SharkCast

European Data Privacy and New Regulations Governing Transfer of Data to the U.S.

October 26, 2023 Dorsey & Whitney LLP Season 1 Episode 10

The U.S. and European economies collectively represent a third of global trade in goods and services, and close to a third of the world’s GDP. It follows that a staggering amount of personal data is exchanged between U.S. and European-based companies. The collection and use of data of EU citizens raises significant regulatory and consumer litigation concerns. In this episode, Dorsey Partner/Podcast Host Kent Schmidt and London-based Dorsey Partner Ron Moscona explore how the GDPR regulatory scheme differs from the emerging U.S. standards on consumer data privacy protection, and recent developments governing data transfer.

This podcast is not legal advice and does not establish an attorney-client relationship or create any duty of Dorsey & Whitney LLP or those appearing in this podcast to anyone. Although we try to assure that the content of this podcast is accurate, comprehensive, and reflects current legal developments, we do not warrant or guarantee those things. The opinions expressed in this podcast are the opinions of those appearing in the podcast only and not those of Dorsey & Whitney. This podcast is considered attorney advertising under the applicable rules of certain states.

Schmidt
Well, today is a big day. As of today, SharkCast is going international. This is the first and what is certain to be many episodes involving perspectives on pertinent legal topics from around the globe. Joining us today and kicking off our international series of episodes, we are having a guest from Dorsey’s London offices, my partner Ron Moscona. Ron, welcome to SharkCast.

Moscona
Thank you very much. Pleasure to be here.

Schmidt
Well, thanks also for being our first international guest. It’s great to have you join us for a discussion today. We’re going to tackle today an issue that’s been around for decades. We’ve talked about it to some extent on this podcast in the past, but it’s only increasing in the attention and complexity of the topic, and that is consumer data privacy. Now data privacy is complicated as a topic and a challenge for a company that’s only operating in a single jurisdiction, or in the case of the US, 50 separate states. It’s infinitely more challenging for companies with an international presence and client base around the globe. So Ron, you’ve had an international practice that focuses on technology, intellectual property, and data privacy, and without getting too far into the weeds today, I’d like you to kick us off by telling us in rather broad strokes how data privacy differs in Europe compared to the US regimes that most of our listeners are more accustomed to.

Moscona
Yes. And I have to start by admitting that I’m not an expert on the US regimes, but I am familiar with them a fair amount, and I would say that as the US legislation progresses, it does seem to focus quite a lot on specific issues, or at least to be quite focused. So US legislation started with legislation around health and children and then state legislation focuses quite a lot of, on consumer data. The European data protection legislation is very much principle based, and it, as a result it has a very, very broad scope and outlook. It tends not to deal very much with specific issues and it draws out very general principles of data privacy and data protection. And that’s the main difference between the cultures of the two regions, I will say.

Schmidt
Does European Union legislation on data privacy draw distinction between commercial data and consumer data, or do they, is that part of the holistic approach?

Moscona
No, it doesn’t draw any distinctions like that. The only distinction it draws is that it treats certain types of data, including health data, as a special category that needs to comply with more stringent rules. But apart from having more stringent rules to certain types of data there are no distinctions between health data, employee data, commercial data, consumer data, as long as it’s personal data, it’s data that relates to an identifiable or identified person, then it comes under the same broad global principles.

Schmidt
Now here in the US, it’s commonly understood that California’s data privacy laws, particularly those enacted in the last few years, the CCPA and so forth, most closely mirror the European model. Do you agree with that assessment? That’s certainly my understanding.

Moscona
It’s definitely, when it emerged it looked very much like another GDPR, and there are an awful lot of similarities in terms of the compliance burdens and what you need to do and a lot of the actual requirements are similar or very similar. But it goes back to the same point as before where you see quite significant differences is that the California legislation is about consumer data specifically, it’s not holistic. It is, it has probably one of the most burdensome and difficult aspects to deal with is it’s very, very specific or requirement to allow consumers to lodge their objection to their data being sold. It’s a very worthy and sensible piece of legislation and deals with a very specific issue. You don’t have these things in GDPR. In GDPR, everything is distilled down from general principles. GDPR doesn’t say anything about selling data. You have to take it from general principles that you’re not allowed to do that in normal circumstances.

