PODCAST TRANSCRIPT

[00:00:00] - Adam Aft
I think there's really an important distinction between employee data, and so that's my name, my identification information, my salary, all of those types of things that are really personal to me, and data that is produced by employees. So that would be if my company wanted me the trial something or give feedback on a new product or service, which is data that I am generating and I'm an employee...

[00:00:32] - Doug Foulkes
Hello, and welcome to Episode 65 of Chaos & Rocketfuel, the Future of Work podcast. This is the podcast that looks at every aspect of work in the future. It's brought to you by WNDYR and Pattyrn.

[00:00:46] - Doug Foulkes
On this podcast, we speak to industry experts and thought leaders discussing how work is changing and evolving. I'm Doug Foulkes, and I'm here with CEO of WNDYR and Pattyrn. Claire Haidar. Claire, how are you today?

[00:00:59] - Claire Haidar
Hey, Doug, so good to be here with you. I'm particularly excited to have Adam on with us today. But before we get to that, I'm good. We celebrated little Cedar's third birthday this weekend. So it's been a party fold weekend, which has been good.

[00:01:13] - Doug Foulkes
Well, I was out with my father in-law's 82nd birthday, so both ends of the spectrum.

[00:01:19] - Claire Haidar
I love what you and Tracy did, by the way, taking your your 80 something father-in-law backpacking. Now that's something.

[00:01:26] - Doug Foulkes
It had to be done. Claire, let's move on with today's episode. It's the first time that we're having chance to chat to Adam Aft he's a partner at Baker & McKenzie LLP. Tell me a little bit about Adam and why he's on the podcast.

[00:01:42] - Claire Haidar
So I was very fortunate to actually be able to lead a panel that a company asked me to be a speaker for them last year, specifically regarding the future of work. The way they structured the conversation was they had my keynote, but then they had a whole group of experts sitting on a panel talking about the future of work and how it was impacting different companies, et cetera, and Adam was one of the people on that panel.

[00:02:09] - Claire Haidar
I came away from leading that panel with such a profound respect for him. He has a very, very real ability to look at the big picture, which is something rare in lawyers because they tend to go down into the weeds immediately. He really does take it from the big picture, look at the business principle and then bring it down to the legal context. I just found his perspective on that panel really refreshing and which is why I wanted to bring him onto the podcast.

[00:02:37] - Doug Foulkes
Tell me briefly. We're talking about data, is that right?

[00:02:40] - Claire Haidar
If you think about it, Doug, the future of work is like being redefined literally minute by minute right now, because of what we've just all lived through in the past two years. Data is a very, very big part of that, because you have employee data that belongs to actual employees, so like names, social security numbers, ID numbers, those type of things. But then at the other end of the spectrum, you have the actual work data that's being produced by employees in a work environment. So there's a lot to be explored here today, which is really relevant to the future of work.

[00:03:15] - Doug Foulkes
Excellent. Let's join Adam.

[00:03:18] - Claire Haidar
Adam, hello. It's so good to have you here on the show with us today. Thank you for making the time. I know that you're manically busy, and so we really do appreciate you carving out this hour to spend with us.

[00:03:31] - Adam Aft
Wonderful. Thanks so much for having me. Great to speak with you again, and really looking forward to our discussion.

[00:03:36] - Claire Haidar
So Adam, we're going to dive straight in. What I'd like to do for our listeners is really just lay a big picture view of the data privacy landscape as it exists today.

[00:03:48] - Claire Haidar
Naturally, data privacy is very often spoken about topic. It's very hot, but it's broad, and it's vast. I'd like us to just provide that context for our listeners, because I know that it is a big question that's really very pertinent in boardroom discussions right now, and also within leadership sessions.

[00:04:06] - Claire Haidar
Data is becoming more and more critical to business operations, but also more contentious from a legal perspective than ever before. It's the equivalent of operating in the wild West, so to speak. Can you lay out that current landscape for us and also expand on why you're seeing such a difference, for example, in terms of how the EU is approaching this, rather than how the USA is approaching it? And even, if you look at like Asia and other territories, there's vast differences. Just just give us some context.

[00:04:34] - Adam Aft
Sure. I guess not to be too cute, I would probably not quite go wild West, which implies the day of days of completely lawlessness. We certainly are in a world of a relatively high degree of laws around personal data, privacy and security, but certainly an area of a constant state of evolution, and so maybe this is more the 49ers gold rush. It's the West has been established, there's some law, but everyone's looking to do better to capitalize on the value of data and they're wondering how do they navigate this constantly evolving regulatory environment. So maybe more that than otherwise.

