Naïm: Thank you everyone for joining our podcast today. My name is Naïm Antaki. I'm a partner at Gowling WLG in Montreal, in business and tech law, and privacy is something that I always have to deal with, with my colleagues, as part of our global tech team. Today we are so blessed and lucky to have two wonderful people to speak with us about this important topic, Luigi Bruno and Sherry Truong. Luigi, would you like to introduce yourself, just to give the audience a little bit of an idea of the very interesting path that you've had in privacy and tech generally?
Luigi: Yes, absolutely. So first of all, thanks for the invite, Naïm. It's a pleasure to be here with you today. As Naïm said, my name is Luigi Bruno. I'm originally Italian but a little bit of everywhere around the world. I'm a Senior Engineer and privacy technology leader in the Group Privacy Operations team at IKEA in Sweden and I'm also doing a Doctorate in AI and law at McGill University in Montreal. I have a bit of an unusual background because I studied both law and computer science. When I'm not very busy doing other things I also try to publish research papers. So I'm recently publishing a research paper on post-quantum encryption and how it affects privacy law and how regulators should actually try and mitigate its effects. In my previous life before joining IKEA and before doing a PhD, I've advised several large multinational organizations on the protection, privacy and a lot of information security, as a freelancer and as a consultant while working for Deloitte Switzerland in its cyber risk team.
Naïm: Thank you so much, Luigi. Sherry, it would be wonderful to hear also your very interesting path so far.
Sherry: Hi. Thank you for having me. I'm very excited to be part of this amazing podcast with everyone here. So a little bit about me. I graduated from UC Hastings in California and I went in-house doing a lot of privacy work. I started off at a digital media conglomerate doing their pre-GDPR work and then moved on to an open source platform that was acquired by Microsoft. So I was handling the M&A privacy integration for them and then recently, previous to my current job, I joined Twilio, which is a telecommunications platform, doing a lot of their sort of global risk and remediation and privacy work. Just recently joined Asana, which is sort of like this project management platform, and looking forward to seeing how this company will continue to grow, and privacy is a very interesting industry to be in nowadays with all the changes. So I find that at any place that I go the challenges are always new and so we'll see what the future holds.
Naïm: Wonderful, and Sherry, even though this is a technology podcast it would be great to hear where you are speaking to us from today?
Sherry: I'm in San Francisco, California. We just returned to office which is very exciting. First week in and I love being on this podcast with everybody. It's such a great international community and privacy is very, very much rooted in international law so it's always great to get interesting perspectives from everyone.
Naïm: Thank you so much, Sherry, and Luigi, where are you based today?
Luigi: At my home base at the moment. It's a bit less famous than the Bay Area. I'm in Malmö, Sweden. It's exactly on the other side of a tiny strait called the Öresund Strait from Copenhagen. So that's where we are. It's a very international place. I think in Malmö over 200 different languages are spoken and it's home to several companies. Obviously IKEA, but nearby you have Volvo, you have several larger and very novelty companies. So privacy is certainly a crucial aspect of the business life around here.
Naïm: Wonderful. I'm actually in Montreal, which also is a wonderful platform for different languages and cultures. So I think I will start, if it's okay with you, because this is such an international panel, before delving into maybe some legal aspects of privacy, let's start with cultural approaches to privacy based on your path, and I'll start with Sherry if it's okay with you. How do you feel people look at privacy, generally, and do you feel like this is something that has changed since you started in the field a number of years ago?
Sherry: I think that's a great question. I think privacy is becoming more of an issue for more companies, especially in the US, as more State laws start being passed. There's talk of a US Federal law. We don't know when/if that's going to happen but it is at the forefront now, at least for a lot of people, certain things about regulations coming through. CCPA being one of them, the California laws that are coming into play, CPRA coming out as well. So I think companies especially based in Silicon Valley are very, very concerned about privacy and how it's going to affect them. I think we're starting to see a shift in the industry in hiring. There's a lot of privacy professionals out there waiting to be swooped up and I think that we're starting to really see companies take privacy seriously. Especially as fines are coming down in Europe I think it's really starting to, not put people in a panic, but they're taking it a lot more seriously than they did before. I think that for smaller companies and startups it's a bit more difficult because they lack a lot of the resources that, obviously, big tech has, but I think it's very important to kind of see that being privacy forward doesn't necessarily mean that you have to have a team of 15 privacy lawyers behind you to implement some formal privacy program. A lot of it is thinking about how you build privacy into your product by privacy by design. How you want to implement privacy values or ethos into your company culture. Thinking forward as to how technology is going to change and how your product is going to be able to keep up with those changes. I think all of that is leading to a lot of discussion about privacy being woven into the culture of every single company, that at least I've talked to, and part of that is going to be an interesting exercise in seeing will that translate into resources, into more robust privacy teams. You'll start to see privacy being marketed as part of the company brand.
