With over thirty years’ experience as an international employment and data protection attorney, she is considered one of the world’s leading experts in data privacy laws. On a recent visit to Australia, Fitzpatrick sat down with ARN to discuss her role, what she is doing in Australia, the impact of the Cloud phenomenon and the Trans Pacific Partnership.
Why have a data privacy officer?
NetApp has always taken data privacy extremely seriously because we are a data management company. You can’t be a data management provider and not understand that data is your greatest asset, and if that data is breached, you have substantial problems.
Eight years ago I built the data privacy program at NetApp and we took a conservative approach which was unique in the industry. We looked at each country in which we operate and comply with the data privacy laws in those countries. We took an aggressive, proactive and unpopular stance that has proven to be very successful. Privacy has been an afterthought but now it is moving up front.
What brings you to Australia?
I was invited to meet with customers whose greatest concern right now is data privacy and data sovereignty especially as they are moving to the Cloud. We have been talking about some of the issues involved in cross-border transfer flow.
Do you think the Cloud movement in general has brought the privacy debate to the forefront?
Absolutely, the Cloud is the direction of the future but any technology moves faster than the law and because of the virtual nature of where that data might be, privacy has become a critical issue.
Traditionally, companies only thought about security and even though they should have addressed privacy, they never did, the Cloud is making it more critical now. Primarily they are concerned about where their data will live. There are a lot of issues that are not security related, they are privacy and sovereignty issues that customers are starting to question.
Can encryption solve any of these data privacy issues?
Not entirely. If you think about a wheel, data privacy is the wheel and security is one spoke on that wheel. Encryption addresses the issue of security but from a data privacy point of view, it doesn’t address the whole problem.
The issue is where the data is being stored and who owns and processes the data. That is something encryption can’t help with as it doesn’t address the cross border issues of where that data is going to and when it gets to another jurisdiction, what laws will apply that protect that data.
How can channel partners navigate this minefield?
First and foremost, they need to understand what the laws are. They need to understand data privacy at least at a fundamental level. Then they need to understand what data people are talking about so if they are selling a solution that is enterprise wide and includes personal data. Healthcare, Finance and Government are three industries that data privacy affects the most. The customer is going to look to the channel partner not the vendor to answer those questions.
It’s a matter of asking the right questions before moving to that Cloud environment. It’s not only about where that data lives but also getting the flow of the data, what third party will have access to that data. These are all questions that come before the security questions.
You need to classify the data as well on you know exactly what type of data you hold. If you are managing a service then you need to understand what obligations you have as a data processor.
Even though data privacy is not a new field, it is a fairly evolving field and still niche. Very few companies have that ability in-house so they are engaging law firms for assistance. It is about finding that trusted advisor who can help you.
Will the Trans-Pacific partnership affect these issues?
It is going to have an impact because it will affect the free movement of data. The TPP is going to be related more to company information than personal information.
The privacy laws in many ways are not looking favourably on the TPP agreement. The biggest fear right now is non-compliance, especially when you look at the countries that are part of the TPP and have very restrictive privacy laws and considering the US has the least restrictive privacy laws.
We have not heard a lot in terms of what the outcome will be but certainly the Australian privacy commissioner is looking at it based on the new APP’s (Australian Privacy Principles) that came out in 2014. Europe is also looking at it and its impact on the new global data protection regulation.
These negotiations are done this way on purpose so if a country likes the deal they get on beef imports but not privacy they will still sign, is this a bad way of getting privacy laws across?
It is a very bad way because when they put in the context of free trade and the benefits involved, privacy laws are always the ones that get tossed aside. Due to increasing discontent from the amount of data breaches and privacy violations that have occurred and the nature of technology moving faster than the law and the proliferation of Big Data, privacy is starting to move up.
Certain jurisdictions are saying ‘if you want this, we need more privacy’. A perfect example is the negotiation going on between the EU and US on the Privacy Shield. Right now the leverage is not in the US’ hands, it is in the hands of the European court of Justice and the EU Data Commission. They are telling the US if they want that data, they will have to put laws in place to protect it.
I think privacy is getting a little more leverage than it had before, but when push comes to shove, it will be the one tossed aside.