Schmidt
Alright. Well, let’s go back and make sure we haven’t lost any of our listeners with some of the alphabet soup that you’ve now introduced in that section, into the discussion. You’ve talked about GDPR, which most of our listeners will understand is the general data privacy law. Can you, can you tell us a little bit more about what the GDPR is?

Moscona
First of all, it is a pan-European, or pan-European Union, legislation. It’s one regulation that applies as a single piece of law across the European Union to all countries equally, so they don’t have to implement independent laws. It’s one general law for the European Union. And it applies both to private companies and private organizations, as well as public organizations and to governments. I mean to a large extent, GDPR is there to regulate the handling of personal data by governments, by police forces, by security agencies, not just by companies, by universities, by healthcare, and by everyone. It’s very, as I said before, it’s very much principle-based and it targets public institutions just as much as it targets private companies in the same way and without really making a distinction between them. The, to your question, the big highlights of GDPR, because of its principled approach, I would say first and foremost the requirement of lawful basis for processing and the starting point here is that any processing of personal data has to have some kind of legal justification, if only that legal justification might be something like legitimate interest, which does not overly impinge on privacy rights. But there has to be a legal basis for any processing of data. Secondly, there’s a whole list of principles, which are quite similar to the principles that you would see under California, for example, in terms of protecting the data, respecting it, and so forth. And thirdly, again, similar to California law, there’s a whole host of data subject rights. And when we’re talking about data subjects, these are the individuals who are the subjects of the data. So the combination of data subject rights, the data processing, data protection principles and the lawful basis are probably the biggest highlights of what the GDPR is all about.

Schmidt
Okay, I want to back up and ask you a sort of structural question, with GDPR being enacted at the EU level, pan-European as you say, does it, is it a two tier system where the laws of the member states might apply to a different area of data privacy in addition to the GDPR? So the analogy from the states is with federal law and state law, and on a lot of matters, you have to analyze an issue under federal law and state law. Is it that type of approach also in the European Union?

Moscona
It’s a very good question. Before the GDPR was put forward in 2016 and became law a bit later, there was a directive, a data protection directive that existed for about 20 years before that, or something like that. And at that, under the directive, it was very much a very, very broadly sketched out European legislation which was implemented quite independently in different member states separately. So there was very much a two-tier system. One of the main reasons for introducing GDPR in 2016 was in order to have much more uniformity. So the starting point of GDPR is that it seeks to minimize divergence between different European Union Member States. But I don’t, I wouldn’t say that they completely achieve that because certain things, I would say are a minority, but certain things were still subsidized to national level. I would say that the biggest area is probably exceptions. So if you’re looking for exceptions, you might want to look at the national level rather than what GDPR actually says. But GDPR dictates to what extent you can legislate exceptions. So there are levels and also the procedural level like enforcement, where there’s divergence from one Member State to another. So at the procedural level, regulatory enforcement that is a Member State by Member State regulation, but most of the fundamental principles and rules on how to deal with personal data are embedded in GDPR.

Schmidt
So you’re sitting in London, we’re talking about the European Union, and so, you know, I have to ask you a Brexit related question. Right?

Moscona
Of course.

Schmidt
So how does all of this impact, in a post-Brexit era, data privacy in the UK?

Moscona
So far, almost not at all because, generally speaking, the UK adopted all of the European legislation into its law on Brexit, so there’s continuity. The UK didn’t overnight shed a lot of legislation, although that was part of the plan maybe of some of the Brexiters. But GDPR now exists as UK GDPR exactly as it exists in Europe, and between the UK and Europe, there is a recognition of adequacy, which means that there’s a free flow of information or data between the UK and the EU. That might change in the future because there have been noises in Parliament about watering down GDPR for the UK. I mean, they don’t say watering down, but that’s what they mean.

Schmidt
That’s your, that’s your contribution to the discussion.

