy Forum and actually just recently moved here to Michigan. She leads work on European privacy analysis. 
Previously, she worked for the European Data Protection Supervisor in Brussels, who actually in a former iteration was a Michigan law grad, but probably not the one you were. Oh, was it the one you were for? I was hired when Peter Hustinx was a Michigan Law grad, who was actually European Data Protection Supervisor. And she participated in the famous and important Article 29 Working Party. She holds a PhD from the University of Craiova and is associate researcher at the Free University, Free University of Brussels. Next we will hear from Florian Schaub from the University of Michigan School of Information right across the street, as we like to say here. He focuses on the actual effects of managing privacy and you might say the pitfalls of trying to do so. He was previously a post-doctoral fellow at Carnegie Mellon University in computer science and he holds a doctoral degree in computer science from the University of Ulm in Germany. We will next hear from Rita, oh, yes, from Rita Heimes. Yep, they're sitting out of order, which just throws me off. Rita Heimes was research director, data privacy officer, and general counsel at the International Association of Privacy Professionals. She was previously a law professor and academic dean at the University of Maine School of Law, where she directed the Center for Law and Innovation. She also spent many years in private practice in a law firm in Seattle beforehand, so she really knows what it's like out there. Finally, we will hear from Melissa Maalouf, shareholder at ZwillGen PLLC in Washington, DC, where she focuses on representing clients in a wide range of privacy, security, advertising, and e-commerce matters. She also works with developing compliance strategies. She was recently named as a DC Area Legal Rising Star and was also recognized by the Global Data Review as a Global Top 40 Under 40 Data Lawyer. So please join me in welcoming our panel. 
We'll do opening presentations of 15 minutes, and then we'll take questions at the end. So first we will hear from Gabriela, who will be setting the stage for us by giving you a basic introduction to the GDPR, a little bit about its history, and the role of the rights of the data subject in EU data protection. Thank you very much. And good morning, all of you, and thank you very much, Sophie, and colleagues for your invitation. Indeed, I will talk to you today about the GDPR and what makes the GDPR tick. I will start by showing you an incredible statistic. So apparently, around 25 May last year, GDPR was more googled than Beyonce and Kim Kardashian. Can you imagine that? I mean, we are talking about a regulation of the European Union, right? It's a legal act of this international organization. Why would it be more popular than Beyonce and Kim Kardashian? And what happened is also that a lot of the GDPR became a meme, well, multiple memes around that time as well. Well, we can forgive the fact that we have a lot of people that were talking about the GDPR, but really not knowing what it is about. So for instance, we have here in a title how Europe's GDPR regulations became a meme. That's from Wired. But the GDPR stands for the general data protection regulation. So then you see it doesn't make a lot of sense to say the general data protection regulation regulations. But I'm sure you all remember how around that time, you were flooded with notices from companies from maybe even your schools that they have updated their privacy policies. You just could not escape it. And there were memes everywhere over the internet. Some of them had inside jokes. So for instance, this one with GDPR compliant companies asking whether we have information relating to an identified or identifiable natural person or not. It's probably not going to be understood by your regular internet user. But it certainly makes sense for people like us that have been into the weeds of the GDPR. 
But what made the GDPR so popular, you might ask? So what does the GDPR apply to? Well, it just permeated so much of the public discourse for many reasons. But one of those reasons is that the GDPR is the law that applies to everything. Because it applies to processing of personal data, wholly or partly processed by automated means. And personal data has a very, very wide definition. It really means any information related to an identified or identifiable natural person. And that can be like your shoe size. So if your shoe size is somehow linked to a unique identifier that's unique to you, that is personal information. Your IP address, most of the time, is personal information. So it applies to any information related to an identified or identifiable natural person. Whereas processing also means technically anything. If you look at the definition of processing in the GDPR, it technically means any use of personal data. Even erasing data counts as processing. Storing data counts as processing. So you don't necessarily have to do something complex to personal data for the GDPR to be applicable. But what's actually remarkable is that, and this is as compared to US law, is that the GDPR applies to absolutely every industry and even to public administrations. It applies, for instance, to processing of patient and staff data by a public hospital, processing of student data by a private school, or by a public school, processing of user data and metadata by an online gaming website. It really doesn't matter, the industry, the sector, it just applies to everything. So that's why all sorts of services were actually suddenly interested in this law. But why would people from the US care about the GDPR? Well, that is because it actually has a wide-reaching extra-territorial rule for its application. 
And this rule says that if a company, if an organization is providing services, selling goods, or monitoring behavior of people in the European Union, even if that organization does not set foot in the European Union, and it's based elsewhere, in the US, in China, anywhere, then that organization needs to comply with the GDPR. And there are some mechanisms in the law that regulators thought would make this happen. I will tell you some key elements about the GDPR. One key element is that whenever an entity processes personal data, that entity needs to have a lawful ground for that processing. So you can only process personal data if one of six lawful grounds applies, and consent is one of those lawful grounds. That's why a lot of companies reached out to you and asked, do you give your consent for us to process this data? But sometimes, you know, not in the most lawful way, I would say, but there are other lawful grounds as well. However, the rule is that you can only process personal data if you have a lawful ground. Then another key element of the GDPR is that it provides a set of rights to the individual, the rights of the data subject. These rights are meant to give control to the person over how their personal information is used by different types of companies or organizations, as I mentioned before. There's a right to information, which means that you have the right to know what's happening to your personal data. This is why you have all those privacy policies. Now, there are rules around the privacy policies that they should be much shorter than they are right now, but Florian is going to touch on that, I think, in his talk. Part of this right to information, it's also actually your right to know what's the logic involved in automated data processing, in decisions that are based on automated data processing. And this is so important in the age of machine learning right now, I would say. 
There is a right to access personal data, to obtain copies of the data that is being processed about you. There's a right of erasure, a right of objection, a right of restriction, but this is a bit technical. There's a right not to be subject to solely automated decision making. So decision making without any sort of human intervention that have an impact, a significant impact on you. And there's a right to portability, and this is why we're here today, to discuss portability. Other key elements of the GDPR, it has a lot of accountability provisions, and this means that just to give you an example, there's an obligation to conduct data protection impact assessments. So think of environmental impact assessments, right? Now the GDPR introduces this DPIA obligation. There's an obligation to appoint a data protection officer, so a person within an organization that actually knows of all these rules and can advise the management how to lawfully and fairly process personal data. Then there's a very interesting provision that the GDPR made into an obligation, and that's data protection by design and by default. And we have been hearing about privacy by design for many years as a very nice policy goal, but actually the GDPR puts it into law. Then of course there are significant fines that the GDPR provides for. This almost became like a poster child of the GDPR because we have those fines that can go up to 20 million euro or 4% of the global annual turnover. And very importantly, as I've come to know, the GDPR provides for a private right of action, and this is important because in the US right now, we don't have a law, a privacy law, that provides for a private right of action as far as I know, but maybe, so for instance, this is one of the big debates right now with the California Consumer Privacy Act, the fact that it has a very, very limited private right of action. But how did this all start? 
I know for a fact I will not have time to go through the entire history, but I'd just like to point out a couple of things. So there is this provision that says that every data subject, so a data subject, it's actually the person whose personal data is processed. Every data subject has the right to obtain erasure of stored data concerning him, where the storage was inadmissible, or the original requirements for storage no longer apply. So you see a right of erasure, or how it's being called now more nicely, I don't know, a right to be forgotten. Well, this provision, it's actually from 1977, from the Bundesdatenschutzgesetz, the German Federal Data Protection Law. So we already have a right of erasure in 77. I'll tell you about another provision. It says that a data subject has the right to know and to challenge the information and the reasoning used by automated processing whose results concern them. So a person had the right to know and to challenge the logic involved in automated decision making. You'd think this is, you know, wow, this GDPR is cool. It's actually Article III from the French Data Protection Law from 1978. So we have a history in the European Union where people cared about data protection and about the impact of using personal data since the 1970s. We have a lot of national laws that have been harmonized in 1995 into Directive 95/46. And I would like to point out here also that in 1981 we also had Convention 108 on the Processing of Personal Data adopted by the Council of Europe. This is a very important moment because it's an intergovernmental treaty that provides for very, very robust safeguards. And that's already 1981. 
