Making Privacy Law

Season 5: Episode 6

The word “regulation” gets tossed around a lot. And it’s often aimed at the internet’s Big Tech companies. Some worry that the size of these companies and the power and influence they wield is too much. On the other end, there’s the argument that any regulation is overreach — leave it to the market, and everything will sort itself out. But over the last year, in the midst of this regulation debate, a funny thing happened. Tech companies got regulated. And our right to privacy got a little easier to exercise.

Gabriela Zanfir-Fortuna gives us the highlights of Europe’s sweeping GDPR privacy law, and explains how the law netted a huge fine against Spain’s National Football League. Twitter’s Data Protection Officer, Damien Kieran explains how regulation has shaped his new job and is changing how Twitter works with our personal data. Julie Brill at Microsoft says the company wants legislators to go further, and bring a federal privacy law to the U.S. And Manoush chats with Alastair MacTaggart, the California resident whose work led to the passing of the California Consumer Privacy Act.

Show Notes

The IRL production team would love your feedback. Take this 2-minute survey.

Learn more about consumer rights under the GDPR, and for a top-level look at what the GDPR does for you, check out our GDPR summary.

Here’s more about the California Consumer Privacy Act and Alistair MacTaggat.

And, get commentary and analysis on data privacy from Julie Brill, Gabriela Zanfir-Fortuna, and Damien Kieran.

Firefox has a department dedicated to open policy and advocacy. We believe that privacy is a right, not a privilege. Follow our blog for more.

Transcript

Manoush Z.: The word regulation gets tossed around a lot lately, and it’s often aimed directly at the Internet’s big tech companies. Some worry that the size of these companies, the power and influence they wield, the magnitude of their presence in our lives, it’s too much, that these companies need to be given boundaries, that they need to be regulated. U.S. Senator Elizabeth Warren, for instance, says, “Big tech is too big.” She wants to break these companies up. But on the other end, you have the classic argument that any regulation is over reach, that regulation actually stifles innovation. We should leave it to the market. Everything will sort itself out. Consumers will settle their problems with their dollars.

It’s a debate that’s ongoing. But, over the last year, in the midst of it, a funny thing happened. Tech companies did get regulated. Here’s how it all started. A little over a year ago, the General Data Protection Regulation became law across Europe. The GDPR, as it’s called, was and is a big deal. It lays out explicit rules around how companies collect, store, share and use data. It grants consumers important rights to protect their data privacy, and it imposes big fines on companies who breach these rights, like Spain’s national football league.

Gabriela Z.: Recently, the Spanish Data Protection Authority sanctioned the National Soccer League from Spain, because of their mobile app.

Manoush Z.: Gabriela Zanfir-Fortuna, is with the Future of Privacy Forum, and this story caught her eye mid-June. Spain’s top pro men’s soccer league is called La Liga, and the La Liga app is both for iOS and Android, but according to the Spanish data protection authority, the Android version comes with a bonus feature.

Gabriela Z.: What the app did was that the microphone would turn on for a couple of seconds every minute during a live football match.

Manoush Z.: Yeah. La Liga’s official soccer app can turn your microphone on to listen for a special audio signal sent out during televised matches. The human ear can’t hear it.

Gabriela Z.: The league did that because they wanted to cross reference the audio fingerprinting with location data in order to figure out what bars or restaurants were broadcasting the match without paying a license for that.

Manoush Z.: La Liga says it loses 150 million euros every year to piracy and fraud. That’s about 170 million U.S. dollars. But by combining that audio signal and knowing where the phone with the app is, they can crack down on unlicensed broadcasts. Well, that was the goal, anyway. The Data Protection Authority says La Liga didn’t seek out proper consent from its users, and under GDPR that nets you a red card.

Gabriela Z.: The Spanish Data Protection Authority had an investigation, and they decided to fine the league with 250,000 euros. That’s about $180,000, so that’s a one very recent example of GDPR enforcement.