Moscona
Exactly. So whether it’s going to happen or not is a political question, and no one knows. But there is definitely workings in government about redrafting bits of GDPR so as to make it a little bit more business friendly, really, and a little bit less onerous. But that hasn’t happened yet, and the concern is that if the UK diverges from the EU legislation, the EU might take away the recognition of the adequacy of the UK laws. So there’s a tension there. At the moment we live in a situation where, as far as personal data is concerned, the UK, as if it never left the EU.

Schmidt
I want to turn the discussion here to a pragmatic question, and that is understanding what triggers GDPR compliance requirements. So I’m thinking of perhaps a listener hearing all this discussion, in-house counsel sitting here in the US that’s thinking about data privacy, of course, as almost all in-house counsel are, and this company doesn’t have a subsidiary in Europe, they don’t have employees in Europe, but from time to time they have interactions and business and they get orders and have vendors and so forth in Europe. What are the signs of a potential GDPR issue or the best practices to determine whether compliance with GDPR is required?

Moscona
So the way to think about it, there are two reasons why GDPR, why a US company would, that doesn’t have any presence in the EU, would have to comply with GDPR. One reason is if it’s captured by the jurisdiction rule under GDPR. The jurisdiction rule under GDPR, apart from applying to any activities happening in the EU, which is obvious, it applies to the processing of data in connection with the offering of goods and services to EU consumers. In that sense, there’s a consumer element here, which doesn’t actually exist in GDPR generally, but for the purpose of international legislation, the context of the consumer context is quite key. So if you’re operating outside the EU, but you have customers in the EU, people who, to whom you offer goods or services and you process the data in that context, then the processing of the data in that context is captured by GDPR. So, you know, if you’re an e-commerce company and you are without having a physical presence in the EU, you still have customers in the EU, then the data you collect from the customers in the context of offering them goods and services, including all of the data you collect through the website and so forth, that is covered by the GDPR jurisdiction as if you were operating in the EU. And the other leg for that jurisdiction element is if you are monitoring people’s behavior. So if you have some kind of system without offering goods or services to people, but you still have some kind of digital system that monitors people’s behavior, that collection of data is also covered by GDPR. Now that is one reason why a company might be, might have to comply with GDPR from outside of the EU. The other reason is if you are importing data from someone in the EU, not from the individual themselves, but from someone who controls the data in the EU, you import data. 
For example you are a travel company and you get data from another travel company in the EU, and to do that lawfully, you have to sign a data transfer agreement or enter into some other kind of commitment to comply with GDPR. Then you have to comply with GDPR or with the principles of GDPR by reason of your contractual or other commitment.

Schmidt
So taking your example, suppose I operate an e-commerce company, and like every e-commerce company I ever go to the first question they say is, or pop up on the screen is, would you like 10% off by giving us your e-mail address while you’re shopping around. And so, you know, a lot of people take the bait. Now they have the data, the e-mail address and sometimes to get even more deals you give them your whole address, even without a purchase. If I’m collecting those addresses of citizens from Europe, that’s enough to trigger GDPR. What are the consequences for failure to comply with GDPR requirements, if I’m a US company and I don’t pay attention to those issues?

Moscona
That is difficult to say, because of course, naturally, a company outside of the EU is not subject to the enforcement powers of regulators in the EU, so it might be remote from the powers of enforcement, but it might still be in breach of the law. So then it depends how significant that business is. I think for significant businesses it doesn’t really matter that you are outside the jurisdiction. You don’t want to be receiving fines from the EU or be the subject of investigations. The risk is really one or two things. One, if something bad happens like a data breach, there’s an investigation. An investigation can determine that you are subject to GDPR and that you might have been in breach of its rules and you might face penalties. Whether these penalties are easy or not easy to enforce is a different matter if you are sitting in the US, but that is the kind of reason. The other thing is the other risk is potential litigation. I mean, if you, sitting in the US, you might be sued in the US for breaching GDPR. Who knows what a US court might do with that. But GDPR, under its terms applies, and if you are in breach of its law, someone in the US or someone can file a claim against you in the US if their rights are affected, and that would be a complicated case that involves US and EU principles, but that is certainly a possibility.