My original plan was to talk to you about how the German Constitutional Court in 83 was already finding a right to informational self-determination, saying that the general personality right includes the authority of the individual to decide for himself, on the basis of the idea of self-determination, when and within what limits facts about his personal life shall be disclosed. So this entire thought of the person being in control of how personal information is used by the outside world has been in the legal thought for many years in Europe. So the GDPR is the result of a very slow evolution. And that's not just because it was proposed in 2012 and it took four years for it to get legislated. Apparently it was the most lobbied piece of legislation in the history of the European Union. And this was said by Commissioner Viviane Reding. So she must know these sorts of things. But I would say that the GDPR does not draw its strength necessarily from this long history of the Europeans caring about these things. But it draws its strength from the fact that data protection is actually protected as a fundamental right in the European Union. And what might be surprising for many to know is that the EU Charter of Fundamental Rights actually provides for two different rights. In article seven we have the right to privacy, the right to the protection of personal data, of private life and communication. And we have article eight which talks about the right to the protection of personal data. So there are two different fundamental rights. They have two different mechanisms. But what's important is that personal data is in our Bill of Rights in the European Union. And this is why over there, authorities care so much about this. I have very little time left. 
Just to, yes, just, I will not go through all of this, but just to let you know that whenever you hear about a very big case from the Court of Justice of the European Union that has data protection implications, well, be assured that the court always tips the balance in favor of the individual because of or thanks to this fundamental right protection that data protection enjoys. So in all of the landmark cases, in Google Spain, in the Digital Rights Ireland case, in the Schrems case, all of the landmark data protection cases, article eight and article seven of the Charter were very important. This is just to point out that in article eight of the Charter, in the second paragraph, if you look at the second to last line there, we can read that everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. This is just to point out that the rights of the data subject, so these rights to control how your personal data is being used, are also protected at constitutional level. To sum up, the GDPR took the world by storm in 2018. There are many reasons for that. It didn't appear out of nowhere. It's just the result of a very long history. It's an evolution of a complex system of rules. It gives expression to a fundamental right protected at constitutional level in the European Union, which is distinct from the right to respect for private life. The rights of the data subject are a building block of the fundamental right to the protection of personal data, going back to notions of informational self-determination, and undoubtedly substantiating the idea that control of the data subject over his or her personal data is fundamental for EU data protection law. Thank you. Thank you so much, Gabriela, and thank you. I did not even have to use my red card, and I suppose everybody can imagine what that means. Good. Next we'll hear from Florian Schaub, who's done an empirical study on the impact of the GDPR. 
On privacy, and this comes from a wonderful piece entitled We Value Your Privacy, Something, and then Now Take Some Cookies. So, here we go. Yeah, it's a pleasure to be here. Thank you, Gabriela, for this awesome history lesson. As Gabriela pointed out, the different data subject rights in the GDPR, and the purpose of the GDPR in this regard is really to reduce the power asymmetry between consumers and companies, and kind of turn this more into a bi-directional dialogue where you actually, as a consumer, have a say in how your data is used. Now, what I'm interested in, in my research, is how policies like the GDPR or laws in general affect consumers in practice, and do they actually help consumers better exert or express consent, or are consumers making more informed decisions? And today I'm gonna be talking about a study that Daniel already teased with a title, which I conducted together with colleagues from the Ruhr University Bochum in Germany, and what we've been doing is we analyzed the practical impact of the GDPR on websites in particular. And this paper will be presented next week at the Network and Distributed System Security Symposium in San Diego, so I'm gonna give you a preview today. It's a sneak peek. So, what we did for this study is we monitored the top 500 websites in each of the 25 European member states. So that means, what are the top most visited websites in each of those countries? And then there were, of course, some duplicates. But in total, we looked at 6,759 websites. And for those websites, we monitored them on a monthly basis between January 2018 and October 2018. And we looked for some specific GDPR-related factors. So the first thing we were interested in is, does the website have a privacy policy? GDPR has strict transparency requirements. The de facto way of how transparency is provided at the moment are privacy policies. Then we also did some rudimentary analysis of what's the content of these privacy policies. 
I'm gonna be talking about some of the challenges in doing that analysis in a moment. And in addition to that, we also looked at whether these websites have cookie banners and whether that actually impacts how they set cookies on these websites. And to a large extent, this was an automated data collection, but then we did extensive manual work to verify our results as well as annotate some information, for example, regarding the cookie banners. So let's first talk about privacy policies. I already mentioned that privacy policies are kind of the standard way for providing transparency. At the same time, it's an open secret that no one reads privacy policies. So typically at this point in my talks, I ask people, who of you has read a privacy policy in the last month? Yeah, I'm not surprised in this room. So it's good to see that people here are actually reading privacy policies. You're not the norm though. You're aware of this. Typically people, yeah, no one reads privacy policies. Even in my privacy class, no one reads privacy policies. Okay, so that aside, when we started our measurements, we saw that actually the adoption of privacy policies was already quite high in Europe, and that is largely due to the EU directive from 95 that Gabriela mentioned. So what we saw is in January of 2018, already 79.6% of the websites had privacy policies. And then until May 2018, after the GDPR went into effect, that slightly increased by about 5% to 84.5%. And since then, we haven't seen any increase. So these 5% can most likely be attributed to the GDPR going into effect. However, what we did find is big differences between countries. So in terms of countries with the most adoption of privacy policies, Great Britain has an adoption of 97%, so 97% of the British websites we looked at had a privacy policy. We see similarly high rates in Denmark and Slovenia where more than 95% of websites had privacy policies. 
And then there's a whole range of countries that have more than a 90% adoption rate. But then at the bottom of the ladder, we have the Baltic states, Latvia, Estonia and Lithuania, which kind of ranged between 76 to 78% after GDPR adoption. Which means that there's still almost a quarter of websites in these countries, of the most visited websites, that don't have a privacy policy. And while it sounds somewhat bad, those countries actually also saw the largest increase of privacy policies. Over 10 percentage points more websites had privacy policies after the GDPR went into effect compared to before. Something that surprised us a little bit is we also found 10 websites that removed the privacy policy. We don't think that is necessarily stipulated by the GDPR. What we saw often is that the policy might still be reachable because we've been monitoring these websites. We had the links where the policies were, but you couldn't actually find them anymore from the website directly. And likely because there was a redesign of the website and someone just forgot to put a link to the privacy policy in. If you're responsible for the website of your company, make sure to check whether there's actually a link to your terms of service and privacy policies. We also looked at the changes over time. So we looked at the measurement data we collected live, but then we also went to the Internet Archive, which is a great resource for research. And we tracked back for the websites that were kind of archived in the Internet Archive, we looked at data from 2016 to 2018 to kind of see like, oh, have they maybe changed their privacy policies since the GDPR was ratified in 2016? So first what we found is that 50% of the most visited websites in Europe changed their privacy policy in May 2018. So when the GDPR went into effect. 
And that's good news on one hand, okay, companies are updating their websites, but they're also doing it all at the same time, which means that as Gabriela pointed out earlier, consumers are just getting bombarded with like, our privacy policy has updated. Why don't you read it? And you get that for every website you look at. So that's probably not very effective. What we also saw is that despite the two-year grace period of the GDPR, over 60% of the websites had not updated their privacy policy in 2016 or 2017. The majority really just updated their policy in 2018. We also found 118 websites that seemingly missed the deadline. So they had not updated their policy since 2016, but then in June, when the GDPR was already in effect, they realized, oh, we should really update our privacy policy. So they just didn't get the memo, I guess. All right, so far the statistics, right? We then looked a little bit closer at what actually happened with the policies. And what we see is that privacy policies are getting longer and substantially longer. So the average text length of the privacy policies, when we looked at the 2016 policies, the average text length was around 2,100 words in the privacy policies. This grew to over 3,000 words by March 2018. That's before the GDPR goes into effect, right? March 2018. But that means just in two years, since the GDPR had been ratified, the length of privacy policies has increased by 40%, right? That's a lot more text to read for people. And then between March 2018 and May 2018, we saw another 18% increase, to where now, in May, the average length of a privacy policy was 3,600 words. That's a lot of text for people to read. That means really privacy policies got over 1,500 words longer because of, potentially because of the GDPR. And I think a lot of that has to do with companies also overcorrecting a little bit and rather putting a little bit more explanation in their policies than too little. 
But it also demonstrates a really big tension between the GDPR's goals of transparency and having very specific disclosure requirements. But then also saying like, oh, actually these notices need to be concise and intelligible, right? 3,600 word privacy policies, not intelligible, not readable. Like it's gonna be very difficult to find the information that is actually relevant to a consumer at a specific moment. We then also looked at whether the websites offered an email contact in their privacy policy. So if you have a complaint, if you have a question, who can you turn to? And we saw that there was a 9% increase in websites that had email contacts, but it's still less than half of the websites that give an email address for people to quickly ask a question about privacy policies or about the privacy policy. Instead you have to call, send a letter, other things like that. Then we wanted to see whether privacy policies are starting to integrate more GDPR-specific terminology. So Gabriela talked earlier about the different legal bases for processing. We also looked at transparency requirements and some of the consumer rights in the GDPR. Now this is really challenging to do if you're looking at such a big data set because we had privacy policies in 31 different languages, right? I speak English, I speak German, very little French, very little Spanish, but it's difficult to do an analysis like that at scale. What helped us there is that the EU actually provides official translations of all of their legal texts into the 24 official languages of the member countries. And then we used that to create word lists in the different languages and then validated those with native speakers in the different countries. So this is of course a crude measure, right? And I'm not saying that the statistics that I'm gonna give you tell you anything about the compliance of websites with the GDPR. 
