66. The Future of Work and data privacy | Adam Aft, lawyer and data privacy specialist


Adam Aft | Partner at Baker McKenzie and data privacy specialist


Our guest this week is an intellectual property, privacy, and technology partner at Baker McKenzie, Adam Aft. Adam helps global companies navigate the complex issues regarding intellectual property, data, and technology in M&A, technology transactions, and new product and service development. He is the lead of the Firm's North America Technology Transactions group and co-leads the group globally.

In Episode 66 we focus on the many grey areas that exist and the top recurring issues companies are facing. 




Adam advises clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, joint ventures, back office transformations, new product and service initiatives, and new trends driving business such as data monetization and artificial intelligence. Adam also represents clients in structuring and drafting technology and software license agreements, telecommunication agreements, cloud agreements, supply chain agreements, outsourcing agreements, and other agreements involving data, intellectual property, and technology. 




[00:00:00] - Adam Aft
With respect to monitoring the employees themselves and how they're performing, and how those tools might be used or otherwise. I think that's an area that's really important to spend a lot of time and we are seeing enterprises spend a lot of time on.

[00:00:20] - Doug Foulkes
Welcome to episode 66 of Chaos & Rocketfuel, the future of work podcast. This is the podcast that looks at every aspect of work in the future, and it's brought to you by WNDYR & Pattyrn. I'm with the CEO of WNDYR & Pattyrn, Claire Haidar. Claire, this is our second section. We're chatting to Adam Aft, partner at Baker McKenzie. What are we talking about today?

[00:00:47] - Claire Haidar
Hi, Doug. So good to be on the show with you, and also great to have Adam on the show with us today. Adam is somebody that I really respect, just because of how he approaches law. Doesn't get lost in the weeds. Starts with the big picture, the business principles, and then brings it down to the legal side.

[00:01:05] - Claire Haidar
What we're talking about in this episode specifically is what I would almost call the most important thing to be talking about data and data privacy with regards to work right now, and that's the gray areas. With remote work and hybrid work being so prevalent right now, it's just completely opened up how companies need to actually be approaching data, and it's literally, we're back at the drawing board. We can see that from our customers. They're having to ask very basic questions like, "What data are we actually accessing? What is that data being used for?" These are questions that we didn't really have to grapple with just a few months ago. This segment is specifically related to those issues in those gray areas and how to navigate them. I think Adam will be providing us with very clear business frameworks that leaders can use to navigate this.

[00:01:58] - Doug Foulkes
Yeah, I think it was quite a practical session. Should we tuck into Adam and see what he's got to say?

[00:02:03] - Claire Haidar
What I'd like us to move on to now is really the meat of this conversation, which is the gray areas. Because this is a new area, coming back to that early metaphor that we refer to, we're not dealing with the Wild West anymore, but we're definitely now in the phase of the gold rush. Companies are trying to capitalize on this. Employees are trying to find their place in this, and there is a lot of stuff that hasn't been defined yet. With remote work being the new norm, what are the top three recurring issues that you're seeing companies facing with regards to data privacy?

[00:02:40] - Adam Aft
Sure, I promise there are three. They're going to sound pretty similar. The first is cyber. The second is monitoring. The third is also monitoring. But just to draw the distinction, the first monitoring is really monitoring, such as remote access, IT systems access, and the second is monitoring more performance, employee productivity. I think that the three main issues are cyber, monitoring IT, monitoring performance.

[00:03:07] - Adam Aft
To dive into those just briefly, cyber is the number one issue, I think. It's pretty prominent and obvious. Anyone who's working in this space or reading the headlines sees an increase in cyber risk. As you can imagine, when there's either a remote or a hybrid work scenario, you've just added a significant number of endpoints, a significant number of additional layers, all of which present additional complications from an IT and data security perspective, so that increased cyber risk we've seen play out in the last couple years, and I think will continue to be prominent.

[00:03:41] - Adam Aft
With respect to monitoring from an IT perspective, that creates some new challenges, you can imagine. If you previously used your laptop at work, maybe you go home here and you're on your home Wi-Fi, it's pretty straightforward. Now you have employees who work from home all the time. They're connecting to printers, smart home devices, and you have to work to understand what are you as an enterprise doing from an IT data security perspective that might have data privacy implications? Are you now accessing data streams from internet of things, smart home devices, cameras inside employees' houses, or children's devices that have their education data, or lots of other challenges that enterprises weren't facing when people were more predominantly in the office. They're not entirely new, but they're new at a bigger scale.

[00:04:31] - Adam Aft
Then the last one is monitoring in terms of employee performance. Now that you don't have people in the office, that's changed the way that enterprises interact with their employees and how everyone checks in, how everyone monitors their own performance, how their employees monitor their performance. I'm sure that's an area I know you've had extensive discussions about previously, and it does implicate certain data privacy considerations as well with respect to how are enterprises communicating about that performance monitoring and using that data that they're generating as part of performance monitoring. There are a number of other issues to consider, but for a top three, those would be mine.

[00:05:10] - Claire Haidar
Naturally, I'm very happy that you mentioned those three, because those are directly in our field. To corroborate what you've just said, we're seeing those exact same three issues coming up. The third one is the most relevant to this podcast and the audience dialing into this podcast. Can you share with us what you see as some of the main frameworks that companies are choosing to follow? What are the trends that you're seeing are becoming the norm for companies to follow specifically to that third issue of monitoring that you're talking about there?

