Caveat 5.12.22
Ep 125 | 5.12.22

Let's talk about data privacy compliance fatigue.

Transcript

Bill Tolson: It is a massive, massive liability that countries still need to get their arms around, and what is this going to do to the cost of running a business?

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben covers a settlement between the ACLU and Clearview AI. I discuss some tech giants rallying behind a proposed New York privacy bill. And later in the show, my conversation with Bill Tolson - he's VP of eDiscovery at Archive360. We're discussing compliance fatigue. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we got some good stories to share this week. Why don't you start things off for us? 

Ben Yelin: Sure. So I got the big one this week. I'm using a New York Times article entitled "Clearview AI Settles Suit And Agrees To Limit Sales Of Facial Recognition Database." So we've talked about Clearview AI. It is the facial recognition software maker. They sell their services to law enforcement agencies across the country - but also, prior to the settlement, to private entities. They scrape people's profiles from social media sites and have a searchable database where you can recognize people by their faces. 

Dave Bittner: Right. 

Ben Yelin: So there is a biometric privacy law in the state of Illinois. It is the only such law across the country. And the ACLU filed suit in Illinois State Court to stop Clearview AI from selling this facial recognition data. This lawsuit had been pending for a couple of years, and they agreed just recently on a settlement as long as the judge in Illinois agrees to sign off on it, which once there's a settlement, that is generally a formality. The judge almost always signs off. 

Dave Bittner: OK. 

Ben Yelin: And as a result of the settlement, Clearview AI will no longer be selling its data to private entities. It will still be able to make - to give the data to law enforcement at both the state and federal level - local, state and federal level, actually. So it's still going to be available to governments. But with only minor exceptions, it is no longer going to be available to the private sector. 

Ben Yelin: So this is a major blow to, of course, the bottom line of this company and its CEO. It's a New York-based company. They have obviously a very significant financial interest in being able to sell this software to private organizations who can use it for advertising purposes... 

Dave Bittner: Oh. 

Ben Yelin: ...Or any other type of purpose to help identify particular users, to document trends on the social media sites and match them up with facial recognition technology. 

Ben Yelin: But it's not just Illinois where this type of software was being - was problematic in a legal sense. So there's a U.K. law that prohibits this type of data collection. There is a law in Canada, Australia, parts of the European Union where you can pay fines for selling this type of biometric data because it would violate privacy laws. So it was getting more and more untenable for Clearview AI to have a business model where they were selling this data to private organizations. And because of the settlement, even though technically, it's only effective in the state of Illinois because the state of Illinois is the only one with this biometric data privacy law... 

Dave Bittner: Right. 

Ben Yelin: ...It will apply across the country. I mean... 

Dave Bittner: Oh, OK. 

Ben Yelin: ...They've agreed as part of this settlement to stop selling data to private companies across the country as to not run afoul of the Illinois law, but also, as a side effect of that, to have a 50-state ban on this type of data brokerage, I suppose. 

Ben Yelin: So Clearview AI - there are still a couple of ways for them to make money beyond selling their services to law enforcement departments. There's an exception in the Illinois law for financial institutions, so they'll still be able to sell to those. But they're certainly going to be more limited than they would have been. So I think this is a major win for the civil liberties advocates at the ACLU, and this is why you file this type of lawsuit, is you hope to pressure a company like Clearview AI into settling, and that's what they've done here. 

Dave Bittner: Now, I've seen recently that Clearview said in their own press releases and so on that they were pivoting towards trying to get most of their revenue from these government sales anyway. Is that - do you - I mean, I suppose you could read that as being maybe trying to get ahead of this? 

Ben Yelin: Yeah. I mean, I think that's where they're going to have to make most of their money. Now, I would guess that there's still a lot of money in it from these public sector organizations. Local police departments - I mean, there are thousands of them across the country - selling them to federal government agencies - not just the FBI and law enforcement agencies, but immigration services, potentially the IRS - organizations that could make use of facial recognition data. And then you have state police departments for things like traffic enforcement, interstate criminal activity, those types of things. So it's still going to be of great use to these governmental organizations. I don't think Clearview is going to go out of business just because they will have this market in the public sector. I just think they're going to be severely limited in their ceiling, in terms of how much money they can ultimately make because they are now being shut out of the private sector. 

