What type of work is keeping you busy at the moment?
A rapidly evolving regulatory landscape, and particularly the EU General Data Protection Regulation (GDPR), keeps me and my colleagues in Morrison & Foerster's Privacy and Data Security Group–whether in Europe, the United States, or Asia–fully occupied at the moment. The uncertainties stemming from the GDPR, coupled with a lack of clear regulatory guidance, have left our clients with more questions than answers, and we are thus constantly working to find pragmatic solutions that fit within the client's business model and ensure an adequate level of compliance.
I am able to assist with most privacy and data protection issues impacting various industry sectors worldwide: international data transfers, cloud computing, direct marketing, social media, customer profiling, Big Data, blacklisting, data anonymization and pseudonymization, e-discovery, the use of email and the Internet in the workplace, bring-your-own-device/bring-your-own-computer projects, the use of dashboard cameras and other surveillance tools in the employment context, the use of medical data of sick employees by employers, insurance companies, and brokers, employee monitoring and whistleblowing procedures, internal investigations, and dealings with regulators.
The GDPR and other global regulatory regimes touch upon virtually all of these areas, so privacy and data protection specialists in today's marketplace must be able to do it all. However, the issues a company faces can be local and limited to one country, or they can be global and affect 50 or 100 countries. In each and every case, though, the lawyer's advice must be customized and strike a harmonious balance between legal compliance, cost-efficiency, and business-friendly results.
What drew you to a career in law?
I have always believed that if you need to work to earn your living, you should try to find something that you also count as a hobby. Then, try to find a group of people that feel the same way. Luckily for me, I have found all of this and more in my legal career, and especially in my current role in MoFo's Privacy and Data Security Group.
In this digital age, personal data is the new gold. It is many companies' most valuable asset, and organizations are increasingly trying to capitalize on this and structure their business operations accordingly. Getting there is often a struggle, however, especially for multinational companies operating against a backdrop of complex European and global privacy rules. Finding workable solutions for such companies is something that makes my work not only interesting, but also fun. It never gets boring.
What has been your career highlight so far?
Lately, every day feels like a career highlight. I get to work with global companies whose products and services I actually use as a consumer. I get to advise a client whose clothes I wear, another whose app I use, and another that insures me. Sometimes I even get to read about my matters in the media. Can it get any better than this? I don't think so.
To take just one example, for the past year and a half, I have been assisting a client with its GDPR compliance project. We started from almost nothing, and I had to explain basic privacy principles to the client team at the outset, but the end result was a sophisticated compliance program. At some point several months ago, the project lead, who did not even know what GDPR was at the start of the project, started brainstorming with me on the difficult issue of GDPR applicability and even analyzed one of the most complicated data sharing projects between various parties. When I realized how far he had come, I knew that I had done my job well. I enabled him and his team to implement a robust compliance program without having to engage me on each and every issue. Over a span of a year and a half, I made my role as an external counsel redundant for the most part, because my client's in-house team became competent, confident, and capable in dealing with the company's privacy and data protection matters.
What is the biggest challenge in your current role?
Interpreting unclear or conflicting laws and then translating them into understandable language and practical solutions is probably every privacy lawyer's biggest challenge. How can you marry your client's ideas and goals with myriad laws in various countries worldwide that may even conflict with each other? At the same time, it is essential to work with many of your clients' internal stakeholders across departments–for instance, ensuring that the legal and compliance teams understand the risks and implications of any proposed action, and collaborating and compromising with project managers who are often eager to implement their ideas in an unchanged form.
To do this, you have to able to read the laws carefully and understand their practical implications, of course. You also have to be knowledgeable and current, remaining connected to the latest developments in as many jurisdictions as possible. Finally, when societal norms evolve and new laws are passed, it is particularly important for data protection lawyers to be inventive and imaginative. The ability to put all of this into workable advice and build consensus around your proposed solutions is another skill entirely, however, and in my experience is equally if not more important than the subject matter expertise.
If you could change one piece of legislation, what would it be?
In my opinion, the GDPR could have used a bit more work, patience, and careful thought. Not only could the regulation be clearer and more practical on many points, but it could also be more user-friendly for the individuals it seeks to protect.
For example, looking back to May 25 when the GDPR came into force, I think the number of emails that individuals received with information about new privacy policies and various consent requests did little good. I likewise do not appreciate the many pop-ups and banners seeking my consent for cookies under the current ePrivacy rules. I value my privacy, and I value the EU legislators' wish to protect my data, but I think we can achieve both of these goals in a way that does not destroy the user experience.
Additionally, there are a number of instances of unclear drafting in the GDPR, which subsequently led to confusion about its very purpose. For example, should organizations be able to do their due diligence to combat bribery and corruption in their ranks? Or shouldn't they, because the GDPR essentially forbids them from processing criminal data? I think most would agree that combating bribery and corruption is a noble goal, and that hindering this process was an unintended consequence of the GDPR.
I wish I could travel back in time and point out all of these inconsistencies, but we must now look to the future and hope that the EU regulators will provide useful and practical guidance to ease the compliance burden and mitigate the current confusion. Coupled with a little bit of help from MoFo and our clients, I am hopeful that we might get to a place where things start making more sense.
What do you find most rewarding about working in law?
A satisfied client is the most rewarding aspect of my work. Many times during the course of our projects, clients get so involved in the details of various issues that they can no longer see the forest through the trees. As an outsider, I get to listen to all of their ideas with fresh ears and then help them achieve clarity, translating issues into practical options that will work from both the business and compliance perspectives. It is the best feeling in the world when a client has a "light bulb moment" because of my guidance and no longer feels the pressure to focus so much on the trees.
What are your plans for the future?
My goal is to become one of the best privacy and data protection specialists in the world. I am fortunate to work with a group that includes a number of such outstanding, renowned specialists. They are not only great lawyers, but also great people who are kind enough to continuously support me in achieving this goal. So my plan is simple: to continue on this path.