We're just talking about mention of certain GDPR-related terms in the privacy policies. They might be using other wording, other phrases that were not represented in our word list. But I think it gives us a good indication of the adoption of some of these terminologies. So what we saw is that terminology related to user rights actually increased quite a bit. So erasure was mentioned 8% more than before. Rectification went up by 6%. Websites talking about complaints, 11%. So how do you actually post complaints? And then data portability also increased by 7% in terms of mentions. Looking at the legal basis for processing, which companies should be transparent about, under which legal basis are you processing certain personal information, we found that mention of consent actually remains stable. So it's about 30% of privacy policies that talk about consent. And before GDPR consent has already been a pretty popular way of legitimizing data processing; that has remained the same. Legitimate interests though, basically companies collecting data and claiming that they need this data for legitimate business interests, that rose from 7% to almost 20%. So that's a really popular, I don't wanna say loophole in the GDPR, but I think it's an easy way for companies to justify the data practices they are doing without necessarily additional work. And yet still, right? 20% of mention of these terms is still relatively low. There's still many websites that don't seem to be describing the legitimate basis for the data processing. Now for web users in Europe, one of the most visible changes brought on by the GDPR is actually the increase in cookie consent notices. They're seeing, who knows what a cookie consent notice or cookie banner is? Okay, a couple of people. So it's, you go to a website and there's a banner that says, we may place cookies on your computer. And you're like, oh yeah, I could use a cookie. But really they're tracking you. That's what they're saying, right? 
And often it's not just the first party tracking you, but they also have advertising partners and other partners that place cookies. And what we found is that the number of cookie banners from January in 2018 to May 2018 after the GDPR went into effect increased from 16%, increased by 16%. So now 62% of websites in the European Union show you a cookie banner when you go through their websites. However, what we also found, and for this we actually did manual annotation of all of our websites to see what the cookie banners look like. What we found that most of them are informational banners that don't give you any kind of choice or they're confirmatory banners. So they have a confirm button, but they don't actually have a deny or reject button. And so it's questionable whether that actually constitutes consent in any kind of form, right? And then, okay, I'm almost at the end here. What we also saw is that the cookie practices didn't really change. So while there are more cookie banners, the number of cookies websites are placing remains stable about five to six cookies per website on average. And that's really a problem, right? So yes, there are now these banners that tell you that there are cookies, but you still don't have a choice about it. Another interesting implication that we found in our study is that the GDPR is really not just impacting European websites, but also other countries. So in our sample, we actually found that the websites we analyzed included also 53% of the most popular websites in the US and 48% of the top 500 websites in Russia. All right, so that explains also why companies in the US and all across the world are really paying attention to the GDPR. And what we're seeing is that the GDPR clearly spurred an increase in privacy policies and transparency efforts, but there's not necessarily increase in actual, this two-way interaction, this dialogue, right? 
There's just more information being thrown at consumers without helping them necessarily make better decisions. And this demonstrates the challenge of translating the GDPR requirements into more effective notices and controls. And what we've been looking at in other research I've been doing is how can we improve this really for the consumer? And I think an important realization is that privacy policies are important. They serve a really important function for companies and for regulators. But we're lying to ourselves when we think that they're informing consumers. And what we really need to do is we need to think about the privacy policy as the base layer on which we can then layer consumer-centric, consumer-focused notices that are actually integrated into how you interact with the service. When I go to a news website, I don't need to know what that website does with my financial information if I sign up for a subscription or what happens with my contact information when I enter into a sweepstakes, right? Instead, you should give me that information when I'm actually doing those actions, when it's relevant to me. And then you should give me also an option to say, no, I don't want you to share my data with marketers while you do that, right? And that's really where we need to move if we want to inform consumers, right? And that's it. Thank you very much, Florian. Well, next we'll hear from Rita who will discuss data, I should explain what data portability is under the GDPR. Thank you. And then also do a comparison with the California Consumer Privacy Act. Yeah, we'll see what we can do in 15 minutes. Thank you. That was a fascinating research study. I just can't help myself, but explain a little bit to those of you who are students and what the real world is like when you are working in a company that is attempting to become GDPR compliant because you have customers or in our case members, we're a membership association in the EU. 
It takes a while to build up enough information and knowledge about your own enterprise to be able to disclose your data processing practices in your privacy notice. So even if the GDPR is hinted at, it could take up to two years to May of 2018 to be able to effectively describe what your processing activities are. And it's also very important that you define, we've talked about this, but I want to get really into it because it's super important for the portability discussion. The GDPR requires controllers. The controller is the party that collects the information, typically is the collecting body from the data subject who makes decisions about what to do with that data. And that's as opposed to the processor, which is maybe your cloud service provider where you store your data, your customer relations management Salesforce, for example, is a quintessential data processor. It just holds the data. It's agnostic to what it is, but you are the one who's delivering the goods and services. You're the data controller. You make decisions about what to do with that data and you process it in a myriad of ways, not just always for delivering what was purchased, but for other things. So every time you make a processing decision, maybe you get a new cloud services provider for storing the data or you enter into a relationship with a new partner or you have a marketing basis, you have to assign a lawful basis for that processing activity. And consent is just one of the options that you have at your disposal. And in many ways, it's the least attractive option, believe it or not. And I'll tell you why in a second. You can also look to do I as an enterprise have a legitimate interest in processing the data for the purposes of the company. Maybe it's in the public interest that I process the data. Very unlikely it's in the vital interests of the data subject. Let's say I'm a healthcare institution. Very popular. 
Look, this person has come to me to buy goods and services and in order to give them what they purchased, I need their data, right? So you can imagine in the financial services industry where you cannot give someone a bank account unless you know who they are. And you also need to verify and authenticate them. So you may need information from them that helps you know truly who they are so that when they log in, for example, it is who they say they may be or any other fintech where they're using biometrics because you're using a mobile device to connect and that's the most efficient way to find out and identify your identity. That, your reasons for collecting that information are in part to benefit the individual themselves to prevent fraud, all sorts of other reasons. And you need to think that through as an attorney, as someone who works inside a company because assigning that basis will have an impact, big impact on what their rights may be as a data subject and what your obligations are as a data controller, including with regard to profiling. So are you the controller or are you a processor and who are you all along the chain is absolutely crucial to understand as a lawyer or even in public policy when you're thinking about the relationships and the GDPR tries to take all of this into account and put it in one complicated but intense regulation. All right, so consent as a basis. The other issue to understand with regard to data profiling, which I'm gonna get to in a second or I'm sorry with portability is the definition of personal data. So we've gone over this, and Gabriella did a brilliant job of explaining that personal data is any data that relates to an identifiable individual, extremely broad definition. All of this matters because portability rights under the GDPR, which are just one of many data subject rights and we've begun to talk about them. 
If you are a data subject, in other words, you are in the European Union and you have given your data to a controller, you have the right to get to know what data they have about you to get access to that information. You can submit a data subject access request and they need to tell you what personal information they have about you. You also have a right to have that data deleted under certain circumstances but here's where the legislative drafting gets interesting. There are exceptions to the deletion requirement as there are under the California Consumer Privacy Act as well. You have a right to correct the data to have it rectified if it's not accurate to object to processing. You have a right if you've given consent to processing to withdraw the consent at any time. So that's one of the reasons why consent is not always the best basis to use for data processing because it can be taken away and then what do you do as a controller? That said, there are certain things where consent is simply the only option. One is cookies. You need to get consent before you drop cookies and the other is in many ways direct marketing although there is an opportunity to use legitimate interest for that. Okay, on to portability. So one of the other rights that individuals have under the GDPR is the right to port their data, to take their data or require the controller to give it back to them in a machine readable format so that they can port it to another entity or to ask the data controller to send it to another controller, potentially a competitor on their behalf. Let's get specific. The right to receive personal data concerning him or her, i.e. the data subject, which he or she has provided to the controller. 