Manoush Z.: La Liga is crying foul. It insists everything that its app does is legal and that it does get user consent. It says the regulator doesn’t understand how the tech works, so it’s appealing the fine, but for now, they have deactivated the feature. Complaints, investigations, fines and appeals, that is the name of the game for GDPR’s first year, and it means that Europe is leading the global privacy conversation. Around the world, GDPR has sparked something. Similar legislation is spreading to places like Brazil and Japan. India is considering it too. In the U.S., no federal privacy law exists yet, but the state of California has passed its own privacy law, which kicks in next year. Not to mention the record $5 billion fine levied against Facebook in July by the U.S. Federal Trade Commission, which by the way, is the biggest fine ever levied, and yet small compared to the tens of billions of dollars Facebook makes every year.

Financial penalties are getting bigger and privacy regulation has arrived, and it’s upending the relationship between tech companies and us, their users. Today, you’ll hear from Twitter’s new Data Protection Officer and how he says the company is rethinking how it handles our information. Then, Microsoft explains why they claim they’re eager for even more regulation, and you’ll meet the Californian responsible for the passage of his state’s powerful new data law. It’s true. One person can actually change the world. I’m Manoush Zomorodi, this is IRL, an original podcast from Firefox.

Firefox products have always stood for privacy. When GDPR passed, Firefox didn’t need to overhaul its business practices. The company’s data privacy principles mirror those of the GDPR, and even exceed them. In some ways, it feels like the rest of the world is catching up to where the company has been all along. Learn more about how Firefox fights for you at firefox.com/join. The GDPR is a big complex and detailed set of rules. We won’t get into every bit of it, but let’s look at why it is such a game changer. So first, to clear something up, you know those annoying pop up notifications you keep getting every time you go to a new website?

Speaker 1: This website uses cookies to ensure you get the best experience on our website.

Manoush Z.: You’d be forgiven for believing that these prompts are now mandated.

Speaker 1: By continuing to use our site, you agree to our terms of service and privacy policy.

Speaker 2: We’ve used cookies to do things like remember what you’ve added to your shopping basket.

Speaker 3: By closing this banner, scrolling this page, clicking a link, or continuing to browse otherwise, you agree to the use of cookies.

Manoush Z.: And you’d also be forgiven for finding them super annoying.

Gabriela Z.: I have seen plenty of those reactions, because it might be that one of the unnecessary effects of the GDPR was that a lot of banners, a lot of pop-ups, started to clog people.

Manoush Z.: The pop-ups are not a requirement under GDPR. They’re more like a hack, an inelegant attempt by companies to get consent from consumers to collect their data. Here’s Gabriela again from the Future of Privacy Forum.

Gabriela Z.: But did GDPR is much more than that. It actually starts from the premise that, by mishandling a personal data, by unfairly collecting, unfairly using, personal data more than the privacy of people is at stake.

Manoush Z.: Protecting online privacy is difficult, and this law places the burden of responsibility on businesses, not consumers. So, for instance, companies have to show that the data they collect and use is necessary to providing their services, and if someone asks that their data be deleted, they have to comply.

Gabriela Z.: Another strong privacy protection that the GDPR provides for is that it allows individuals to actually have some control over their personal data. The GDPR also provides for an individual right of action, which means that people can go to court and ask for damages if they think that any company or an organization breached their data protection rights.

Manoush Z.: And, in fact, a lot of people have been filing complaints. According to Gabriela …

Gabriela Z.: In the first nine months of the GDPR being applicable, we have about 200,000 cases that were opened with data protection authorities across Europe.

Manoush Z.: Because of GDPR companies, including Google, Facebook, Twitter, Apple and LinkedIn, have faced investigations into their data practices. But there has been some criticism of GDPR. For one, some say that the number of registered complaints have not led to enough investigations. Others believe regulators haven’t fined enough companies for enough money to really make a difference. But this is all still very new. They’re calling it a transition year. As companies and regulators alike adjust to the new privacy status quo, consumers are having to adapt too.

Gabriela Z.: I think we have a long way to go until the everyday internet consumer around the world will understand his or her rights, but certainly, the GDPR has raised awareness.

Manoush Z.: Okay, so those are the GDPR basics. If you want to learn more about consumer rights under GDPR and a company’s obligations, find a link to the official site in our show notes at irlpodcast.org. One of the more interesting requirements under the law is that any company that deals with consumer data, like, say, a social media company, now they have to hire a Data Protection Officer. So, for example, say you want to learn more about what kind of data Twitter has on you, you’d probably end up sending your request to Damien Kieran. Damien is Twitter’s Data Protection Officer.