Dave Bittner: Hmm. What do you make of Illinois carving out an exception for financial companies? Is that - do we suspect that's so that financial companies can use these tools to try to track down people who are, you know, deadbeats (laughter)? 

Ben Yelin: Yeah. I mean, I think that's exactly what it is. I don't know what the reasons are that Illinois or their state legislature has introduced this carve out. I suspect it's for collecting on debts. If there is a financial organization that's, you know, trying to collect something from an individual who has not paid a bill or is delinquent on a loan, hasn't paid a mortgage, and they are unable to find or identify this person, you could certainly use facial recognition to try and catch them, either at a branch or anywhere else where there is some type of video surveillance. I don't know - you know, in terms of the policy behind it, I don't know why it's such a great idea to exempt financial organizations. 

Dave Bittner: (Laughter). 

Ben Yelin: My guess is that this is the... 

Dave Bittner: 'Cause they have the money to pay the lobbyists (laughter). 

Ben Yelin: Right. I mean, I think that's exactly what happened... 

Dave Bittner: Right. Right (laughter). 

Ben Yelin: ...Is they wanted a tool to catch people who are delinquent or behind on payments. 

Dave Bittner: Right. 

Ben Yelin: And lobbyists are powerful enough that, if you can get money in their pockets and get in their ear, they can effectuate some of these changes to legislation. And certainly, that's going to be a help to Clearview AI's bottom line. I mean, to be shut out of the private sector but to still have a potential market among financial institutions - not a bad place to be. There are a lot of financial institutions in this country. They have a lot of money, and they have a lot of incentive to identify people who are delinquent on payments. So there's certainly going to be no shortage of opportunity for Clearview AI. They've probably determined, as part of whatever business analysis they've done under the CEO, that they can survive as a company selling to these financial institutions and selling to public sector agencies. If they tried to continue to sell to other entities in the private sector, they'd risk being held civilly liable, and that could take away a huge chunk of their profits. Because they came to the settlement with the ACLU, they will not be held liable for any of their previous activity, so they're not admitting liability in this case. 

Dave Bittner: Oh, interesting. 

Ben Yelin: All they have to do is pay the attorney's fees, which to them is pocket change. 

Dave Bittner: (Laughter). 

Ben Yelin: I mean, it's an amount that's just very insignificant to them in the grand scheme of things. So I think they come out of this with a really clear path to being a profitable company. It certainly hurts that they're losing out on a lot of these private sector markets, but I think they've made the calculation that they can survive and thrive and not subject themselves to civil liability in Illinois or anywhere else where there's going to be legal restrictions on the sale of biometric data. 

Dave Bittner: Hmm. Now, is the ACLU crowing about this getting everything that they wanted? 

Ben Yelin: They are. They are saying this is a win for the most vulnerable people in Illinois and across the country. I think they - particularly the immigration branches of the ACLU are particularly proud of this decision. They have a lot of clients. They mention a lot of Latina clients who are undocumented. They have low levels of IT or social media literacy. They don't understand how technology can be used against them. And even though this is still going to be available to public sector entities, this will limit the profligation of this data across the internet, so it's going to be advantageous to people who will ultimately be hurt by biometric data being out there. 

Dave Bittner: Right. Right. 

Ben Yelin: So they... 

Dave Bittner: So you've got stalkers and domestic violence victims and things like that who have an interest in not having this readily available to anybody. 

Ben Yelin: Exactly. And I should also mention - they say in this article that even though Clearview AI still has the ability, legally, to sell or to market their database to U.S. banks and financial institutions, their CEO has stated that they're not going to do that, at least in the short term. So that's kind of one caveat - not to throw in the name of our podcast add to this discussion. The other one is that Clearview, while they can't sell data now to these private organizations, they will be able to sell their facial recognition algorithm without the database of images. So the algorithm itself helps match people's faces to any database that the customer, so whether that's a private organization or an agency, provides. 