Those of you who are law students and lawyers know each of these words matters because you may need to parse them some day to decide whether or not you have to comply with a portability request or if you're arguing with a regulator about why you didn't particularly comply with a request, here is why. You also need to provide it in a structured, commonly used, machine readable format and the data subject has the right to transmit that data to another controller without hindrance. Importantly though, for purposes of our conversation, this applies only when the processing is based on consent or fulfillment of a contract. If you have another basis, potentially you have data on someone to prevent fraud, so your legitimate interest is to authenticate for fraud prevention, maybe that data is not subject to portability in that context. So consent is one basis or contract fulfillment, so just to deliver the goods and services to the data subject. Also, it only applies when the processing is carried out by automated means, probably typically the circumstance in most of the situations we're talking about at this event. As well, you need to be able to send it directly to the competitor or another controller. So what is personal data provided to the controller? Most of the things that you would imagine, right? The name, the email address, other account-based information, potentially also their activity on your website, so because they're taking the action of visiting your website and you may track their behavior on your website, that's their data provided to you. But what about the analytics? What about your algorithms that you might run on their data? What about data you've acquired about them from other parties, all of which you can combine together to create some sort of a profile or to evaluate whether or not this is a credit-worthy applicant or what they might want to purchase in the future? 
That data, that inference data under the GDPR is not personal data provided to the controller by the data subject. So once again, figuring out what data you have on people, where it comes from and how to characterize it, it's super hard work, it takes a long time, it's why being GDPR compliant is never a day in the, you know, like okay, on this date we were GDPR compliant, it's an ongoing exercise for enterprises that are subject to the GDPR. All right, so that's basically my biggest point here is you're gonna need to know why you have the data, where it came from and what your basis is so that you can even decide whether or not the enterprise falls under the portability responsibility. I'm gonna quickly talk about the California Consumer Privacy Act, but I wanna make one more point. Why does this matter? Well, the GDPR does have private rights of action for data subjects. It does empower NGOs to take action on behalf of large groups of data subjects. There are all sorts of little startups that are beginning to submit mass data subject access request forms and then use those as a basis for litigation. I mean, hopefully the worst case scenario will not happen, but it's quite possible we could see class action style litigation out of Europe for enterprises that aren't equipped to actually comply with these rights requests and portability falls under one of the rights of the data subject for which the higher fines apply. So up to 4% of global turnover, up to 20 million euros. So these are real issues that need to be addressed. All right, the California Consumer Privacy Act, as was mentioned, passed in haste this past summer following a citizen referendum defines personal information much like the GDPR does. It's incredibly broad, any data relating to a person, but it also includes household data. So not just about the person themselves, but maybe about their household. This is something that may or may not fall out with some of the revisions that are taking place. 
And importantly for our discussion of portability, personal information under the CCPA includes inferences drawn from the personal information of the data subject. It could be their biometrics, their geolocation, their internet activity taken all into account. If you're going to make inferences on that data, it's their personal data. So it doesn't have that magic language of provided to the controller that excludes inferences data. And this is where there will be lawyers involved in helping clients decide the differences between personal information and what falls outside that. The CCPA like the GDPR gives data subjects California consumers, California residents, rights of deletion, rights of access, and rights of portability. The portability language isn't quite as crisp as it is under the GDPR. It's kind of slipped in the language of the right to gain access and to be able to use portability to go to another entity or competitor. I think the language is that shall be provided to the consumer in a portable and to the extent technically feasible in a readily usable format that allows the consumer to transmit that information to another entity without hindrance. So it contemplates not exactly the GDPR's very clear language that if the data subject tells you to send it to someone else you have to, but that the data subject gets the data back in a way that they can personally port somewhere else. It's a little clunkier if you will from a consumer perspective than the GDPR, but you can tell that that's what they mean, right? They want data to be able to be exchanged at the consumer's direction from one competitor to another. So I know we have lots of time for Q&A. I don't wanna keep going on. I just wanna make one more mention of the technical requirements here. They're very similar and GDPR and CCPA are only a couple of them. So you may have structured, commonly used machine readable formats. 
If you read, by the way, one of the best resources out there for GDPR is the UK's Information Commissioner's Office website. So if you just want a way to consume the GDPR in a super friendly way, ICO.uk.org or maybe I have it backwards, great resource. I actually use it a lot to help myself gain access to information quickly. Structured, commonly used, machine-readable way. The ICO website says, this could be XML, it could be CSV, it could be those sorts of formats. But there's no technical specificity as to what exactly it has to be. So there's room for interpretation there. The CCPA requires a readily usable format that allows the consumer to transmit to another entity without hindrance. Brazil's law allows data subjects to request an entire copy of their data in an interoperable format. And India requires that the data be, again, in a structured, commonly used and machine-readable format. So all this attempt at legal language that is broad enough to be modified over time as technology evolves, but it also is really difficult, I just have to tell you, to work with your IT departments, and, because you can't do this without IT, and get their help trying to figure out if anyone should ever ask for their data in a way that they can port to someone else. Do we have the capacity to give it to them? Is it stored by us in a way that we could export it to them in a portable way? It's complicated and fun, and I hope you enjoy this legal field because it's not going away. Thanks for having me. Thank you very much, Rita. We'll hear next from Melissa, who will be giving us sort of a stepping back, the big picture discussion of how the portability rules actually affect clients. Yeah, absolutely. So as somebody who works in private practice, I have clients of all shapes and sizes in the financial sector in particular, some of the smallest fintech startups, to some of the largest, most institutionalized financial institutions. 
Some of my clients had to comply with GDPR, some of them didn't. So as we think about data portability, particularly as we're seeing some laws develop in the US that either mimic or complement the GDPR, depending on the size or the shape of the company and what other regulations are applicable, what they may or may not have had to do with the GDPR, there are very, very different considerations that they are dealing with in terms of thinking about portability. So there are three things that I would like to do. I would like to talk about what are clients practically doing to comply with portability? Is there a lot of portability, are there a lot of portability requests being sent to companies? How are they actually in practice implementing them? I'd also like to take a deeper look at the potential pros and cons of data portability and to some extent, whether something is a pro or con, probably also depends on what type of financial institution you are and what your footprint is in the market. And then I would like to leave you with one additional layer of complexity on the whole portability debate, which is the concept of data transfer and the rules that apply to the transfer of data from the EU to the US. So if you are a US FinTech company or a US financial institution and you're maybe trying to get EU consumers to port their data to you in the US, there may be some additional considerations that you need to take into account. And one thing that I think I also just wanted to mention at the outset is in addition to GDPR and the data portability requirement, which is really focused on the idea as we heard from Professor Barr's speech and as we heard from what Gabriella was saying is this concept of data ownership and the individual's ability to control their own data. At the same time, there's a whole separate movement that's been happening in Europe for many, many years now, which is that of open banking. 
And there was a payment services directive that was most recently amended in 2007 that allowed, in theory, and has been allowing for third-party financial services providers, such as account providers and payment service processors to get access to consumers' accounts when consumers provide consent to do that. Now, that is more on a competition level and coming from that angle rather than from a data ownership and data privacy perspective. But I think it's a really important thing to note because I think both of these things work together and are really framing the debate. And I think one thing that is really interesting is that there has been, I think the GDPR provides an additional basis to help with this competition angle in 2017 under the payment service directive. There were actually a lot of banks that were pushing back on consumers' requests to allow access by third parties to their bank accounts because the banks were saying, sorry, I can't give you access third-party providers. You may have this right under the payment services directive, but I think that giving you access to this data is actually a problem from a privacy perspective. Maybe I don't think you have great security procedures in place. Maybe I don't think you're gonna protect the data in the same way that we do. So I'm not going to give you that data, but there was actually a crackdown by the EU financial regulators. They did a raid of companies in the Netherlands and Poland and a whole bunch of other locations and they said, no, no, you can't use privacy controls as a basis to push back on these requests that the consumers have a right to make under the payment services directive because you're directly impacting competition. So all of that to say that it's a little bit of background into all of the very complex considerations on the European side that go into the aspect of data portability. So we've already heard some of the main benefits of data portability, right? 
Why is this potentially a great idea, particularly in the FinTech startup space? As we heard Professor Barr say, one of the greatest benefits of large financial institutions in the past has been the ability to keep their consumers. It's very, very hard for consumers to leave one, or traditionally it's been very hard for consumers to leave one bank to go to another. Banks impose fees, they make it difficult to access their data. If consumers only have access to their very limited recent financial history and they port that or give that data to a new financial institution, that may not give enough history about that consumer to make that data particularly useful to the new financial institution. So with data portability and the theory that you have to give a consumer access to all of the personal data about them that you hold as a bank, that gives consumers and FinTech startups or other financial institutions an amazing ability to get access to data that they weren't able to have before so that they can offer competing products and services. And so this is obviously great for competition. We've been seeing tons of FinTech startups. I mean, imagine you could be on the train in the morning on your way to work. You have your money in one bank. You see an advertisement pop up that says, hey, this other bank has a great rate today, transfer your money, your new accounts will have 3% interest. Great, terrific. At the click of a button on your mobile phone, you might be able to port that information over to that new provider and take advantage of that new rate. Great, right? Well, there are some potential problems here. So first of all, when a consumer does get access to their data, and as we heard Rita say, you don't necessarily automatically get access to all of the data for portability. 