[00:05:13] - Claire Haidar
Good. Okay, I like that.

[00:05:16] - Adam Aft
There you go. One step further? If we had had this conversation right a while back, maybe I'd agree on the wild West. Your question about the perception of EU is a great place to start because it helps give a little bit of framework in terms of where we are.

[00:05:29] - Adam Aft
I think the EU is viewed as a little bit further along because they do actually have an omnibus privacy framework in the GDPR, unlike a number of jurisdictions such as the US, which doesn't have a federal omnibus privacy law. It has privacy laws in a number of areas, state breach notice laws, the California privacy law, specific industries like health, financial and education, but doesn't have the omnibus type of privacy law that Europe has, and that's just evolving all around the world.

[00:06:00] - Adam Aft
So you have China having recently come online with the PIPL. The GDPR in Europe that I've just referenced came into effect in 2018. There's constant state laws that are being passed and evolving in the US, with Virginia coming online, Colorado, and otherwise. It's an area that more and more jurisdiction are looking to have some level of omnibus privacy regulation across the various areas that are impacted.

[00:06:28] - Adam Aft
I think that will continue to evolve in a number of different ways. The most interesting of which may be around those jurisdictions that add a data residency element, an obligation to keep the data resident or copy of the data resident within their jurisdiction versus those that just regulate how companies use and process the data, but don't go that extra step further around requiring that the data stay resident.

[00:06:52] - Adam Aft
The ton of issues we could talk extensively about. I know we'll have a little bit of focus, so for purpose of this discussion, I hope. But that's the overarching where we are in the world is there are a number of privacy frameworks they are constantly evolving and everyone that is aiming to use data is doing their best to keep up with the constant evolution.

[00:07:13] - Claire Haidar
Just a quick question before we move off of that. So I like the term that you use there, the omnibus, is like the global, the whole package. Can you briefly share with us why the EU chose to go the way it did versus the US who have done it in pockets across different states? Why didn't the US take a federal omnibus approach?

[00:07:35] - Adam Aft
Yeah. I mean, and it is still possible, the US may at some point, there's not anything that I can tell you is live and eminently passing. I think in part it's due to the fact that the European Union views personal data privacy as a fundamental human right, and so under the data privacy directive, where there were differing approaches, there was a push in the continent and to say, "This is the fundamental human right, there should be some uniformity in the applicability of the rules around personal data. There should be some predictability around those that are using personal data. Let us try to take what has evolved under the data privacy director and apply a lot of that, but in a slightly more uniform approach."

[00:08:18] - Adam Aft
I think from a US perspective, data privacy is viewed as importantly, but the intel there is some political movement or support behind the type of omnibus federal legislation, which there is, but you know how it goes for US policymaking, it just will depend when the moment is right to arrive at such a similar type of legislation here in the US. So a little bit of a difference in the view, fundamentally, about the importance of personal data privacy from a political perspective I think it drove that.

[00:08:48] - Adam Aft
I should note, even in the EU, there are still the ability for member states to add their own implementation under the GDPR. So for example, issues around how criminal background is used in employee background checks, that can differ by member states. So even in the harmonized omnibus world, there are still differences. It's important not to oversell just exactly how harmonized Europe has become, but certainly much further along than the US from a federal perspective.

[00:09:18] - Doug Foulkes
So I'm going to jump in, Adam. Nice to meet you. Welcome, as Claire said, to the podcast.

[00:09:23] - Adam Aft
Nice to meet you, too. Thanks for having me on.

[00:09:26] - Doug Foulkes
My initial question is really back to basics. Definitions are important. You've given as an overview, but just like you if you wouldn't mind to define what the current ownership definitions are around data. The past few years, data has been called the new currency. If it's a currency, it's valuable. That adds a level of complexity to it. Who owns what in the data space?

[00:09:52] - Adam Aft
Sure. For purposes of the discussion, given that we're on the Future of Work podcast, I think it may help to focus a little bit on employee data, otherwise we could go on and on and it would be fun and exciting. But I think this will help focus our discussion.

[00:10:07] - Adam Aft
From an employee data perspective, employees do own their own data, which I'm sure you could have reason to challenge. But under the law, the employees own their data. There's a number of ways that privacy laws actually empower the employees with respect to their own data.