I've seen large tech companies with huge billboards about privacy and being privacy forward and gaining customer trust. So I think that that's probably going to be the lay of the land as more regulations are being passed and people are starting to see customers ask, "What are you doing with my data? Where is this going?" and that's really going to be a forcing function I think for privacy moving forward.
Naïm: Thank you so much, Sherry. Luigi, since you were in Montreal, you're from Italy, you're in Sweden right now, do you see some maybe differences in approaches? Again, just how people approach privacy depending on where they are, from a cross-cultural standpoint?
Luigi: Yes, so I think there is a bit of a symmetry among European countries in the first place, and also like between Europe and North America. When it comes to the European landscape, certainly I think European countries and European companies are a bit more mature when it comes to operationalizing privacy because Europe was obviously the first major jurisdiction to push forward for the GDPR. It was a big game changer when it comes to great ... landscape, in terms of privacy. When I worked in Switzerland I noticed that operationalizing privacy for Swiss companies was a very natural thing to do because Switzerland is based on trust and privacy for your customers. We can go back 1,000 years with the first banks being set up there and that's the culture. You don't need to disclose what we do. You need to keep whatever your customers are doing very secret and very private. So I think that the transition towards privacy has been very natural for Swiss companies and the same I'm noticing here in Scandinavia, where I think the quid pluris, to use the Latin expression, is that Scandinavian companies are based on values and these values are actually the pillars of whatever companies do. So if I think about the case of IKEA, for instance, it's pretty public knowledge IKEA is based on values that were set several years ago when living conditions in Sweden were different, and now that the company's so big they can actually have a big impact over the world. So whatever they're doing it's based on these values, and I think having these values that tend to protect methodical workers but also like customers and the environment and society, it's been a very good basis for privacy. Not only to be upheld from a compliance perspective, the so-called paper compliance, but also to be internalized, operationalized and then seamlessly embedded within the organization.
Then moving across the pond, I think in North America, because the US has been so dominant in the North American business landscape for so long and there are so many different jurisdictions within the US, I have to build on what Sherry was saying. That only now with so many State pre-regulation we start to see a bit of a change in the scenario and I think Canada is following, right? Besides the larger international oriented companies in Canada, that obviously have to deal with California, have to deal with the major States like New York or with Europe, Asia, that inevitably need to be compliant, right? Because if you want to cater to your customers in Europe you need to be compliant with the GDPR. I think that we're going in the direction where the landscape is becoming more mature, also in Canada, and this is being reflected also in the new regulation that's coming along. If we look at Bill 64 in Quebec we see that clearly there's a phenomenal legal transplantation that comes from the GDPR.
Naïm: Thank you so much, Luigi, and if you don't mind I'd like to pick up on the very interesting, I guess balance, that you talked about. Which is the importance of values and I think, Sherry, you were talking about this also, and the distinction between values versus strict compliance. In my experience I truly feel like compliance is only the very first step, and may not necessarily be enough, as is typically not enough for a company. Right? Yes, definitely you want to be compliant but at the same time there's a real emphasis being put on trust with your employees, trust with your suppliers, trust with your customers. This leads I think to trying to do more, and as you said Sherry early on, being privacy forward in a world where laws have to be drafted in a general way, if I can put it this way, being technology neutral. Turning those principles into action can sometimes be difficult. I think this is where I'd like to turn to, if it's okay, because I think that it's one thing to talk about the laws and some type of harmonization. Luigi, you were talking about Bill C-64 in Quebec, which is still in draft stage and obviously our schedule, Federal privacy legislation which is also in draft stage right now in terms of being overhauled, and there are some what I will call adaptations. Because if you're a company my understanding is that at the end of the day you need to be able to operationalize all of this and you can't do it differently State by State, Province by Province, country by country; at the end of the day you need to have some type of common denominator. I would be grateful to hear your experiences in maybe how to turn this variety of legal privacy legislations in different jurisdictions into how do we launch this project, or how do we grow this project across, from a very pragmatic standpoint. What's the best way to go about it? Thinking about, forgive me the jargon, but thinking about your stakeholders. Your board of directors. Your tech team.