There are some legal theories and ways that banks can push back against it or financial institutions can push back by saying, oh, well, this data doesn't fall under the portability requirement because we don't process it based on consent. We don't process it for our contract. It's not technically feasible for us to do this. And okay, yes, we'll give you the basic data, but we're not gonna give you all of that other data that we had in the profile about you to give to another provider. So in that context, when you do port the data to a new provider, will the data that the consumer actually gets from the financial institution and ports to the other provider really be useful? Will that data give the new financial institution the full picture of that consumer so that the products and services can be offered? What will the data look like? There's no interoperability requirement in the GDPR. You just have to provide the data in a common format. But if you're talking about data that's been stored at one financial institution for possibly decades, in the case of some consumers, and they've been using their sort of special sauce and algorithms behind the scenes to figure out information about this consumer, their credit worthiness, what types of products to offer them, will that data really be useful to the next financial institution? What algorithms will they apply to it? How does the consumer know that they can trust what those algorithms are that the new financial institution is going to apply to their data? Now, obviously this could go both ways. The second thing is just this concept of what actually needs to be ported. If banks in Europe are able to only provide a smaller picture of the data, that's probably not gonna be particularly useful to the new financial institution either. And while it will allow the consumer the ability to easily switch the data back and forth, again, it may not be the full picture. 
And then of course we can't talk about data portability without talking about the security concerns that come potentially with data portability. I think the context that most people point to when they talk about how great data portability is is in the phone number context. And when all the rules came out of the FCC that said you have to be able to easily port your phone number from one provider to another. Which is great, it's allowed consumers to keep their phone numbers, they can switch providers that help with competition. However, there was a major security issue that happened here. It is actually very easy to call a phone company and say I wanna port my number to you and here's what my number is. And to figure out just by looking on the internet a person's name, their email address, possibly even their address and what their mobile phone number is. And to have enough information to call a new phone company, pretend to be that person, get access, actually take over their phone number and then be able to log in to some of their accounts like their Twitter accounts or their Instagram accounts. This is where we saw this happen most frequently. Well, what's that going to mean in the financial context? We've been hearing a lot about all of the different data subject rights under the GDPR and companies of all shapes and sizes have been grappling with, well, what do I actually have to do to verify consumers when they make these requests? And it's anything from some companies have self-service portals on their websites where consumers actually have to authenticate and go in and request their data. Sometimes companies simply ask, what's the email address that you use for this account and I'm gonna send you the data to that email address. Some companies are more sophisticated and ask for driver's licenses or other information that can more directly identify the consumer. 
But there's also a little bit of tension there because the GDPR has data minimization as a main principle and companies that are asking for too much information to verify a consumer who is making a request might get in trouble for collecting too much in that instance. But how do we trust that the person who's actually making the access request or making the portability request is the consumer to whom that data actually belongs? And more importantly, how does the financial institution who's obtaining the data in response to a portability request verify that this download of information that came from one financial institution from this particular consumer really does in fact belong to that consumer? And these are problems that eventually can get solved and I think are going to keep working themselves out but I do think it's a very interesting concept that we just don't know how this is all going to happen. Similarly, if multiple data subjects have access to the same financial account, who gets the portability right? Is it that both members or multiple members of the account have to all agree to the portability right? Is it just one person has the right to do this? How is that going to work? And so as I mentioned, I think that we're seeing a whole bunch of different approaches to portability requests. There are some bigger banks, for example, Barclays and Santander, who have portability portals on their websites where they ask for very, very detailed information and will actually effectuate portability requests directly to other providers. Other companies that maybe aren't as technologically savvy will provide access to the data and will provide it in the format required by the portability requirement but won't actually do the porting directly. They'll say it's technically infeasible and I think that's partly because it is technologically infeasible for them or very resource intensive. 
And then on the other side, they also don't want to be liable for if they directly port the information to another provider. And it turns out that other provider uses that data in a nefarious way or there's a security issue or something like that that they don't want to get drawn into that. So I said I'd add one additional layer of complexity onto this whole conversation. And that's the issue of data transfer. So in addition to the GDPR, there are also rules in the EU regarding what happens when you want to transfer personal data outside of the EU. And the EU only allows for the free transfer of data outside of the EU to jurisdictions that they consider to have adequate privacy protections and security protections. The US is not one of those jurisdictions. The US does not believe that, I mean sorry, the EU does not believe that the US has adequate privacy and security standards in place that would allow the transfer of data directly from the EU to the US. So what's happened is over the years and starting with the 1995 EU directive that predated the GDPR, there were four main mechanisms for transfer of data from the EU to the US. The first was if the data subject gave clear consent to the transfer. Sounds easy, but we've heard why consent is actually very, very difficult to get in the EU. The second is if you enter into these standard contractual agreements that were created by the European Commission called the Standard Contractual Clauses and you have an entity in the EU and an entity in the US and they agree to these clauses that have a variety of privacy protections and liability allocation and other information in them. Then if you have that in place between those two entities, you can transfer data. 
There's also binding corporate rules which really only work in an intra-company context: if an organization globally decides to adhere to this very stringent privacy and security review and adopt principles along with the help of the regulators and put those in place, they will be able to transfer information but again, only intra-company. And then there was also the safe harbor that developed that's now been replaced by what's called Privacy Shield and the safe harbor was a self-certification mechanism in the US that US companies could go to the Department of Commerce and say, okay, I agree that I'm going to be transparent with data, I'm going to be careful in how I collect data, I'm gonna provide some data subject rights, I'm gonna secure the data in some ways and I'm going to generally protect data. And if the US companies came and said that they did this on their own and that they were Privacy Shield certified, they could click a box, they could become Privacy Shield certified, put it in their privacy policy and that would also serve as a mechanism for transfer. So you can imagine that if you were a US financial institution or fintech company and you want to try to attract EU customers, there has to be some sort of mechanism in place to get that data. And particularly when we're talking about portability directly from one entity to another, I can absolutely see a situation in which US, I mean, sorry, EU banks would push back on porting data to the US because they would say, even though the data subject has requested it, I don't think that the consent can ever be valid in this situation because I don't actually know what that other bank in the US or that other financial institution is going to do with the data and I don't know that the data subject gave valid consent. And hey, I don't want to sign the standard clauses with this company that also, I don't know if I want to give them my consumer data, I don't want to transfer it. 
So then you're left with the consumer having to transfer the data directly. And I'm running out of time, but in addition to that creating complexity just in and of itself, Privacy Shield and standard contractual clauses are both under scrutiny in the EU right now due to a series of cases instituted by this individual, Max Schrems, who is having concerns about Facebook's privacy practices. And basically his argument is that it's never safe to transfer data from the EU to the US because even if the US company says that it's going to protect the privacy and security of the individual's data, that doesn't end up getting to US government access to the data. And the US government has very broad rights to access the data. So there is a debate within the EU right now in the courts and this is currently sitting at the, it's Gabriella, what is it, the Court of Justice, right? I always forget, the Court of Justice of the European Union, trying to decide whether you can really ever have a valid transfer of data from the EU to the US under these mechanisms when the US government still has very broad rights to access that data once it's in the US. So thank you. Thank you, Melissa. Thank you all very much. This was an incredibly rich panel. I will say the most fascinating one I've ever attended on the GDPR. So I'm a constitutional lawyer, so I don't know about this stuff and I'll open it up to questions, but I will ask, I just wanna ask one round of questions and you don't have to actually answer them right or you can just make a note of it and then we can go to the audience and you can choose to either incorporate my questions or dismiss them as foolish as however you wish. So one is just to pick up on something that Gabriella said and that Rita then said or picked up on in a slightly different way. One was the access to the reasoning, which you said came from the French law originally, access to the reasoning and how it is actually processed. 
