Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

June 2019
Prepare for a bumpy road ahead as we motor into 2020 and beyond.
When Eric Goldman was an undergraduate thinking about a legal career, he had no inkling that in time it would involve teaching, and that a major focus would be privacy. “When I was an undergrad,” he recalls, “everyone wanted to be Michael Milken. We all had dreams of going into investment banking and making $550 million in one year,” as Milken did in 1987, a few years before he went to prison. Goldman earned a J.D. and an MBA in a joint program at UCLA, and his plan was to become a real estate developer. But that plan was upended in a funny way. It wasn’t a fascination with a legal course that changed his mind. It was something he was given at business school that everyone has long since taken for granted, but back then was new: an email account. It was 1991, and for Goldman it was love at first sight: “Email was something that I had always wanted but never knew it until I had my first account.” The internet quickly reordered his priorities, he says. “I became so interested in internet law, as we now call it, that I decided that that’s what I wanted to do instead of real estate.”  
     There were zigs and zags before he found his way to Santa Clara University School of Law, where he has burnished a program and his reputation over the past dozen years. There was a stint at Cooley Godward, followed by a job as general counsel of an online consumer review startup. He hadn’t plotted an academic career, but he began teaching internet law as an adjunct in 1996. He loved it. Six years later, he and his wife moved to Milwaukee, where he taught at Marquette University Law School for four years before they returned to Silicon Valley. It turned out to be the right place and the right time for a law professor who loved internet law. And a year after the General Data Protection Regulation went into effect and the California Consumer Privacy Act passed seemed to be a perfect time to talk to him about the bustling world of privacy and cybersecurity.

CyberInsecurity News: Would there have been a California Consumer Privacy Act without the EU’s General Data Protection Regulation?
Eric Goldman: My view is that the CCPA could have come into existence without the GDPR—that the CCPA was really the barometer about consumer fears and anger toward internet companies abusing privacy.

CIN: Would there have been a CCPA without California’s ballot initiative law?
EG: No. Absolutely not. The only reason the CCPA is on the books is because of the fact that California had a procedural workaround to the legislature.

CIN: Would there have been a CCPA without the Cambridge Analytica scandal?
EG: Possibly. I mentioned the fear and anger among consumers about internet company privacy practices. There have been so many mistakes, many of them coming from Facebook, that Cambridge Analytica is just the one that went viral. One of the other ones could have gone viral instead.

CIN: What should in-house lawyers be doing to prepare for January 2020, when the CCPA goes into effect?
EG: I hope they’re already working on the answer to that question. Whatever privacy programs that companies already had in place before the CCPA, they’re still going to have to do a substantial amount of work to adapt those privacy programs to the CCPA. That challenge is exacerbated by the fact that we don’t know the full scope of responsibility to comply with the CCPA. We’re still waiting for the California Attorney General’s Office to tell us the pieces that they’re responsible for. We’re not going to get that before January 1, 2020. So companies are in the awkward position of making adjustments to a CCPA compliance program without knowing what the CCPA is actually going to require of them. I don’t have any easy solution for companies to navigate that challenge. Clearly the No. 1 thing they need to do is keep track of the legislative developments and the attorney general rules as they come online. But companies can’t wait to get started. They should be starting now and keeping track of the rules that are changing on them.

CIN: When will the AG’s enforcement get started?
EG: The statute says that it goes into effect January 1, 2020. The statute also says that the AG’s office can begin enforcement of the law no earlier than six months after it completes its rulemaking procedures or by July 1, 2020, whichever comes first. What’s going to happen is that the AG’s office will not complete its rulemaking procedures until after January 1, which means that the law will be eligible to be enforced on July 1, even if the office hasn’t completed its regulations.

CIN: Can lawyers whose companies have already been through the GDPR preparations relax?
EG: No. In fact, they need to be even more vigilant to find all the ways that the GDPR and the CCPA diverge from each other, and then adapt [Office3] their program and their infrastructure accordingly.

Prospects for a Federal Privacy Law
CIN: What are the odds that federal privacy legislation is adopted in 2019?
EG: I would say that the odds are virtually zero.

CIN: How about in 2020?
EG: The longer we go, the harder it is to see the future. But let’s say the odds are 10 to 20 percent for 2020. There’s a lot of energy inside the Beltway on developing a federal privacy law. But I don’t know how much horse trading is going to have to take place to build a coalition of legislators and lobbyists to agree on a solution, and that might take more time than 2020.

CIN: Think it’s going to be a campaign issue that year?
EG: In some ways, it already is. All the techlash efforts that are being rolled out by the politicians signal to voters that legislators are prepared to be tough on technology, and that definitely includes privacy. Whether privacy gets singled out as a campaign issue is a little less clear, but whenever candidates are talking about technology, voters are hearing privacy.

CIN: Realistically, do you think a federal law can pass that does not pre-empt state laws?
EG: No. That would make no sense. It has to pre-empt state laws, or else all of the opponents to privacy laws will swamp the effort. And from my discussions, I think everyone gets that.

CIN: What effect, if any, do you think the growing talk about breaking up or reducing the power of the big tech companies will have on the prospects of federal privacy legislation?
EG: When we talk about breaking up internet companies, really it’s Google and Facebook. Those are the only two targets. And most of the energy is directed toward Facebook. And in general, trying to develop regulatory efforts to target a single company is terrible policy. It never works out well. So every time Facebook makes a gaffe, that increases the odds of the federal legislators getting together and trying to punish Facebook. But it also increases the odds that we’re going to get a garbage policy at the end of that process.