Schmidt
Well, you previewed my next question, which is the interplay between regulatory enforcement and civil actions, including class actions. Here in the US there is of course, regulatory enforcement, the FTC, state attorneys general, they’re very concerned about data privacy, very focused on it. But most of the activity, at least that I am dealing with on a day-to-day basis, is in the area of consumer class actions dealing with data privacy. What’s the current trend and status in European Union countries with respect to collective action or the equivalency of class actions in the data privacy space?

Moscona
So in Europe generally there might be exceptions, but in the class action system that is known in America has not reached Europe very much. Most countries don’t have class actions, certainly not in the American style, and enforcement of GDPR is predominantly regulatory enforcement by enforcement agencies by regulators. That is the, and they can issue penalties and carry on investigations and so forth. And I think the big ticket cases are mainly about big penalties. There can be significant penalties in the millions, or hundreds of millions, for big companies. In terms of litigation there are some countries, I think particularly Germany, where there’s a fairly developed system whereby consumer organizations or other kind of representative organizations can bring actions and particularly enforcement actions. That is very common in the consumer space in Germany and probably applies to privacy cases as well. I mean certainly, there have been high profile privacy cases in Germany that were brought by consumer organizations, so that’s not unusual. But I think still there are more cases brought by regulators. Sometimes the regulator would bring a case to a court. Sometimes the regulator would have enforcement powers itself. That depends on the Member State. But, so I think you have various ways of enforcement. And there are also private rights of action, and there have been some significant cases in Europe that were basically test cases rather than class actions. There have been cases which were brought by individuals, sometimes backed by a consumer organization, and they changed the law very significantly, and perhaps the best known of all of them is the Schrems cases, and these are cases brought by an activist who filed complaints in Ireland where Facebook sits and those cases changed the course of history if you like, in terms of GDPR.

Schmidt
With that background, I’d like to turn to some of the more recent changes in developments on the horizon in the area of data privacy and GDPR trends going forward. I’ve been reading some about the EU/US data privacy framework that was recently adopted by the European Union. Can you give us an overview of the data privacy framework? What is it and what is its significance?

Moscona
So this is based on an agreement basically between the US and the EU agencies, and it is a program that is put in place by the US Department of Commerce, and it’s enhanced by a presidential order that deals with some enforcement aspects, and it is recognized by the EU Commission under GDPR as a program by which organizations can self-certify their commitment to meet GDPR-like principles, basically. So you sign up, self-certify, commit yourself to meeting the principles which are equivalent to GDPR principles in relation to personal data that you import from the EU. The benefit of that is that once you are self-certified and meet the requirements of the program, you are free to bring any data you want from the EU and use it pretty much as you would use any other data that you hold in the US.

Schmidt
So when you say you sign up, is that a process that is available through the Department of Commerce? Is it a US company goes through the Department of Commerce website or some other portal to sign up?

Moscona
There’s nothing simpler than that. I mean, in the sense of signing up is the easy part. The Department of Commerce has a website and all you need to do is put in the name of your organization and certify that you comply. The hard bit is what you have to do in order to certify that you comply.

Schmidt
So we’ll get into the hard bit in just a moment, but let me back up and ask you retrospectively before the data privacy framework, what was the means by which this data transferred previously?

Moscona
There were two previous programs. One of them goes back to the 1990s called the Safe Harbor, and the other one came later, not that many years ago, called the Privacy Shield. So, the Privacy Shield replaced the Safe Harbor when the Safe Harbor was ruled down by the EU Court as being non-compliant with EU law, and then the EU Court again ruled that the Privacy Shield is non-compliant with EU law and pushed that one as well. These, by the way, are the cases that were brought by the activist Mr. Schrems, an Austrian activist who brought these cases in Ireland and they ended up at the European Court of Justice. So both of these previous programs, which were in many, many ways very similar to the data privacy framework were held to be non-compliant with the EU law by the court. As a result of that, the US and the EU Commission came up with the Data Privacy Framework, which hopefully improves and addresses the deficiencies of the two previous programs. That is one answer. The other answer is that these programs are not the only way by which organizations can lawfully transfer data from the EU to the US. The other, I mean there are other ways of doing that. The mainstream other way of doing that is to put in place data transfer agreements on the standard terms that have been adopted by the EU Commission, and by the way, in the UK we have now standard terms called the International Data Transfer Agreement, which were approved by the UK regulator and by the UK Parliament. They’re similar doing the same thing. Both these agreements and the programs like the Safe Harbor or the Privacy Shield or the new Data Privacy Framework, they do the same thing. They impose obligations on the recipient to basically follow the principles of GDPR when they import data from the EU. So even if you’re not signing up to any of those programs, you will always be allowed to import the data from the EU by using that agreement. And there are other mechanisms in place to transferring data.
For example, large international organizations that operate, that collect data in the EU and want to transfer it to the US, they can have something called Binding Corporate Rules, which is an internal document which does the same thing basically.