I was sort of fascinated to hear about that and I was actually thinking about does that mean you get the algorithm? And Rita was saying, well, you don't actually get this sort of inference reasoning and the other stuff. So I kind of wanna dig down a little bit in here. Well, what do you get when you can ask for the reasoning? Is it the purposes? I don't think that's what they mean. I think it has to be a little bit more than that. It's something about how you crunch the things and then how deep can you actually get that? So that would be sort of, I guess for the two of you. One for Florian, you sort of marked and I think quite rightly so, how long these privacy policy disclosures are. Have you actually designed ever a model that would be that where you can say you can do this in 250 words and it is informative, it is relevant and it satisfies all the legal obligations. And company protective. Well, let's just say, can you, because I'm a lawyer, so I don't care too much about the sort of, of course, company protective could be a long thing, right? So that's why I don't wanna sort of let that camel's nose be under the tent fully. It just has to be relevant. So can you actually do something that's relevant that is legally compliant and that is informative in a reasonable number of words? Or, and so the question being more, have we legally created an impossible situation? Or is it that the way it's being executed is not good? Right? And then finally, for Melissa, I guess, two questions. One sort of that just sort of comes from my sort of a personal stupid question, which is we just transferred all of our retirement, stuff from Wells Fargo to another institution. It was a breeze. They sent us stuff in the mail. We signed forms. It was done within three days, everything. I had no idea what data was being transferred. I'm sure they were all sort of doing fine stuff, but in any event, it was not a problem. I had no difficulty whatsoever moving from one foundation. 
So is that just because I'm sort of a privileged guy and like that's sort of, that's not a problem. And for poor people, the folks that Michael was talking about earlier, those people would have a much harder time. Or is it because it was the US and nobody cares about anything so the GDPR was not providing any problems. So why was it so easy? But then a slightly second question is, a lot of what we've heard here is about the end consumer interaction with the GDPR. And I'm wondering whether there is something else also that one might focus on, which is one step behind the company that you're dealing with, namely who those people are dealing with in the subcontracting financial services. And I could well imagine that the GDPR is highly competition restrictive in competition among subcontractor services for the front bank or front institution that you're dealing with. Because that bank, if they wanna then switch out who they're dealing with, all of a sudden they need the end customer's consent. So is that something that sort of exists so I'm just sort of making something up? All right, with that, let me open it up to questions, we'll take maybe two or three others and then you can answer and then we'll go back and forth. Yeah, it's over here. Okay, I guess my question is I wanna make sure I'm understanding things because obviously it's pretty complicated. But something that was going through my head is is it accurate for me to be thinking that the GDPR and potentially other countries who are imposing different standards are in some way kind of imposing those on other countries by having such a far reach. And or at least some of the regulations or standards that they have. And could that kind of be said that they are imposing their cultural and moral beliefs around data protection onto other countries in a way? 
I had to write all this down while I was thinking because I'm thinking of like the, I took a class on WTO and we kind of briefly talked about IP regulations of the US kind of getting imposed on smaller countries who don't necessarily have the structural means to carry them out. Yeah, or are they like, is Google distinguishing on where people are using the website or accessing it from geographically? I find that kind of tricky or are they just saying we're gonna comply with this just overall and it's a higher, if it's a higher standard. I'm just seeing a lot of conflicts kind of coming for companies that reach across borders. That's a question for everyone I guess. Okay, why don't we go, is there one more right now? Okay, so I would just, yeah. So we could just go down the panel or yeah. I will take your first question and also weigh in a bit on that. So on this particular right to receive the information about the logic involved in an automated decision making, well, both what Rita said and what I said are equally valid because that's a separate right. That's the right to information. So the right to receive this kind of explanations are part of the right of access. So you can receive it, but you don't have to receive it in an interoperable or portable format. That's just for portability. So one other point and I made this note when Rita was speaking about this because she made a difference between inferences for portability purposes and the truth is that inferences under the GDPR are personal data. So all of the other rules of the GDPR apply to inferences and to whatever algorithms are doing, including access, including information and having a privacy policy is part of this right to information. However, portability is restricted in that sense. So this is a nuance and that's a million dollar question about having access to the algorithm. 
So what does "logic involved in an automated decision making" mean, and there are conferences, entire conferences about that going on right now both in Europe and in the US because that's really the essential question of this day and age. What is happening with machine learning? How much access do we have the right to have to what's going on with AI processes? What data goes there? What type of inferences are made and what's the resulting decision? Why has it impacted us in a way or another? Is that discrimination? Is it a fair decision to make? So that's a very, very important part of the discourse right now but that's in a separate part of the GDPR. So for portability purposes, it's absolutely correct. There's no right to port your inferred data. So the results of this type of decision making. And then for your question, it is a fair assessment and that assumption that indeed the data protection regime of the European Union had echoes around the world and that started to happen with Directive 95 and it was because of the rules on international data transfers that Melissa brilliantly explained. But the truth is that ultimately what the EU is doing is just they are protecting persons that live in the European Union. The truth is that if you want to do business in the European Union and if people over there have a right to personal data protection because this is how the people of the European Union thought is good to have in their bill of rights, then you have to respect those rights but it's true that an effect of that is that changes started to happen around the world and in other systems as well. However, the EU does not impose on US companies to provide those sorts of rights here in the US. That would be, but in reality, it did have this sort of effect for sure. And I'd just like to add to it, so I think that to your question, there have been a number of approaches.
So there were some smaller US companies that essentially did use IP blockers and other technology and said on their website, this website is not for EU consumption, we're not aimed at EU users, they went out of their way to make that a thing, they actually installed technology blockers to make that point so that they wouldn't have to do GDPR compliance. There are other US companies that even though they might have some EU users or some traffic on their websites, they don't market to EU users directly and they're not trying to necessarily get EU users, they know they have EU users, but they made the risk assessment that we're probably not gonna get in trouble because we're not really availing ourselves of the EU law and we're not marketing to EU consumers and they've just continued to do business as they are. There are other companies that said, okay, I'm not gonna do a fully GDPR compliant program, but what I'm going to do is update my privacy policy to have some of the GDPR requirements in it, I'm going to be a little bit more transparent, I'm going to provide some consumer rights, particularly if an EU person writes to me and says I want you to delete my data, I'm going to go ahead and do that so that I don't have that risk. Then there are some companies, like really large companies who have said, you know what, I'm just gonna go ahead and treat all of my users the same, I don't see why I should treat EU users differently than California users, than New York users, and if a consumer writes in and says they want access or they want deletion, I'm going to go ahead and just give it. So I think there's been a really wide variety on the company side as to how they've grappled with this issue, so. And then I think to your first question that you raised to me, which I think sort of comes into this, so you're right, you're absolutely right, you can transfer your bank account from one provider to another. 
I think that the issue with data portability as a right in a law is how broad that portability right is and how much data it covers. So we've talked a little bit about how under the GDPR in the actual portability right itself, inferences may not be included. However, if you ask for access to your data, you can get access to the inference data in theory under the GDPR, although different companies have different interpretations of how far that extends. And then that's the data, that's sort of the special sauce, the proprietary algorithmic data that really is unique to a company and its users. And that's the data that if a consumer can get it and give it to another provider, might raise an additional layer of complexity there. I think also just when you do put a portability right in the law and consumers may not fully understand what that means and they do see these providers that are sending targeted ads that say, oh, send all your data to me today and I will give you this great rate, but they have no idea who this institution actually is or what their security procedures are. I just think it creates more room for problems. And then in the US, under the CCPA, inference data is absolutely covered in the portability right, at least with how the law is drafted right now. And so as you can imagine, a lot of US companies, not just financial institutions, but US companies generally are like, oh my gosh, how broad does this extend? All of this information about how I've dealt with my consumers and how I make decisions and how I determine what products to offer to who, that's something that's proprietary to me. That's something that we spend a lot of time on money and resources and data scientists to discover, why do I have to go and just give that to somebody else? And so that's where I think the difference lies. Yeah, I just wanna, I'm gonna get to your question later, I think. And I would like to make her a devil's advocate rebuttal to it. Yeah, we're gonna get there. 
No, but I wanna comment on something you kind of mentioned in passing, which is the EU imposing their cultural and moral beliefs on the US and other countries, right? And I think that's, I have a problem with this framing, like we also heard this this morning, because when you actually looked at the history of how privacy legislation came to be, what kind of formed what we now see as user access rights, most of that started in the US. We had in the 70s a report by the HEW, I'm blanking on what the acronym stands for, but it was a government commission that basically developed the first report to assess the impact of databases back then, right? Like, oh, we can now collect data about people. And many of these rights we're now seeing in the GDPR were already laid out in those very early documents and assessments of what are problems with data. As part of the OECD privacy framework, the OECD is the organization for economic development, right, which is an international organization. We see very similar rights implemented. If you look at the Federal Trade Commission's fair information practice principles, we see exactly the same principles. The only thing that's different with the GDPR now is that there are hefty fines of 4% of your annual turnover. And now people are paying attention, right? Like these, many of these rights and provisions are also in our US laws, just the fines are tiny. So no one cares, right? And people are not paying as much attention. Yes, there are differences in the minutia, I would say. But I think we're, it's not true that Europeans have such a stronger sense of privacy and want to be more private. In the studies we do, what I often found is that it doesn't matter where people are coming from. They don't like it when the data is being used in ways they don't expect them, the data to be used. So it's about having a sense of like, oh, what is my data actually being used for and did I agree to that beforehand?