Dave Bittner: Oh, interesting. 

Ben Yelin: So the algorithm itself could be very profitable. 

Dave Bittner: Right. Right. 

Ben Yelin: So I think from Clearview AI's perspective, when you combine the algorithm - you combine the public sector agencies and then potentially, at least in the longer term, these financial institutions - that's a lot of money that can still go into your coffers, and it's just not worth it to pursue sales to private organizations any longer when you can disclaim liability as part of the settlement. 

Dave Bittner: Interesting. All right. Well, we will have a link to that story in the show notes. My story this week comes from TechCrunch. This is an article written by Zack Whittaker. It's titled "Silicon Valley Rallies Behind New York Ban On Geofence And Keyword Search Warrants." So this story is about a coalition of some of the big names in tech, including Google, Microsoft and Yahoo, and they have thrown their support behind a bill that is making its way through the New York legislature. This is New York Assembly Bill A84A, the Reverse Location Search Prohibition Act, which prohibits the use of reverse location and reverse keyword searches. This is something we've talked about before, Ben. 

Ben Yelin: Yeah. So we've done an analysis of these keyword search warrants and these geofence warrants. They've become more ubiquitous over the past several years. So for a geofence warrant, you're trying to get information on all of the devices that were in a particular area at the time a crime was committed, or an incident took place. And this runs afoul at least to the principles of the Fourth Amendment because there isn't any particularity to these searches. You don't have probable cause that a single person committed a crime. You're really getting a dragnet of devices and then doing investigative work from there. So even though there's not clarity in our court system as to the constitutionality of these geofence searches, I think clearly this is a thematic offence or an offence against the values of our Fourth Amendment. The same can be said for these keyword search warrants. So anybody who's searched for a particular term within some timeframe related to a crime - so anybody who searched for how to stab somebody in the back in a particular... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...Geographic location... 

Dave Bittner: Right. 

Ben Yelin: ...Right before a stabbing... 

Dave Bittner: Right. 

Ben Yelin: ...You can get information on all of the users who use that keyword search term. And again, there's a lack of particularity there. You don't have any possible inkling or information that a particular individual did that search. So you are collecting an undue amount of data from people who are completely innocent, who you have no evidence have participated in any criminal activity. So there are currently no state laws on the book in any of our 50 states banning geofence warrants or keyword search warrants. So New York state would be the first. So it's interesting that these tech companies, probably not entirely for altruistic reasons, are getting behind this piece of legislation. I'll note that this piece of legislation has not moved. So it was introduced at the beginning of this calendar year, and it's still stuck in the New York Assembly Committee. So... 

Dave Bittner: You think this is an attempt to maybe nudge it, give it a little oomph? 

Ben Yelin: Yeah. And that certainly might help. Knowing what I know about state legislatures, it generally takes two or three years for these types of controversial bills to pass. You kind of have to throw an idea out there. It's not going to be refined or perfected. You kind of want to test the waters, see what the organized opposition is going to be, see whether there's the political will for it. My guess is that's what's happening here. This is the first time this legislation has been proposed. Maybe we'll see no bite at the apple this year, but over the next couple of years, legislators will be more eager to take action, especially now that you have so many geofence warrants and keyword search warrants. And from the perspective of these big tech companies - and they're a part of this group called Reform Government Surveillance, a group that was set up in Silicon Valley in response to the Snowden disclosures, actually, in 2013. The reason it's of interest to them is they don't want to have to go on these fishing expeditions all of the time to get geofence data or keyword search data. It is burdensome to them. 

Dave Bittner: Right. 

Ben Yelin: And it also potentially can have reputational effects among its users. If users know that by using Google Maps they're going to subject themselves to geofence warrants, that might lead them to not use Google Maps... 

Dave Bittner: Right. Right. 