[00:10:25] - Adam Aft
Before we get there, though, I think there's really an important distinction between employee data and so that's my name, my identification information, my salary, all of those types of things that are really personal to me, and data that is produced by employees. So that would be if my company wanted me to trial something or give feedback on a new product or service, which is data that I am generating, and I'm an employee, but it's not really employee data. I think that distinction is different. It would certainly be treated differently under the law.

[00:10:58] - Adam Aft
So just at the outset, I want to make clear when I say employee data, I'm speaking predominantly about that data identifying the individual employee, not the data that the employees themselves are generating.

[00:11:09] - Claire Haidar
Adam, I think, it's a really critical separation that you've made there. What I would like us to explore a little bit later in the conversation is actually the future of the work generated data, because that's where you can see there's a huge gray area right now. So looking forward to that conversation a little bit later.

[00:11:29] - Adam Aft
Right. Same here as well. Yes. I think with respect to the employee, the more traditional employee data—before we get into the fun, what do you do with data being generated by employees—as I mentioned that the law does give the employees certain ways to assert their ownership and control over their data so that's access, correction, deletion abilities that you guys I'm sure are well familiar with, the ability to use the number of cloud-based HR platforms for employees to actually use those types of tools, access or correction tools themselves within the HR platforms and actually meaningfully, practically rubber meets the road do something with their own data, which is what we mean when we say who owns data. In the abstract, it's an interesting discussion, but practically speaking, who owns data usually comes down to who actually has the rights and the ability to do what with data.

[00:12:24] - Doug Foulkes
If I own my data, are there any shortcomings in the current legal definitions? How would you see those evolving in the in the next couple of years?

[00:12:34] - Adam Aft
Sure, that's an area that the biggest shortcoming is clarifying under the applicable laws when they apply to employee data. This is a much more significant issue in the US, and it's something that I think will have an interesting discussion on during the course of the podcast around what happens when privacy law is driven by consumer privacy type considerations are aimed to be applied to employee data and some of the interesting challenges that can present.

[00:13:03] - Adam Aft
But just to take a concrete example, in California, under the CCPA, it's currently a requirement to provide notice to employees about processing of the employee data, but there's otherwise an exception. That exception will go away with respect to employee data under the CPRA coming into effect in 2023.

[00:13:25] - Adam Aft
But the California legislator is currently considering a number of bills to either extend or make permanent that exception with respect to employee data. That exception, again, being the limited applicability of the California privacy laws to employee data. In terms of shortcomings, I think the biggest is, to what extent do the current laws actually apply to employee data? If so, how?

[00:13:48] - Adam Aft
That's an area that will, again, continue to evolve and hopefully we get more clarity on so enterprises can have a little bit better understanding of what the law actually applies to.

[00:13:58] - Claire Haidar
You shared a practical example there of how the Californian thing is evolving because of it. Can you share a practical example that actually gave rise to that? What was like one of the cases where this became a contentious issue and the whole consideration came to the table?

[00:14:14] - Adam Aft
Sure. An example of that would be where, for example, the requirements exist for certain consents and the ability to say no to using sensitive data. One of the big challenges would be in the consumer data contact laws that say, a consumer can just say no, you can't have my social security number for any reason. That's sensitive data, I don't want to give it to you.

[00:14:39] - Adam Aft
That's a little more challenging in the employee context, because something like benefits administration is really hard to do if you don't have an employee's social security number or wage payments or otherwise. Those types of challenges of when you're applying the consumer privacy laws and some of the exceptions or abilities to ask for consent or otherwise, is much more challenging the employee context.

[00:15:02] - Adam Aft
The other concrete example to consider would be from an EU perspective, for example, there are certain circumstances where consent is not a viable means of processing personal data in the employer-employment contact just because of the nature of that relationship. There isn't really an option for the employee to say no. So you need different rules around employee data and how you process employee data just because the nature of the relationship is different.

[00:15:34] - Adam Aft
There are a number of instances in which it just is different. It's not consumer data. Using laws that generally are meant to apply to consumer to employee data, that creates a number of challenges, whether endogenous to the data privacy laws themselves or exogenous once you pull in employment laws, which are another layer on top of it. There are a number challenges to work through, for sure.

[00:15:57] - Doug Foulkes
That's the first part of our conversation with lawyer and data privacy specialist Adam Aft. Make sure you catch the next two parts of this essential deep dive into data privacy on Spotify, Google or Apple podcasts, or on WNDYR's website. W-N-D-Y-R.com. From Claire and myself, we'll see you soon.