Schmidt
Like between a parent and subsidiary…

Moscona
Exactly. Exactly.

Schmidt
…you have a European subsidiary that’s collecting the data and but it wants to be, the company wants to process it in the US.

Moscona
Yes.

Schmidt
It’s an internal agreement.

Moscona
It’s an internal agreement, it’s binding and all of these agreements in order to give effect to consumer rights, or to the data subject rights, they have third party beneficiary clauses. So third, so the consumer or the data subject can enforce these rights in court against the organization if there’s a breach.

Schmidt
So again, turning the conversation from all of this complicated regulatory background and turning it to the more, the most pragmatic consequential point of the discussion, which is what types of business activities or what categories of companies should consider the options for either the framework or a, one of the agreements that you’ve summarized.

Moscona
So I would say that for companies that don’t have an extensive activity of transferring data from the EU to the, from the UK to the US, they can probably manage with entering into Data Transfer Agreement where it’s necessary to transfer personal data from an organization in the EU to the US, and that is manageable. I think this is not manageable for very large organizations that might have numerous counterparts who might send them personal data from the EU in various circumstances, whether within the organization or from outside the organization, it’s too complicated to have an agreement for each one. So very large organizations that are not, you know, operating within, only within the US, but they have sufficient reach to the EU to be involved in a lot of traffic of data back and forth, they can definitely benefit from the Data Privacy Framework, and of course all of the organizations, big and small, which are focused very much on data and dealing with data across jurisdictions, so there’s a whole host of these companies we talked about, e-commerce companies, but obviously e-commerce companies, all the social media platforms, all the AI companies, AI companies that use a lot of data in order to feed into their models, they need large amounts of data. They want to have that data from as many sources as possible for the AI to be developed properly. And that’s a good example of an organization, even if it’s not a very big one it, it really might benefit from this program in order to have the freedom to import data from the EU as much as it wants.

Schmidt
So you’ve told us what triggers the Data Privacy Framework, you’ve informed us that it’s pretty easy to sign up through the Department of Commerce, but I think you previewed that, that’s where the easy part stops and the hard part begins.

Moscona
Yes.

Schmidt
Let’s talk about what it takes to comply with the mandates of the Data Privacy Framework. Somewhat onerous, would you agree?

Moscona
I think it’s onerous, I think it’s onerous. But I think it’s onerous if you are coming from a place of non-compliance or from a place of dealing with the data in a very liberal way, because the fundamental, of course, is that if you want to comply with this program, you have to have an organization that deals with data in line with the requirements of GDPR, which means data governance policies, data security policies, everything that has to do with controlling how you use the data, for what purposes, who has access to it, who authorizes use of it, whether you can repurpose data that you collected for one purpose in order to deal with it for another purpose, a whole host of policies which you have to have in place. And these are not paper policies. You have to make sure that these policies are actually complied with by the organization. Now perhaps the, and you have to have the training programs and you have to have the, everything that goes along with it. Now the key points of, that would make it difficult to just go up and sign compliance on the website are two things. One is that there’s a verification requirement, which is a key requirement of the program. Verification means that you have to have an annual either internal or external audit that looks at your compliance with your policies and confirms that you are actually complying with your policies. So that sets a pretty high standard. The other very significant element is the signature itself. I mean, some corporate officer would have to put their name down, at the risk of potentially going to prison, if you know, if they didn’t have good cause to put their name down, or being prosecuted, they have to put their name down to confirm the compliance.
So if you are a GC or a compliance officer in a large company and you’re being asked to sign you’re compliant, that the organization complies, and signing that declaration means that you could be prosecuted if the organization is not in compliance, means that you would want to make sure that that audit was done really, really thoroughly.