Damien Kieran: We get on average about 1,500 inquiries a month.

Manoush Z.: Hmm, that seems like a lot.

Damien Kieran: Yeah, it is and it isn’t, because there’s a fair amount of noise in there too, right?

It’s people who got locked out of their account or they forgot their password and they think the right approach is to go a privacy forum. Some of it is triaging that and making sure it goes to the right places. But then there’s the important stuff. There’s people who have questions or concerns about what Twitter is doing, and they want information. We have two ways that we satisfy those. We have a self-service tool, and then we also have the ability to write in and request your data. You functionally get the same data, but we make both of those options available. In terms of write-in requests over the last year, I think the number is approximately 3,500 write-in requests, but the much more interesting number is the amount of people that have downloaded their data. Globally, over the last year, we’ve had just under 2 million people download 2.381 petabytes of data.

Manoush Z.: Wow.

Damien: Right? Since May 25th. Yeah, it’s a huge volume of data. To be clear that it’s not just Europeans. That’s people all around the world. So there’s obviously demand for these sorts of tools and features, and it’s something that we’re spending a lot of time thinking about.

Manoush Z.: Can you describe what changes there have been to the platform when it comes to privacy?

Damien: A lot of them are not very visible, right? They’re sort of things to make the experience easier and smoother, default settings to be opt in versus opt out, and then things that are less visible but really important are things that my office is directly involved in. They sound a little bit lawyer-y but actually… From my perspective, they’re really important. My office actually operates entirely independently within the company. A consumer can reach out to the Office of Data Protection at Twitter. The goal is that the only people that have access to that web form and the communications between the consumer and the Office of Data Protection of Twitter are the Office of Data Protection team. Then we’ll investigate, we’ll take a look at what the concerns are, we’ll get the independent responses, we’ll respond, and sort of make sure that we’re guarding against people’s rights.

Manoush Z.: That’s so interesting that you kind of exist in this… not in the company, not in the government, but, it sounds like, in your own little sphere. My producer who I work with was like, “I wonder if he’s sort of like an internal affairs cop,” like the cop in the movies who’s always cast as the bad guy who’s investigating the cops themselves. Are people at Twitter like, “Great, here comes Damien. Awesome. Now it’s time to talk compliance.”

Damien: I’ve been called lots of names, Manoush. No. No. No, but it’s funny because at the start of May last year, it was like, “It’s the GDPR guy.” Right? Because that’s what it was associated with. GDPR didn’t have a great connotation, as you can imagine. But I think active efforts that we’ve actually tried to move away from the compliance of GDPR is we don’t talk about GDPR. We actually talk about PDP or privacy and data protection because we view it as a global initiative. That’s where the focus of the team is global in nature and not just for the GDPR.

Manoush Z.: I want to circle back to, how a person - confession here. I’m a big Twitter user. Also, I want to definitely let you know that we spoke to one user who told us that he has an ongoing complaint and that there’s now an investigation happening in Europe into Twitter’s refusal to hand over information about how it tracks him when he clicks on links in tweets, if you could tell us about that.

Damien: I can’t speak about the specific investigation. I know which one it is. To be clear, I think that it’s an interesting investigation. Leaving aside the investigation that you mentioned, if we break it down a little bit, and we’ll say that Twitter provides you all of the data that it can reasonably and feasibly provide to you. Now, put a pin in what reasonably and feasibly means for a moment. But what happens if Twitter systems collect a variety of signals that in theory could be made to provide you additional information, but because of the way they’re stored, it’s nigh on impossible without significant engineering work to reconstitute that data. Moreover, if you did reconstitute it, you would be defeating the very point of having divided it up when you collected it, which was to keep the data separated, aggregated, and difficult to put back together. Should Twitter go through that process of like literally almost creating a security and privacy risk to reconstitute it so that you can have it in your download? I think that’s the wrong outcome.

Manoush Z.: I want to go back to where we started for my last question, which is… I’m grateful to you because you went there right from the beginning, the sort of human part of this. We’re talking about laws, which are really granular. We’re talking about data, which is really ephemeral, but we are talking mostly about people and relationships. That’s something that the CEO of Twitter, Jack Dorsey, has been talking a lot about recently, “How do we begin to make Twitter a platform that connects people and fosters healthy conversation?” Where is your head at with all of these? You have an important role that no one would’ve predicted would have existed a decade ago.