Ben Yelin: ...Or to try and find a service that - where that data would not be available, where you get the same type of functionality. So this isn't altruistic. There is interest in these big tech companies in cutting down on the number of these warrants. But it's certainly interesting to see. I mean, these are the biggest of the big, big tech companies - Amazon, Apple, Dropbox, Evernote, Google, Meta, Microsoft, Snap, Twitter, Yahoo! and Zoom... 

Dave Bittner: Oh, yeah. 

Ben Yelin: ...So a who's who of the major players in Silicon Valley. 

Dave Bittner: Right. Help me understand the pecking order here. So if something like this makes its way through the New York assembly - right? - so let's say New York makes this a law, what does that do to the feds' ability to ask for this sort of stuff? 

Ben Yelin: So federal law could preempt state law if the federal government chooses to occupy the field. So if they pass a regulation that occupies this very specific space in our legal landscape - so it's related to geofence warrants or related to keyword search warrants - the federal law would generally preempt that state law because the federal constitution is the supreme law of the land. 

Dave Bittner: OK. 

Ben Yelin: It's unlikely that the federal government will pass a law banning this type of data collection any time soon. One, because it's Congress, and they're largely dysfunctional. 

Dave Bittner: Right. 

Ben Yelin: Two, I don't know if there's a political appetite for nationwide legislation of this scope, particularly when the federal agencies will come to Congress and say, we want to be able to have access to geofence warrants because if there's an event like the Boston Marathon bombing where there's a terrorist attack and it's under federal jurisdiction, it would be very helpful for them to figure out which cell phones were in the proximity during that particular time. 

Dave Bittner: OK. 

Ben Yelin: Even something like the Jan. 6 insurrection... 

Dave Bittner: Yeah. 

Ben Yelin: ...They used geofence warrants there. It's extreme - it's a very helpful tool for federal law enforcement... 

Dave Bittner: OK. 

Ben Yelin: ...Agencies. 

Dave Bittner: But just for my own understanding here, would the feds need some sort of enabling legislation or are they enabled by default? Does their ability to override the state legislation exist by default or would they need enabling legislation that specifically says, hey, we're overriding this state legislation? 

Ben Yelin: So that's a great question. It depends on where the search is taking place. So if the geofence - this New York state law would ban geofence warrants within the boundaries of New York state and as it relates to keyword searches of IP addresses located in New York State. 

Dave Bittner: OK. 

Ben Yelin: So without an explicit bill preempting that, the federal government would not be able to stop New York from taking this action. 

Dave Bittner: OK. 

Ben Yelin: So within the boundaries of New York state, we know if this law were to be enacted, there would be a ban, at least among New York state agencies or federal agencies operating within the state of New York, on obtaining these warrants from judges. 

Dave Bittner: OK. So New York would be out of bounds. 

Ben Yelin: Would be out of bounds. 

Dave Bittner: OK. 

Ben Yelin: The remaining 49 states, unless they enacted their own version of this legislation, it would be completely inbounds... 

Dave Bittner: I see. 

Ben Yelin: ...Unless the federal government passed legislation. 

Dave Bittner: OK. 

Ben Yelin: Then there's the more complicated question about - if there's not a direct conflict, but there's some intersection as to what the state has done and what the federal government has done, which law applies in which given a situation? That's way into the legal weeds, and... 

Dave Bittner: (Laughter) Oh, goody. 

Ben Yelin: ...I am not going to bore you with the minutia of that question. 

Dave Bittner: Right. All right. No, but that's helpful. That definitely helps my understanding of that. All right. Well, again, that article comes from TechCrunch written by Zack Whittaker. We'll have a link to that in the show notes. We would love to hear from you. If you have something you'd like for us to discuss on the show, you can send it to us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Bill Tolson. He is the VP of eDiscovery at an organization called Archive360. And we were discussing compliance fatigue. Here's my conversation with Bill Tolson. 