Schmidt
Sounds like some echoes of Sarbanes-Oxley in this framework here…

Moscona
Yes.

Schmidt
…where the officers have to verify all of this.

Moscona
Absolutely. And officers will probably have, you know, the indemnities and their officers and directors, indemnity insurance and everything, but it doesn’t protect you against prosecution. Right? So definitely, that is a barrier. That means that, you know, any organization that wants to self-certify has to do it very seriously. But of course it’s not in the skies, it’s not beyond the reach of organizations to do that. And you know of course, you will never seek to be perfect when you deal with these kind of things, but if you have the proper policies in place and if the organization deals with data in accordance with these policies and that can be verified with an audit, then, you know, as a reasonable corporate officer you can certify this compliance.

Schmidt
Well, look, I have two observations from this. One is it seems like it’s a cost benefit analysis. If you have a lot of data transfers going back and forth from various entities, maybe it’s better just to undertake all of this in the Data Privacy Framework one time and then that’s how we accomplished this as opposed to a whole framework of lots of different agreements. And the second observation is many of these requirements not identical to, but very similar to, data privacy laws that are popping up everywhere. And so maybe this is the impetus that gets you ahead of the game for data privacy laws that either exist now or will be coming online very soon. If you’re compliant with the CCPA, you’re gonna check all of these boxes right off the bat. And with respect to others on corporate governance, it’s probably a good idea regardless.

Moscona
Absolutely. I think that is the key. It is a very good program to sign up for if you are going to comply with general data governance and data protection principles as they emerge across the world. If you start from a place of non-compliance, then it’s going to be difficult.

Schmidt
So rounding out our discussion on data privacy, I’d like to look forward with you. Where do you see all of this going in the next decade, particularly with the exponential growth that we are seeing in the use of data, the managing of data, AI spurring, all of the analysis and creating further incentives for the collection of data. What do you see on the horizon from a European perspective?

Moscona
I think first of all, I would say that it’s exactly what you said before. There’s increasingly, data privacy legislation is being put forward across the United States on a state-by-state basis, maybe at some point at the federal level. It’s being introduced across the world in Asia, in other parts of the world, it’s been taken seriously in Europe for quite a while. So looking into the future, there’s more and more regulation. And I think that means that if we started when the digital revolution started happening 25 years ago, we started from a place of free for all. There was no regulation, people thought they could collect data and sell it to whoever they want and do with it whatever they like to, and the mantra was data is gold, the data is power, and all of that, and it might still be the case that data is valuable. But eventually companies will have to understand that it comes with responsibilities and there’s legislation everywhere and it’s time to start complying and dealing with this data in a more structured, more organized, more compliant way, and there’s no getting away from that. So I think the way at which things are going is towards more legislation, more regulation and probably more enforcement. And in the case specifically with Europe, I would mention that there’s new legislation in Europe on AI, and although that legislation doesn’t deal directly with the data protection issues, there’s no doubt that the data protection issues relating to the collection and use of personal data in AI is going to be a massive issue, and I imagine that over time there will be not just court cases dealing with that big issue, but also new legislation that deals with this issue. And it’s a very difficult one. It’s again one of those situations where the law has to catch up very, very fast with very, very fast-moving technology, which gobbles up data like no digital technology before. So it’s a big challenge.