Damien: Yeah. Nor I. Yeah. Look, I think I play a small piece of furthering the mission of the company. Obviously, I try to think about the things that I can do to make sure the consumers that use our services are protected and that we are doing the right things when we build our products. That’s fundamentally the goal of my team every day. I want to make sure that we don’t either inadvertently or deliberately ship something or build something that has unintended consequences for people’s privacy. I want people to understand that when they come to Twitter, they know what data we’re getting from them or about them, how we’re using it, and then when we might share it. I want them to have meaningful controls over those things.

Manoush Z.: GDPR is European-born, but the law was crafted so that it affects just about every company everywhere because basically if a company services deal with the data of a European citizen in any way, then that company must be GDPR compliant. But some companies say even that isn’t enough.

Julie Brill: Microsoft has been calling for a federal law here in the United States, a robust federal privacy law since 2005.

Manoush Z.: Julie Brill is a vice president and general counsel for privacy at Microsoft.

Julie Brill: There is a lot of conversation in Washington D.C. about developing a comprehensive federal privacy law. There are different committees within the Senate and the House that have held hearings. They are drafting bills. Most of the bills that have already appeared focus on pieces of what could be part of a comprehensive law. I think that probably over the next couple of months we will see an actual either draft or bill that will be surfaced publicly that will be an attempt to try to develop a comprehensive law.

Manoush Z.: Microsoft says it’s long supported privacy rights and was one of the first big companies to back GDPR.

Julie Brill: The reason we’ve done so is because Microsoft has believed for a very long time that privacy is a fundamental human right. We think that privacy is a real competitive differentiator. We have been driving that message on behalf of Microsoft for months, if actually for years.

Manoush Z.: I’m curious, though. It’s been a little over a year since GDPR went into effect. What’s the biggest thing that you’d say Microsoft has learned about privacy as a result?

Julie Brill: I think one of the biggest lessons I think that Microsoft has learned over the past year is that this is just beginning and you’ll have many jurisdictions looking at all sorts of laws and rules about how data can be collected, used, and shared and that we all need to be agile as democracies around the world focus on these issues.

Manoush Z.: Julie, do you think, I don’t know, 20 years from now we’ll look back and be like, “Do you remember that, 2018, 2019, 2020, when people didn’t really know what privacy was and no one had control over their data? Is that what’s going to happen maybe?” I do think in 20 years we will have a really different system. I think advertising will still exist. I think advertisers will still want to know about their consumers, but I think that users will be the ones in control and in the driver’s seat, and they will be able to select who they want to share data with and under what circumstances. I don’t think it’ll look anything like it looks today

Julie Brill: Microsoft and Twitter have both embraced privacy regulation and adapted their companies to a new data privacy reality. They get full marks for that, but these companies also continue to profit from user data. The Microsoft ad network offers marketers access to search and user data to tailor their ads. Over on Twitter, some settings are still set to track you across the web by default. The GDPR, like Julie says, is just the start. While it offers consumers strong rights and protections, there is still plenty of room within the rules for companies to continue gathering data.

Microsoft is pushing for a national American privacy law. Alastair Mactaggart has already forced the issue in his home state of California. Thanks to him, the California Consumer Privacy Act becomes law on January 1st, and his story is rather extraordinary. Alastair is no legislator, just a guy who decided something needed doing, and so he did it.

Alastair M.: I am a real estate developer or sort of was. I haven’t had a lot of time for that recently. I’ve recently become, I guess, an activist. I never really thought of myself that way, but I’ve become involved in privacy the last, I guess, almost four years of my life now.

Manoush Z.: Four years? Okay. I believe this privacy journey that you’ve been on began at a dinner party, is that right?

Alastair M.: Yeah. Very serendipitously, I had a conversation that day or I’d seen something in the newspaper that day about privacy. That night at dinner, I was talking to a Google engineer. It was over drinks. I think I asked him, “What’s the big deal?”, expecting to get the answer of, “Nothing to see here.” Instead he went on and on about how worried we would all be if we knew how much Google knew about us. I remember thinkingthat’s a really odd thing to come from someone who works for Google. And so then I started thinking about it and looking into it.