Bill Tolson: There have been numerous, you know, privacy regulations around the world for many, many, many years. Very few people actually paid attention to them, and very few countries actually enforce them that much. Now, with the introduction of the EU's GDPR privacy regulation, that became - I mean, that was in 2018 when it became active. And that was - that is a data privacy/security law that basically includes protecting data across all 2,728 EU countries. So it's one big data security authority that protects the vast majority of Europe around data privacy and data security. And that - and the reason why that one really kind of kicked off this newest kind of environment of lots of privacy laws being introduced was - No. 1, it was across the entire EU, and it had a lot of very specific requirements in it, but it was also a global law, meaning that - so let's say I'm a citizen in France, and a company in the United States, you know, on their website, offers to let me download a white paper if I give them my name and email and, you know, some other general information. Basically, what that means is even that EU law - even though I'm a company in the United States, I'm subject to that law. I'm subject to treating that EU citizen's data in a very specific manner. And if that data is breached or mishandled or, you know, whatever, then even if I'm sitting in the United States, that EU law can affect me as a company. And that's one of the things that many people - in fact, I was just doing another webinar on this company - I don't know - half an hour ago, and that's one of the things that every single one of these privacy bills and laws around the world, but also - and I'll give you some stats here in a minute on the United States - they're all global, meaning that, you know, if a company in South Africa collects my data here in Colorado and that - their data is breached in South Africa, they are subject to the Colorado Privacy Act. Same with all of them. 
So this global reach of these privacy laws is what really has surprised lots of organizations and so forth and really made - added a lot more liability to the whole idea of collecting and utilizing personally identifiable information. 

Dave Bittner: And so why did the U.S. not follow suit with something at the federal level? Why do you suppose we've seen all of the activity at the state level? 

Bill Tolson: You know, I hate to sound, you know, kind of anti-federal government, but they just can't get their act together. Unlike the EU and - you know, many other countries around the world have developed country-wide privacy laws as well. Brazil, China - India's in the point of passing one. I would say two-thirds to three-quarters of all the countries on the globe have some form of data privacy now. By the way, Canada does have some, but they're trying to upgrade it right now, and they're having a little bit of problem getting it through the Canadian Parliament, but it'll probably get through by the end of this year. But the U.S. Federal Congress has had a difficult time coming to, you know, a meeting of the minds as to what the various rights should be. Now, all of the state laws that - state bills and laws - there are actually four passed privacy laws in the United States right now - for California, Virginia, Colorado and Utah just last week. They all use versions of the GDPR rights - you know, the right to deletion; the right to - the right for me to access any personally identifiable information that a company might be holding; the right, you know, to have data deleted that you don't want to be used for special purposes. They all use versions of most of these things. So they - many of the bills are built on parts of the GDPR, but the federal government in the United States - just, you know, with what's been going on with the Senate and the House - they have not gotten - been able to get to the point for years to really agree on what those basic rights are, and we really need to agree on those basic rights. I mean, there are - boy, I think there are probably more than 10 privacy bills - no, maybe 18 privacy bills in the U.S. Congress right now. Only about two of them really approach GDPR-like capabilities. One is from Senator Gillibrand in New York and one is from Senator Moran, I think, in Kansas, but they won't make it out of committee either. 
So I was just talking to an expert, literally 2 hours ago, and I asked him the question - when do you think a federal superseding law is going to be in place in the United States - and it needs to be superseding so that you can not worry about, eventually, the 50 state laws - and they don't think it's going to be there for another four to six years. 

Dave Bittner: So where does that leave organizations, you know? I'm a business owner here in the U.S., and this is something I'm concerned about. I want to do my part to protect the privacy of the folks making use of my services. How do I navigate this? 