The other legal team, your insurance and your sales team. Maybe what have been some of the things that you have learned, or how have you learned to navigate with these different stakeholders? Sherry, I'll start with you.
Sherry: I think depending on the size of the company one of the first things that I like to do is sort of have conversations with internal stakeholders, particularly for smaller companies, about where do you want to land on the spectrum of privacy, and I say that because personally I think it's important for a company to kind of have some sort of privacy mission statement in mind. It doesn't have to necessarily be written down. It's great if it's formalized but very rarely will you see a smaller company say, "This is what we're doing. We're sticking to it." because it doesn't really enable business. Like you said, operationalizing privacy, and when privacy laws are constantly changing, what you operationalize on one day might not be compliant the next day, which is the great thing about privacy. You always have to constantly be iterating, making things better, and so baking privacy into the culture, into the product, into how you do business, is really important because that's going to inform how you face these challenges as these changes continue to grow. It's only going to become more complicated as technology becomes more complicated. You're moving into, as Luigi said, like AI/ML, the questions are just going to become murkier. Your solutions are going to become more ad hoc and how do you prepare for that? I think one of the things that I find in companies that struggle is that they don't really take a stance on where they fall on that privacy spectrum. So if you're not willing to take a stance, wherever it is that you fall, right? I'm not here to make a judgment on how closely you align with "I don't really care about privacy" to "I care so much about privacy, that's the only thing that matters to me." Those are very extreme positions to take but I think that there is something to be said about being able to pinpoint where you are because that is what helps drive your decision making.
We get presented with really difficult decisions that balance being maybe a little more conservative on privacy and business needs. Sometimes in order to service our customers that's a very difficult balance to keep. Those are the considerations that we always take in-house, and the values play into that, because if you don't know where you stand you're sitting there going, "I don't know if I should go and make a choice that's better for the business or better for privacy." You're making inconsistent choices and that usually equates to inconsistent policies, inconsistent frameworks, internal frameworks, and it confuses internal stakeholders because why are you giving on this and not that? Why are we not taking this stance? Then there's 5 or 6 exceptions to those. It provides a sense of clarity for everyone moving forward in the right direction because, if you say we're going to be a leader in privacy in our industry, that means you're going to have to potentially be a little bit more conservative on certain things that fall on the privacy side which are going to affect your bottom line. If you're willing to do that and you're willing to say this is the plan that we're going with, we're staking our reputation on it, this is our customer trust, we're making privacy part of our brand, X, Y and Z, and it's consistent, not only are internal stakeholders clear but you're probably more likely to get resources to support that if it's a company choice that you've socialized out. Then to your customers as well. They see a consistent stance on how you're treating their data, what your policies, your external facing policies, are like. Regulators get to see that they're really trying to be more privacy forward, privacy focused, gaining customer trust, they're understanding the balance between themselves and the customer, and that might buy you some goodwill.
So I think that values really play into it because it helps your decision making and it really just gives people a sense of wow, this company really fits in this section of the privacy spectrum. If I say, not to throw certain names out there, if I say Facebook, Google, Apple, people sort of have ideas of where they fall in the spectrum. It's like that for a reason. They've made consistent choices when it comes to privacy, when it comes to security, when it comes to data usage and retention and sharing. So I think that's a very real thing for a company to think about and I hope that people will take the time to really build that out, and encourage their stakeholders to really take a moment and pause and decide kind of where they want to be, because that can really, really affect what the company looks like 10 years down the road.
Naïm: Thank you, Sherry. There's lots to think about there in terms of not just thinking about privacy as a value but how it interacts with and relates to the other values of the company. Luigi, your thoughts and anything else you'd like to add on this topic, which is the operationalization of privacy, making it real, and navigating through the different stakeholders. I'm sure you'll have a lot to say on that.