Schmidt
Certainly. Well, that’s about all the time we have to discuss data privacy and the future of GDPR and related topics. In the time that we have left, we are now to the point in our episode we call The Deeper Dive, and we’d like to ask you some questions on some unrelated topics, some personal topics, but hopefully not too personal. Ron, you’ve had a very fascinating career. You were educated at Tel Aviv University, and then you attended a place that most of us have heard of, Oxford University, not far from where you sit today. You’re fluent in Hebrew and English. I understand you speak some French as well. And before qualifying in England some 23 years ago, you were practicing as a member of the Israeli bar. What are the challenges and benefits that you have experienced in having what is truly an international practice? And I haven’t even mentioned all of your work in advising US companies here in the US, which is where our paths have crossed. But how have you experienced, navigated the challenges but enjoyed the benefits of international practice?

Moscona
First of all, thank you very much for the compliment. But it’s true that I think my practice in law has always had a very strong international aspect to it, and it remains so. And to be honest, it’s the only perspective I’ve ever known. I mean, it’s always been like that for me. So it’s not necessarily something I can comment on as a novelty, because this is my world in a way. Definitely, I think there’s a huge advantage in that, whether we like it or not, the world is a global village, and although there’s definitely elements of the economy which are very domestic, very localized, particularly in the world of technology, there’s nothing like domestic. There’s nothing which is domestic, it’s all very international in every respect. It’s not just cross-border transactions, but cross-border workers and cross-border technology and everything. So there’s a huge advantage, of course, in having an international practice. And the challenge, the true challenge definitely is bridging the cultural differences between different parts of the world, and these are very real and very significant and that’s what makes it so much fun.

Schmidt
I can see that. I haven’t experienced nearly as much of the international practice as you have, but that’s definitely been my experience as well. That’s a great answer. I’d like to, if I can, ask you one bonus question on a personal level. What do you do in your free time to help manage the stress of the day-to-day practice?

Moscona
Well, I’ll have to say that it probably took me 15 or 20 years to learn how to do that. But these days, when I’m not that young anymore, I find some ways, and I do spend a lot of time with my family. We’ve got two girls, teenagers, one of them, the older one studying engineering in Oxford. So I’m very proud of that. And I think for me, sports is terribly important. I cycle to work every day. I play tennis all the time. I do active holidays whenever I can.

Schmidt
How far is your commute to work?

Moscona
It’s about half an hour. It’s a downhill coming to the city of London and uphill going back to Highgate, where I live. So Highgate is high on the hill. So going back home you huff and puff and sweat, so it takes longer going back actually.

Schmidt
You’re reminded on the commute to home why it’s called Highgate.

Moscona
Exactly, every day, every evening. Well, every night, really, to be honest.

Schmidt
Well, that’s wonderful. A number of years ago my family and I did a house swap with one of our former colleagues who lives, who at the time at least, lived in Highgate.

Moscona
Oh, brilliant.

Schmidt
Yeah, we were over there for about a week enjoying London, while she and her family were enjoying Disneyland. So I’m familiar with the area, and that must be a bit of a challenge navigating London traffic to and from work as well.

Moscona
You learn not to be afraid of cars.

Schmidt
For sure. Well, stay safe out there.

Moscona
Thank you very much.

Schmidt
So our time is up today, but turning back just momentarily to data transfer, international regulation in this area, what’s the one takeaway you’d like to leave for our listeners on this topic?

Moscona
It goes back to what I said before. Data privacy is not going anywhere. There’s more and more countries putting in place regulations in this area and organizations need to understand that they are going to have to be accountable to how they use data, that they have to respect data, and to remember that at the end of the day there are real people behind that data, and that’s why there is legislation and regulation in this area. And that the age of free for all when it comes to handling personal data of people is fast vanishing. In a word, data privacy is not going anywhere. This can be a daunting and difficult area to deal with sometimes, and companies need to recognize that they’re going to be accountable to how they deal with personal data. Having said that, with the proper consideration and advice, these challenges can be met and the data privacy compliance is something that organizations can deal with and the task is manageable at the end of the day.

Schmidt
That’s all the time we have for today. Thank you for listening. I’m indebted to the extraordinary team at Dorsey for making this podcast and episode possible. For more resources on this and other litigation risks, go to litigationrisk.com, where more information can be found, including a book on managing litigation risk written by yours truly. Until next time, my friends, this is yet another reminder that there are a lot of sharks swimming out there in the murky waters, so swim safely.