And that's one of the big challenges, I think. So I think talking about different morals and values around privacy is maybe not the right framing. We should really think more about what do consumers need and want and how can we address power asymmetries between companies and consumers. Well, as a practical matter, it is difficult to segment your customer base geographically without collecting a lot more data about them. So there's the data minimization principle, once again, running up against other interests that you may have. So many enterprises, I do think, are going with what best they can do to come up with a global standard and a classic example is you really have one website, right, where most customers enter, you're gonna have a single cookie policy. There is no such thing in the United States and yet all sorts of US based companies with websites in English now have, I mean, we went to a, we don't drop any cookies, analytics or otherwise, unless you accept them. Guess what, privacy pros don't like to accept tracking cookies, I don't know why. So our, you know, our consent rates on cookies went to 30% because we were following the GDPR. Does that hurt? Yes, but it's the right thing to do. We also went with the consent basis for marketing communication, even though in the United States and in Canada, we can email people on a purely opt-out basis, but we asked all of our Americans to opt in and they do. We have almost a 70% opt in rate to marketing communication. So the global standard isn't always the worst thing. And in fact, I think it just forces you to really think about what you're doing and that's the whole point, right? What are you doing with the data? And is it something that your customers would want to expect? I'd like to talk briefly about the data ownership question and whose data is it, because this entire framework that we've been talking about today suggests that it is the consumer's data.
And I think as a practical matter, most consumers are not sophisticated enough to really appreciate what their rights are and to take them to the extreme. You need to build systems that allow them to, but much more of the data exchange is B2B, I think B2B drives GDPR compliance a lot more than consumers do. We'll see what happens if there's a US law that creates private rights of action and we have a plaintiff's bar, which we really would need to allow consumers to, to empower consumers to enforce these rights. I think what you see is with the obligations that the GDPR builds into the law that you do not transfer data to anyone without making sure that they're worthy of handling it, that they're going to safeguard the data, that you yourself are responsible for everyone you give the data to. That's the kind of teeth that you need to build into a law if you really want people to feel they have to comply. And that forces compliance down the supply chain. So it's not the consumers who are driving that sort of safeguarding, it's the businesses working with each other. That's my point. Thank you. I'll just add one thing about the extraterritoriality question, sort of the hegemony question, just because that's sort of something that's much more general and not just to the GDPR. So first of all, I would say you're seeing that elsewhere. You're seeing that in emission standards regulations. You're seeing it also in First Amendment issues. And I think what's just happening lately or lately over the past 25 years is that all of a sudden the U.S. is waking up and realizing there's actually another big actor out there that we have to pay attention to that's actually making rules that are not the crazy rules we always reject, China or something like that, but actually sensible rules that are sort of within our playground, within our relative cultural shared area, but that nonetheless come from one fundamentally different aspect and that's not just minutia.
And that is the role of government in enforcing these things. That I would think we do still have a quite different sensibility across the Atlantic, especially when it comes to the First Amendment. And so with all these things going up in Germany and in Europe about taking down defamatory stuff on social media within 24 hours or you get a fine, I mean Americans just look at that and they say that's just plain nuts. But of course we don't do anything. So you kind of have the two extremes going on right now. And the EU has flexed its muscle extraterritorially in recent years and I think that's just something that is going to have to be worked out. I used to work at the FTC and there we actually had lots of meetings with the European competition authorities to come out with harmonizing our merger analysis or at least the data that went into the merger analysis. So we're just gonna have to have a whole lot more of that because I think it's true that it's practically the world is not gonna work if we have a segregated internet, at least the democratically Western world is not gonna work if we have a segregated internet. And so we're going to have to have some shared understandings of the rules, at least things that we can live with. We have time for a couple more questions. Yes, why don't we take a last round and then a last round back to the panel. Yes, so here one, yeah. Let me just ask a specific question. Melissa, from your presentation, it sounds like you don't think there's a conflict and correct me if I'm wrong between GDPR and PSD2. But on the surface to a layperson like me, it just seems like, isn't there an inherent conflict in sort of the structure of the two regulations or putting it differently, how do we reconcile? How do you think about reconciling the GDPR versus PSD2? Are you talking about on the grounds that PSD2 is focused on consent whereas GDPR is sort of anti-consent? Or in what? That's one symptom or one aspect of it, yes. 
So I would say that there are some conflicts between the two generally, but in terms of data portability itself, I don't see as much of a conflict. I think there was a lot of initial, oh my gosh, this is gonna be a big problem because PSD2 advocates for greater access to data and sharing of the data whereas GDPR is trying to protect data and is trying to be, where is the data going, how is it being protected? But I think that ultimately what we have in the GDPR, we do have a consumer-driven portability right. So that's very consistent with when a consumer allows access to data under PSD2. And I think that the other thing that we have is that the GDPR doesn't prevent sharing data with subcontractors and third parties to your question that you raised to me. It kind of gets back to that. It just requires that if you do, you don't have to have consumer consent to each individual sub-processor or third party to which you provide access to data. Instead, if the third party can be characterized as a service provider or vendor or processor of the controller, an entity who's only going to process that data on your behalf and who's going to agree to article 28 requirements of data privacy and security and only using the data on your behalf, you're allowed to freely transfer that data without the consumer doing anything affirmatively. In contrast, if you're going to allow access to a partner or another entity that is not a processor, then you need to have a legal basis to transfer that data and that's where probably the consent piece would come into play. But so I do think that there might be some, just on a broad level, there are some conflict between the two but I think in the context of portability and then this idea of sharing with others, they're not as conflicting as the initial, like especially a few years ago, I remember there were tons of articles about this and like this is going to be a huge issue and I just don't think it has been in practice. 
Right, I think one of the reasons I was getting there is that I was thinking of it from an ownership perspective and a commercial perspective, in other words the B2B perspective vis-a-vis the consumer. The consumer gives some data or consents to give data and then the person or the business then commercializes that and what does that imply about ownership and who has the rights and how do you get paid for that? Right, yeah, thank you. Hi, just to tease out, Rita, your point about the B2B interaction and when we look at this really from a customer-centric perspective, you request for the data and then the company that you requested, you request the data to be moved does that, right? But we're seeing a lot of instances where I'm actually making that request to another company and in the background there are activities that are happening that the data that the company actually has doesn't even know and if it's a small company, I don't know that a big company is coming around and scraping my customer's data. Customer requested it, right? So who actually is gonna be responsible? Like when we talk about regulating the space between the B2B and thinking about the security considerations, are we actually gonna start to regulate and say, okay, things like scraping, things like reverse engineering are not going to be allowed because the security concerns trump, or are we going to say, actually the customer requested it and it is on the customer to be educated and really know what they're doing when they are going to places and requesting information, providing their credentials to be able to then scrape that data, right? Really curious to see where that space is trending. Okay, let's take two more questions and then we'll let one here and then we have one over here. All right, thank you. That was indeed a very interesting GDPR panel. I've seen my fair share of them and it was very nice.
So I think my question echoes a little bit what has been discussed already, but I would like to have your opinion on what should be the rightful place of consent as let's say one of the main, if not the main basis for a lawful processing. So we've discussed a little bit what can be the issues with that, but I would like to have your take as to whether we should keep consent as something which is maybe the main basis or if we should try to move beyond consent. I don't necessarily know how that would be done but whether that would be a good or a bad option. Hi, I had three questions, but we don't have to answer all of them, I guess. So the first question is just, I mean, could you talk a little bit about the supervision regime for GDPR and does it vary by country? How does it work in countries with lower capacity, for example? I was intrigued by the research around the different websites and how they changed their practices. Has GDPR resulted in any meaningful change by users themselves? Has it changed behavior of individuals? Maybe we don't know yet, but yeah. And then the last question was, I thought it was really interesting the conversation about the different legal bases that could be provided. Do we have a sense of the rough share for that? Like, if you look at specific sectors, what are the most common legal bases they're using? Thank you very much. So we'll do a, you wanna do a last round? Sure. Okay. Why don't you start at the other end? Quickly, and then see if I can find our latest support. Push your button, please. Rita. You're gonna push your button. The IAPP is policy neutral, by the way, so if I say anything about what the law should be, it's just me talking. I just wanted to, I thought the point is brilliant, which is, in some ways, if the customer has all the control and gets to tell the controller or business what to do with data, including opening up your systems to parties that you do not trust, can you say no?