Manoush Z.: What was it that day after talking to your friend, the Google engineer, that flipped a switch for you or made you think that you got it? Why did you suddenly get it to the point where you felt the need to take action?

Alastair M.: I think it was not like the light bulb went on at that moment. I thought I’m going to do this. That took a couple of months, but I remember thinking afterwards, I should be able to find out what they know about me. And so I thought, it’s just an odd kind of thing in a democracy. And I think for me, what was appealing about this was not just that it seemed like the right thing to do, but also it seemed like you could do something. I’m kind of allergic to spending time just shouting into the wind. So I thought, you know, this is something that most Californians will get behind.

Manoush Z.: California has a system of laws that allows the state citizens to submit ballot initiatives for a vote. So, that’s what Alastair did. He proposed a ballot initiative that would create a sweeping privacy law for the state. It took a lot of work.

Alastair M.: So, I hire a lawyer, you draft a law and that took like two years of research to figure out, well first of all, my first thing was, is this something that people are going to be interested in? So you hire polling companies and find out, yeah, actually that’s … people are kind of interested. Then you’re like, okay, is there a solution? Because it might just be world hunger and I’m not sure California law would solve that, right? But, then you think, okay, actually there are things we can do.

Manoush Z.: In this telling of the story, you’ve already hired multiple levels. Years have gone by. How much money were you prepared to spend?

Alastair M.: I think that the public disclosure is about $3.5 million, but I spent more than that just because I had to spend stuff on the legal and all the rest of it.

Manoush Z.: Alastair’s initiatives started picking up momentum. It created worries on both sides. Tech companies couldn’t vote no because they risked a consumer backlash. But Alastair himself was worried that the initiative would fail at the ballot box. So, he made a deal. If lawmakers agreed to pass a strong privacy law, he’d withdraw the ballot initiative. And that’s what happened.

Alastair M.: So what did we get? We got the most far reaching laws ever been passed in this country on privacy. One, the right to find out what information companies have got about you. Two, the right to tell them to delete it. Three, is the right to, if there’s a negligent data breach, that is where there’s a consumer class action lawsuit, and then the part I like almost the best is the right to tell the companies that they can’t sell your information, to opt out of the sale of your information. And these are extraordinary rights that didn’t exist before and I’m really excited about them coming into existence next year.

Manoush Z.: When you just to take yourself back to last summer, what did you feel when this law passed and you realize that all the years and millions of dollars that you had put into this initiative had become the rule of law for the state?

Alastair M.: Actually, I felt very humble. Humbled by the whole process. I felt really lucky and grateful to be part of something like this. To live in a society where this is possible. At the height of the campaign, when companies every week were joining the opposition committee, I did the math on the market cap of the companies opposing me with $6 trillion. I’m a wealthy guy, but I’m not a billionaire. The idea that one person can … Look, it took a lot more than … it took all the people in the legislature to act as well. But the idea that I was the catalyst for this is still incredibly humbling. It certainly makes you more of a patriot and more of a believer in the system.

Manoush Z.: I got to ask you though, what did it do to you professionally? Did you still have friends at Google who would go out to dinner with you at that point?

Alastair M.: One of the times, and I was sort of most alarmed in the middle of the campaign, so to speak, and I had a meeting with a very wealthy fellow and he at the end of it said, “Look, I think you’re doing the Lord’s work, but I could never support you because it would hurt my business.” And I remember thinking, so this guy was actually a verifiable billionaire. And I thought to myself, Holy God, you’re scared about this. I should be very worried.

And here’s the funny thing about our society right now, and I really think this is actually an important thing if people think about this for a second. The amount of power that we the people have placed in these companies, there’s nothing nefarious going on. It wasn’t that we … there’s like … so the James Bond Spectre people like Hut rubbing their hands together and sort of taking over the world.