Bill Tolson: Well, and this is - kind of the big point here is that when you have - you know, I think there's 196, 197, you know, distinct countries on the globe, but then you got, you know, the - Canada has various provinces, and they have their various laws. In the United States over the next several years, you're going to have upwards of 50 specific laws. The problem is going to be the complexity of any company anywhere being able to, No. 1, follow what all of these hundreds of laws are and being able to comply with them. Because, you know, one of the things that you look at is - let's just take the United States right now. There are currently 33 state privacy bills in the various state legislators around - legislatures around the country in what amounts to about 18 states. So there are numerous, you know, bills in single states and those kinds of things. The problem is going to be over the next couple of years - and it already occurs, but over the next couple of years is, they are not exact carbon copies of each other. So some include these rights, others include most of those rights but some other ones. They all define things differently. What's a data controller versus a data processor? What is sensitive data versus personally identifiable information? And they slightly differ, you know? What are the exemptions, you know? What companies are subject to the laws and which ones aren't, what kind of industries are, you know? Usually, they exempt, you know, government agencies - they always exempt themselves - but, you know, colleges, nonprofits, those kinds of things. But they're not all the same. So what this means is, say, in two years, a company is going to be looking at this and saying, well, gee, like any company, we collect client data, you know? We, you know, offer a white paper to download if they, you know, give us some information and stuff. That's all personally identifiable information. 
So if I get a data subject access request, which is a right that they are all going to have, it means I, as a citizen, can contact any company and ask them, what of my data have you collected? And they have to respond in a certain amount of time, whether it be 15 days or 30 days, which means they have to know where all that data is, No. 1. And they can't miss any of it. But then they have to figure out, what rights does this guy have based on the state or country they live in? And how am I going to answer that? So you could be looking at variations in the hundreds of things that a company is going to have to figure out before they even respond to a data subject access request. And then, what kind of data do they have, how many data repositories? Have they found all the data on? Because, you know, one of things I was just talking about this morning with an expert is, there is personally identifiable information on my laptop, on an employee's workstation, on removable media. And, you know, most IT organizations do not sync that stuff. They don't know what's there. So they can't respond in a manner that says, yes, we found all your data and via your request, we deleted it, because they don't know. They don't know what's on my laptop. 

Dave Bittner: Right. Right. So you have a salesperson, you know, out in the field who's gathering customer information, hasn't necessarily synced it all with home base, then that's an interesting dilemma. 

Bill Tolson: Oh, it's going to be a huge liability for companies because, you know, these - this kind of stuff, it's already being used as an offensive weapon by individuals, especially around GDPR and the California law that was early on. You know, they could flood a company with requests for information. And then, you know, they can say, well, delete it all. And then later, they can come back and say, you know, prove to me you deleted it all. By the way, did you delete that stuff on backup tapes (laughter)? No law addresses that. 

Dave Bittner: You know, I recall when GDPR came online. There was a lot of thought that it was going to become kind of a global lowest common denominator, if you will, you know, that because - if you wanted to do business globally, you had to comply with this. So it would become the privacy blanket that would cover the globe. To what degree has that happened? And is there a possibility of a lowest common denominator here stateside? 

Bill Tolson: Great question. No. The hope was, like you said, that it could have acted as the template for everything. But, you know, as you probably realized, with different governments and different government employees (laughter) and different cultures and all kinds of stuff, it quickly started to diverge. So they're not - I mean, Brazil's, you know, countrywide privacy law is not like China's. It's not like Australia's. It's not like India's. You know, they have things in common. But you - what I refer to is, could we pick - even the United States, could we pick a high watermark law, like California's, and say, if we meet that one, we meet all of them? No. Again, because of the derivations of the laws - you know, one says that a data controller is this. The other one slightly differs, which means there is some slight difference. In fact, one I was just talking about - I did a podcast with the state senator in Utah who authored the new, just last week, Utah Consumer Privacy Act. And the other three state laws currently in effect - California, Colorado and Virginia - basically say that, you know, if a data - if a citizen asks you what kind of data they have on you and they want you to delete it - if there's no regulatory or e-discovery legal reason not to - then you have to delete it all. Utah's basically says, the company only has to delete that data that they got directly from that citizen. Publicly available personally identifiable information does not need to be deleted. And that is in many of the other state bills that have not made it into law yet. So you're going to be looking at what amounts to a difference in - what do I have to delete... 