[00:05:42] - Adam Aft
Sure. It really comes down to, at least with respect to how enterprises are implementing the employee monitoring performance type processes. It really is coming down to what are the controls that they're implementing, whether from an IT restricting access to that performance data or otherwise. So what are the controls they're putting in place? I think enterprises realize, we're generating a lot more data that maybe previously was anecdotal or back of the napkin, or however you want to view it, you know, manager just walking around the hallways, that wasn't really captured in the same way it's being captured now. So how are we thinking about the controls that we're implementing? Are they just simply access control? Do we have controls on what we can use that for? Are we siloing that performance data from certain aspects of employment decisions? Are we just using it for team improvement? How are we using it?

[00:06:36] - Adam Aft
Once the enterprises have thought through that, which takes a lot of careful planning, a lot of work with external parties to think about, how are others in my industry doing this, and how should I be thinking about it.

[00:06:48] - Adam Aft
Once they've gone through and implemented those controls or planned out those controls, then the other key side of that coin is notice. How are you communicating clearly to employees where you're implementing that type of performance monitoring and just saying, this is what we're doing. Here's what we are using the data for, here's what we're not using the data for, and are we communicating that clearly such that an employee wouldn't say, "If I had only known you were doing that, I may have changed my behavior, or we would have found ourselves in a different situation from this employment dispute perspective," or whatever the case may be. Those are really the two sides of the coin where we've seen enterprises using those types of tools and doing so effectively.

[00:07:32] - Doug Foulkes
Adam, you've mentioned that consumer marketing's set the trend in a lot of data privacy best practices around the world. With that in mind, where do you see employees and employers possibly in conflict with each other and maybe due to the immaturity of the privacy laws?

[00:07:49] - Adam Aft
With respect to what you identified, that's exactly right that a lot of these privacy laws have some of their origins in consumer and marketing, and when applied to a different set of circumstances, a different category of data in employee data—the data about individual employees—there can be some conflicts and some areas where enterprises have to think through, or even policymakers will have to think through some of the differences in application.

[00:08:18] - Adam Aft
Just to give two examples. One is from a European perspective, there are certain circumstances, in which a consent really isn't a valid basis for processing personal data. The employer-employment relationship is one of those, because an employee just isn't situated the same way that a consumer would be. A consumer could just say, "No thanks, I don't want that product or service." An employee really isn't in the same position to say, "No. No, thanks. I don't want to work at this job anymore," to the same extent.

[00:08:47] - Adam Aft
The other example is under the CPRA, that California privacy law coming into effect January 1st, 2023. There is an ability of a data subject to say, "Please don't process my sensitive information." For example, a social security number or otherwise. That's really difficult when you're looking to be an employee, who wants to get paid or receive benefits, and it's not clear exactly how you would reconcile the two obligations. One, to actually pay or provide benefits to an employee and the other the employee potentially able to say, "I don't want to share that sensitive personal information with you." Applying these types of consumer protection frameworks to employee data can work, but also can certainly create some conflicts and frictions to be resolved.

[00:09:34] - Claire Haidar
My mind is going into too many different directions yet, but I want to come back to that one of, not the employee private data. Like the social security number, all the identifiers and everything like that, the work product data. Do you see a scenario in the future where a bulk group that's big enough or large enough of employees across multiple organizations will reach a point to say that companies are using that work data in a way that's not good? Do you see it coming to that point? Because that's essentially what happened with the consumer side of things, is that people were just using it, but because there was no like framework or boundary around it, some companies took it too far, and a large enough subset of consumers just got fed up and said, "Enough is enough." Do you see a movement similar to that happening in the work environment?

[00:10:33] - Adam Aft
Yeah, I think with respect to that data being generated by employees, they're different than that data about them themselves, but they participate in a study about a new product or service for the company or otherwise. I'm not quite sure that we're right around the corner from that type of movement, as you're describing, in part because in the employee context, the existing legal regimes already provide for greater degrees of notice, so the employees have a better understanding of how that data is being used than maybe consumers did in the earlier stage, where they're with that movement that consumers said, "Wait a second, we don't have a clue how you're using this data. All we know is you're capturing huge volumes of data."

[00:11:13] - Adam Aft
In the employee context, there's a little bit more context given, whether by notice or if it's not about true employee data, if it's not about the employee themselves, even potentially obtaining consents, where it would be valid if it's just data being generated by employees and their ability to say, "Okay, I actually don't want to go trial that new product or service, because I don't want to give you that level of data. I can still keep my job. That was just something you're asking me to do optionally." There's a little bit more flexibility and also transparency already built in to that context.

[00:11:46] - Adam Aft
If it gets to a point where that transparency is challenged, then I could see a movement starting to say, we need additional protection. But given that the context, or starting point, I should say, is a little bit different in the employee context, I don't think we'll see quite the same movement that we saw from a consumer protection privacy perspective.

[00:12:05] - Claire Haidar
I think also to your point there to those differences that you're laying out between a consumer subset, like a consumer set of data versus an employee set of data, is that unlike on the consumer side, where people were just like signing up to Facebook, signing up to Twitter, and it was all free, there actually is a commercial transaction happening between an employer and employee in that salary is being paid, so the whole concept of free is not as big an issue as what it is on the consumer side as well.

[00:12:38] - Adam Aft
Correct. That's exactly right. There is already that transaction. There is already some basis, on which, "Hey, the two of us have to communicate about what each of us are doing," which is different than it was on the consumer side for sure.

[00:12:52] - Doug Foulkes
Now you know the differences between consumer and employee data laws. If you've missed the first part of our conversation with Adam, check it out on Spotify, Google, or Apple Podcasts, or on WNDYR's website, wndyr.com. We'll conclude our chat with Adam shortly. But for now from Claire and myself, we'll see you soon.