But, the reality is that the amount of power, if one company is 90% of the searches in our country, they kind of represent truth to our country. Right? But if you want to talk about the power that’s reposit in a democracy in these companies, which is fine, I’m a capitalist, I don’t mind that. It’s just there’s no oversight and that’s what’s a little freaky. There are no consequences. And I don’t think that’s healthy. And actually, honestly, if I were running Google or Facebook, I would put my hand up and say, “Look, there needs to be some oversight because otherwise at some point the peasants will come with pitchforks and take this away and they probably should.”

Manoush Z.: Just to pick up on that, Mark Zuckerberg has said, “I do think there should be legislation. I think there should be federal legislation,” but a lot of people are saying the only reason that some of those big tech people want federal legislation is because it’s likely to be weaker than the California law that they would have to adhere to.

Alastair M.: Yeah. You know, I’m one of those people. I spend a lot of time in Washington talking to people about the law and about what’s happening. But the idea that suddenly after all these decades of industry the tech industry saying, “Hey, look, don’t regulate us ‘cause you’re not smart enough in Washington. You don’t know what’s going on. You’re going to stifle growth. You’re going to hurt innovation. Don’t kill the golden goose.” Now, suddenly we have some effective privacy legislation. Now they’re running to DC saying, “Hey, wait, you got to preempt it and make sure, by the way, you preempt to make sure you quash California.” I think that’s a cynical. I’m an optimist, again, I believe that the fed is going to be harder to get something weak through than the tech would like to think.

Manoush Z.: Let’s say everything keeps going for the next several months. What happens on January 1, 2020? How does the world change potentially when it comes to how tech is part of our lives?

Alastair M.: So, on January 1st the law goes into effect. There is a delay until July 1st for enforcement. So, I think it’s like a training wheels time. But, theoretically starting January 1st you’re going to be able to go to these companies and say, “What information do you have on me?” And, “Delete my information,” if you want to or, “Don’t sell my information.”

Manoush Z.: I don’t live in California. Is that okay?

Alastair M.: Well, it is for Californians. But, here’s the other thing which I am convinced about. Are you telling me, AT&T, are you telling me, Comcast, that you’re going to be able to look at your customer in Kansas, in Texas, in Louisiana and say, “Well, you know those crazy Californians, gosh, we give them rights out there. We let them see their data and we let them delete it, but you, hey in Baton Rouge, it’s not going to be good enough for you. Sorry.” I mean it’s just untenable. I think, forget law, it’s going to be very, very difficult not to have the same basic rights extend across the country for these giant companies.

Manoush Z.: Compare California’s law to the GDPR and you might as well call them siblings. They share a lot of DNA, but small differences make each unique. We’re going to have to see if they play well together too. Here’s one example.

As I mentioned earlier, the GDPR applies to any company that collects data from European citizens. The California law on the other hand only applies to for profit companies that do business in California and then only if the company grosses more than $25 million a year, or makes most of its money selling personal information.

There are lots of subtle and big differences between the two laws on everything from consumer rights to business responsibilities and whether it’s about the right to be forgotten or the right to say don’t sell my data, the power of these laws is in the details.

Come January 1st the world will be watching to see how the California law plays out and what it does better or worse than Europe when it comes to protecting our privacy. Until then, Alastair is keeping an eye on this law to make sure it doesn’t get watered down, but as far as he’s concerned, it’s a done deal.

Alastair M.: Look, once you give Californians rights, no one ever takes them away. I think it’s been true that the legislators are very scared of stepping into a place where they can be criticized for appearing to do big business’ bidding at the expense of their voters.

Manoush Z.: We are writing the next chapter of privacy’s history right now. The conversation between companies and their consumers about how information, very personal information, should flow between them is happening. Julie Brill at Microsoft says, privacy is a business opportunity, and that is something that we’re going to focus on in our next episode. Big companies say they’re pivoting to privacy, but what does that actually mean? We will check the facts and we’ll find out how to run a thriving business without collecting a ton of user data.

I’m Manoush Zomorodi, and as always, thank you so much for listening. This is IRL: Online Life is Real Life, an original podcast from Firefox.

Cool. Well, I’m going to keep up with you. I can’t believe I wasn’t following you already on Twitter.

Damien: I’m a privacy person. You won’t see any tweets from me, Manoush. It’s like come on …

Manoush Z.: The privacy guy keeps it on the DL. How apt is that?

Damien: Shocking.

What do you think about IRL?

Take our short survey