Dave Bittner: Right. 

Bill Tolson: ...Based on where this data subject is sitting when they requested I do something? 

Dave Bittner: Well, and define public. 

Bill Tolson: Yes. Yes. Did you - I mean - and I was talking to that Utah senator. And I said, does that mean that data that a company bought from a data broker is not subject to those rights? And he said, absolutely. 

Dave Bittner: Wow (laughter). 

Bill Tolson: Only that data they got from that form they filled out to download that white paper. Now, that's not all the states, by the way. But that's the kind of differences you're looking at and the complexity you're looking at with these laws. 

Dave Bittner: So how are companies actually doing this? I mean, how are they making their best effort, taking their best shot, at being in compliance here, as it seems like we're heading down a path of more and more complexity? 

Bill Tolson: Well, in reality, they're not. And like the early days of the GDPR back in 2018, many companies and organizations just sat back and said, I'm not going to spend any money until I see how this is going to, you know, happen over the next several years, you know? I might go spend $3 million on some software and hardware that, you know, doesn't meet their requirements, so I'm going to see what happens. And in the first year of the GDPR, you know, the authorities were not aggressive at all. There was only, I think - I don't know - half a - you know, a couple of hundred million in actual fines. And then, the following year, it went up by 10%. And the following year, it went up about - but last year, in 2021, it jumped massively, the activity and the aggressiveness in it. Last year, they fined the companies over a billion euros for just GDPR noncompliance in various things, little things, not major things. I mean, there was one that just came out where - one legal decision just came out that said, you know, this law firm in Ireland - and I might have that country wrong. But, basically, it was, their website was not asking if they could place a cookie on the individual's laptop. They were assuming that if they were looking through the website, then they assumed a consent, so they did it. And the GDPR fined them a large amount of money. And that's the kind of aggressiveness that we're starting to see now. So in the States, companies - right now, we have four laws. California's law, the CCPA/CPRA, is actually in effect. Virginia, Colorado and Utah's don't become active until 2023, so there's a little bit of time. GDPR has been in effect for quite a while. But then you look at - you know, Canada has several privacy laws that have been active for years. Brazil's is active and China and all these other ones. So I think most companies are just standing back. I wouldn't say they're ignoring it, but they're watching it to see what happens. 
And I think many of them are - at least in the United States - are hoping that the federal government will, you know, get their act together. But I think we're a ways from that. But they're - you know, many companies have liability around this issue right now. And, again, when you start seeing external law firms, you know, using these laws as an offensive tactic to go after companies just to kind of ring their bell a little bit and see how they react, that is going to get lots of chief information security officers and chief privacy officers and CEOs very nervous because, you know, the fines on these bills can be massive, you know? In California, it's, like, $700 to $2,500. But that's per record. That's not per breach. That's per, you know, gee, my data was breached, as well as 1,000 other consumers. And that's 1,000 times 2,000 - or 2,500. And in Colorado, where I'm based, the minimum fine is $20,000 per record. So you could see that, you know, the liability, the risk is there. So companies have to really be looking at this. But, you know, a company, you know, somewhere that is holding 10,000 personally identifiable information records on Colorado citizens, they put them out of business overnight. 

Dave Bittner: Yeah. I think about, you know, it's just - I don't know - an unsuspecting mom-and-pop who's making their good faith best effort, you know? 

Bill Tolson: Exactly, you know? You got a website on WordPress that, you know, has the ability to, you know, or take information and sell things. All of a sudden, you're potentially subject to privacy laws around the world because you don't know who's signing onto your website to buy something until they place the order. And then all of a sudden, you got the stuff. So it is a massive liability that countries still need to get their arms around. And what this is going to do to the cost of running a business - like you say, even a small business, but even, you know, the medium-size to very large ones, you're going to have to - either a company is going to have to put things in place that say, you know, we're not going to collect any kind of personal information, period, which is going to be hard to do if you want to keep doing business, or they're going to have to take a risk. Or they're going to have to spend huge amounts of money with consultants and lawyers and all kinds of things. So it's going to cause the price of everything to go up just to protect against these privacy laws. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: I'm sympathetic when it comes to the matter of compliance fatigue because his job sounds really miserable. 