How much control does the consumer have to put you at risk? I think when thinking about the legal regime, and California has tried, I'll give them some credit for this, to try to parse the universe, as Melissa was saying, into different entities and different parties, and I think that's the more sophisticated way to approach the issue. There are going to be multiple players in any data transaction, especially in financial services. So the ultimate liability, where it rests, the ultimate responsibility, a lot of work is done on liability shifting through contract, but ultimately, if you're facing a regulator saying you didn't respond properly to a consumer who wanted something from you, there have to be ways that you can justify that for grounds that are other than just obstinance. So I think that goes to the crafting of this ultimately beautiful omnibus law that we will someday have that is consumer protective, but builds in rational reasons for businesses to say, I had to say no, I had to deny this access, I had to prevent this because it was otherwise gonna compromise my own business and maybe other people's data. And so the other piece of this that the GDPR does is it has an allowance for the rights and freedoms of others. So you don't just have to say yes to every request you get, if in fact, other people's privacy or other people's rights and freedoms would be harmed. And that is the case when you're storing a lot of data in the same place or you have a database that has multiple different data subjects' information in it. So this is legislation at its most complicated. How do you be tech neutral? How do you allow for exceptions? And then I think ultimately, you're just gonna have to make your case and document your decision making if the consumer isn't always right when they ask something of you.
So to answer a couple of the points that you raised in terms of what legal bases we're seeing used in different sectors, I don't think it's really a sector specific approach. I would say that most companies rely on all the legal bases for different processing activities. So for the internal uses of data to run the business, for fraud prevention, for internal marketing, these types of things, knowing your customer, those are probably legitimate interests. The information, the base information you need to simply provide a product or service. So the user's name, maybe their address, their payment information, if it's a paid product, you can use contract. It's the things that are more like third party marketing or behavioral analytics or profiling, the activities that you can't justify on the other bases, that consent is typically used. But right now there is a lot of debate, particularly at the CNIL, who's the French regulator, about what the consent requirement is and how granular the consent requirement needs to be. So for example, if you have ad tech on your website, it may not be enough to just say, you agree that we have third party behavioral advertising cookies on our website. Instead, the CNIL is saying you have to list every single one of those providers and the consumer has to consent to each one. Now that may be pro-consumer, I don't know how that's going to work out business-wise, but it'll be interesting to see how that happens. In terms of the GDPR impact on the individual, I can definitely say that my clients across the board have been seeing a huge amount of data subject requests coming in, that they are dealing with every day. Some of my clients are getting hundreds of these a day. You can imagine that's very, very resource-intensive. They've had to hire additional people and have whole departments in order to handle the deletion requests and the access requests. So that's the area that I've seen the most.
And then just one last thing that I wanted to say on enforcement, GDPR definitely made a splash in 2018. The threat of 4% of your annual turnover fines was huge. However, the US plaintiff's class action bar on privacy issues is actually pretty strong. There have been some major, major lawsuits in the data security and the data privacy space that have caused companies in the US hundreds of millions of dollars in fines or in settlements. And so far, we have definitely seen the EU regulators, they issued a $50 million fine against Google, which for Google is sort of a cost of doing business, a little bit of a slap on the wrist. There have been a couple of others that have been in the $1,000 to $50,000 range again sort of slap on the wrist. But I do think that in the US as a US company that is thinking about your global compliance strategy, the risk of a class action in the US is still potentially more problematic than your risk of an EU GDPR enforcement, which is why I agree that ultimately we need to have privacy policies or an alternative to privacy policies that's a lot more pro-consumer. So consumers understand what's happening with their data. However, currently for me as somebody who represents companies, the reason why those privacy policies have gotten longer is because if you're a company who's been subject to a privacy class action, guess what the document is that the court's going to be looking to decide whether you disclose your practices and whether you are going to get out of this lawsuit at the most into dismissal level or whether you're gonna end up in a settlement. It's a privacy policy. It's the class action lawyers and it's the judges who read the privacy policies. And so I agree something else needs to be done for consumers, we need to be more transparent with consumers, but that's the reason why those documents are super long. Thank you for the segue. Yeah, so I fully agree with that actually and I wanna make that point really clear. 
I'm not arguing for getting rid of the privacy policies and doing something else. We need to have the privacy policies because they serve that really important purpose. I think it's also a good, so I talked with people at the FTC and they always talk about privacy policies. It's a way that forces companies to basically present their privacy practices and data practices in a consistent manner, which many don't manage to achieve actually. If you read privacy policies, they're often inconsistent. But that's a good function, right? And it's important for the companies to demonstrate their liability or their compliance, not the liability, limit their liability. And it's important for regulators and judges and others to assess that. But we often stop there and we kind of conflate this legal compliance with, oh, we informed the consumer. And I think that's the big problem, right? So the privacy policy should be the starting point to then think about, okay, now how do we get this information to the consumer in the way that they can actually understand and that it makes sense to them? And that goes back to your question, but also to your question whether we should move beyond consent, right? I think the GDPR's framework of having different legal basis for processing is actually a good model because you shouldn't have to ask me whether you can use every little piece of information you collect about me as part of a contract if I already agreed to that contract. And the same way, if there are legitimate business purposes that don't violate my privacy and have been within the same context of which the data was provided initially, then you shouldn't have to ask me for every little thing that happens, right? Consent becomes important. When data is being used in unanticipated ways, and I would actually see that as an opportunity for companies to also better communicate why are we doing this? Why are we using data in a certain way? 
A lot of the online business, particularly the ad business, only works the way it works right now because consumers have no idea what's happening with their data, right? If you go to cnn.com or any other news website at the moment and you don't have an ad blocker, there are probably 20 other parties that are recording that you are reading this particular article, and then they're gonna follow you to what you're looking at on Amazon, and they're gonna follow you to who you're talking to on Twitter, right? And they collate all this information about you in profiles. Is that really a business model we need to protect, right? Like I think in terms of people's privacy, I think the question is like, consumers should have a say in what data, how data about them is used, and I think there's a question of responsibility, and at the moment I think data's often treated as a commodity rather than something you need to protect and value. So that's kind of my overarching spiel. Now in terms of informing consumers, I think if you look at privacy policies, they desperately fail at that, right? If you go to Amazon's privacy policy or Google's privacy policy, from reading that privacy policy, you will not understand what information Google is actually collecting about you when you're watching a YouTube video. It doesn't tell you that, right? It tells you, oh, we may collect this type of information. We need to complete the function you're using. It's just extremely abstract and obtuse and it's difficult for people to understand. So in order to get to notices that are actually more meaningful and useful, we need to think about when, what information do consumers actually need to know when in order to make decisions? So that means really thinking about throughout the user experience and the interaction with a particular service or company, what's the information they need and then we need to present it in a way that they can actually understand and it also needs to be actionable.
If you just give people privacy policies of 3,500 words, but there are no choices associated with that and a provision that says we may change that tomorrow, why should they read that, right? Like that's sunk opportunity cost. They can't do anything about it. So I think there are lots of ways we can do it, and we need to think about also putting these privacy policies in front of real people and seeing whether they understand what they're bringing to you.

Thank you. Gabriella, you have the last word.

Thank you. Just a very brief point. So on the privacy policies, I think one of the reasons why we see now such long privacy policies is actually the FTC doctrine, you know, the unfairness or fairness doctrine, because here in the US the FTC enforces the law if a company has lied or misrepresented to a person what they're doing. So then they try to describe in very long ways, sort of to cover everything that they might be doing or not. But the GDPR is not about that, and there's actually a provision in the GDPR that mandates the European Commission to come up with standardized icons, like little tags, image tags, to be able to convey information about the processing. So everybody's waiting for that. Then on consent, we will never give up on consent in the EU framework because of that informational self-determination I was talking about; that's at the core of things, right? But the truth is that, and I'm actually a researcher that wrote a chapter called Forgetting About Consent, why suitable safeguards should be the focus in data protection law, because consent should be just one part of this entire framework, and this is actually the reality of the GDPR.
As Melissa pointed out, you have so many other legal grounds for processing, depending on the purposes of why you use the data and how you use the data. And finally on enforcement, because we didn't touch on that, I see a big shift in Europe that is going to actually be more visible in perhaps a year or two, which is thanks to the European Data Protection Board. This is a new body of the European Union, a new institution that was created by the GDPR and which elevated the Article 29 Working Party to a permanent office, a permanent body in Brussels, and we have data protection authorities from all of the EU countries meeting regularly, having a permanent secretariat, and they are working on cross-border cases, and the results are incredible. On Monday, there is a hearing in the European Parliament with the chair, the head, the chair of the European Data Protection Board giving an account of the past nine months. From what I've heard, there are about 200,000 complaints overall in the EU that they have been dealing with in the past nine months, and it's just, things are starting to work that way, and this also brings up the low resources of data protection authorities that you were mentioning also. Thank you.

I'll just say that reminds me of the ending of the Indiana Jones movie: we have our top people working on it, our top people. So what everybody's really waiting for is lunch, so please join me in thanking the panel.