Dave Bittner: (Laughter). 

Ben Yelin: I've done compliance work, and it's tedious. There are a lot of sources of law in the world that we live in - federal law, state law, local regulation and international law, international treaties. 

Dave Bittner: Right. 

Ben Yelin: And if you have responsibility for your organization avoiding legal liability, that's a lot of work. And I completely understand that. From the public's perspective, it's interesting - and he mentioned this - how these laws, even though they're limited in their effect to the specific geographic areas to which they apply, end up having broader application because if you have to change your practices to comply with GDPR and you have to change your practices to comply with CCPA, you're going to change your practices generally. You're generally not going to have separate regimes in terms of privacy protection for the other 49 states in the United States... 

Dave Bittner: Right. 

Ben Yelin: ...Or for the other countries in which you sell that data. So I am certainly sympathetic to compliance officers, the poor attorneys who actually have to do this work at these organizations. But I think from a public policy perspective, it's interesting that the reach of these laws extends beyond jurisdictional boundaries. 

Dave Bittner: So with something like GDPR, it extends the reach beyond the EU just almost as a matter of convenience. 

Ben Yelin: Right, exactly. I mean, if they're going to have to comply with the GDPR regulations, they'd rather not have separate regulatory regimes for U.S. customers and European customers. That's why, in 2018 and 2019, we all got a million emails saying our terms and conditions have been revised... 

Dave Bittner: Right. 

Ben Yelin: ...To comply with GDPR. 

Dave Bittner: We have to agree to cookies. 

Ben Yelin: Yeah, exactly. 

Dave Bittner: (Laughter) But, I mean, the case could be made that that's not fair, that the EU shouldn't be able to have that global reach, you know, because of - just because it's easier that that's not the way it should work for those of us who are outside of the EU, right? 

Ben Yelin: I mean, it really isn't fair because we have no democratic recourse - small-D democratic. 

Dave Bittner: Yeah. 

Ben Yelin: If we didn't like what the EU does, unfortunately, unless you have some citizenship arrangement I don't know about, we can't vote for members of the EU Parliament... 

Dave Bittner: Right. 

Ben Yelin: ...Which means we have no impact on these changes. You and I live in Maryland. We can't vote for California state legislators. So we have no impact in what happens to the CCPA. 

Dave Bittner: Yeah. 

Ben Yelin: But that's the nature of how this legal field is evolving. What would help solve this problem in the U.S. is federal legislation. But I think our interviewee expressed... 

Dave Bittner: Right. 

Ben Yelin: ...The general frustration... 

Dave Bittner: Right. 

Ben Yelin: ...As to the fact that that's not happening and gave some insight into why that's not happening. 

Dave Bittner: Yeah. 

Ben Yelin: So I don't know how many times we can say on this episode and every other that it is incumbent upon our federal legislators to make things uniform, help your fellow compliance officers, and just have one set of data privacy rules and regulations that apply across the country. 

Dave Bittner: Right. 

Ben Yelin: I feel like once that happens, we can quit our day jobs. 

Dave Bittner: Yeah. Yeah. 

Ben Yelin: We've been banging that drum for a long time now. 

Dave Bittner: The idea of a functioning Congress is just adorable, isn't it? 

Ben Yelin: It sure is. It sure is. Yeah. It would be really nice if we had... 

Dave Bittner: Right. 

Ben Yelin: ...A functional... 

Dave Bittner: Right. 

Ben Yelin: ...National legislature, but... 

Dave Bittner: Yeah. 

Ben Yelin: You know. 

Dave Bittner: Yeah. Well, all right. Well, again, our thanks to Bill Tolson. He's from Archive360. We do appreciate him taking the time for us. 

Dave Bittner: And that is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.