CIN: But that doesn’t mean it won’t happen.
EG: Right. But if the alternative is federal garbage or state garbage, it might still be better to have federal garbage. At least we might have a single stupid rule as opposed to 51 stupid rules that are inconsistent with each other.

CIN: Has there ever been a better time—a more exciting time—to specialize in cybersecurity and privacy than right now?
EG: Looking at the past, no. I don’t know what the future holds, but privacy and cybersecurity are essential parts of our future, and I feel good telling students that they’re going to be in demand for the remainder of their careers if they invest in privacy expertise. I feel the same way about cybersecurity. Though that field is a little more nascent[Office4] , the demand for cybersecurity expertise is never going away.

When Law Schools Started Teaching Internet Law
CIN: Let’s review how we got here. You landed at Santa Clara in 2006. When would you say that this area of the law emerged as a major area of study?
EG: As far as I know, the first cyberspace/internet law course was offered in 1994. There were probably a couple of dozen courses by the time I started teaching as an adjunct in 1996. Now, I would assume that at least half of the law schools have at least one class related to internet law. The 1990s was the first push, but it became much more mainstream over time.

CIN: What about cybersecurity as a field of study?
EG: I think cybersecurity law courses are now at about the same place that the cyberspace law courses were at when I started teaching in 1996. A few dozen schools may be offering it, and over time it’s going to become such a mainstream offering that most schools will have something. Right now the challenge is that cybersecurity law courses may cover widely divergent material. Some may be primarily a national security law class, and so they’re going to focus primarily on cyber warfare, or the government’s use of online weaponization. Other courses will be very commercial in nature: What must a business do in order to build a well-functioning cybersecurity law plan, and what happens if something goes wrong?

CIN: I have spoken to cybersecurity experts who told me that there’s a language problem in this field. Different people mean different things when they use some very basic terms like “resilient” and even “data breach.” Ask five people in the field what a data breach is, and you may get five different answers. Do you agree?
EG: Yes. For example, the media called Cambridge Analytica a “data breach” when it was clearly a “data leak.” More generally, there is little consensus about what the term “cybersecurity” means or what kind of work is performed by “cybersecurity lawyers,” which can range from product counseling to incident responses. The shorthand “cyber” only compounds the semantic ambiguity.

CIN: Who should have the last word on what these terms mean? Is there an individual or an organization in charge of cybersecurity nomenclature? Should there be?
EG: I think we’ll muddle through this. We had a lot of the same semantic ambiguity in internet law [Office5] in the 1990s, and most of that got resolved organically over the past two decades. I’m sure the same things will happen with cybersecurity nomenclature.

A Separate Track for Privacy
CIN: Let’s turn to privacy. What was your role in the creation of the privacy law certificate program at Santa Clara?
EG: In the 2010s, the law school had a fairly robust program for high-tech law that included a high-tech law certificate that dozens of students a year would get. I noticed that some of the students were trying to get a high-tech law certificate, but they were pursuing a specific track related to privacy that didn’t quite fit. Our certificate is focused on intellectual property, internet law and innovation, and privacy has some commonalities with these, but privacy is its own field of study. It became clear to me when I looked more closely at the issue that we weren’t doing everything we could. These students were looking for a qualitatively different set of employment outcomes than most of the other students. And that’s what spurred us to consider creating the privacy law certificate, which was the product of me going around and talking to a number of people in the Silicon Valley privacy community about the field, and figuring out if there really was a new discipline with new career options for students that we could do a better job catering to. We started the program in 2014 and awarded the first certificates the following year.

CIN: In 2019, is it possible to fully separate privacy and cybersecurity? That is, can you study one without the other?
EG: I think that’s a great question. It’s something that’s on our minds, because we want to make sure that the students who complete the privacy law certificate are prepared for the realities of their workplace. Unquestionably, the students can’t complete all the work on privacy without making sure that the cybersecurity pieces are also nailed down. As a practical matter, at many Silicon Valley employers, the demands for expertise in privacy and cybersecurity are so great that they really are two different teams. A graduate from our privacy law certificate program is not likely to do both at the same job, because the level of expertise that is required is so great, and the amount of work required is so great, that employers have chosen to break them out and specialize.

Assessing the GDPR
CIN: Has the GDPR proved as daunting a challenge for U.S. companies that are subject to it as they’d feared?
EG: No doubt that the GDPR demanded an extraordinary amount of professional expertise to implement by U.S. companies, many of whom did not have European operations. I would say that this would have looked like a bubble, except that we don’t see the back side of the bubble. That’s partially because the GDPR imposes ongoing compliance obligations that are still requiring substantial professional time. And because of new laws like the CCPA backfilling any decrease in the demand for professional services [Office6] due to the GDPR’s going into effect. 

CIN: Has the GDPR inspired many companies that are not subject to it to choose to comply, even though they didn’t have to?
EG: Saying that the companies were “inspired” to comply would not be the right characterization. Some companies might feel coerced to comply with it, for fear that they will be subject to enforcement action, despite the fact that they have no European operations, no people on the ground, no assets on the ground and no legal ties to Europe. I do think that a number of U.S.-only companies have “chosen” to comply with the GDPR because of the amorphous nature of the GDPR’s obligations.

CIN: Some outside lawyers we’ve interviewed have talked about their clients’ decisions to try to comply with the most stringent privacy laws because the number of them was mounting in all these different locations. So they decided, “If we comply with the most stringent, that will be safer. And maybe we’ll be offering the best service to our customers.”
EG: Some companies have been pretty foresighted about the likelihood that additional privacy regulations could be coming online and that the GDPR was not the last stop, therefore investments should be made in building a more adaptable or more comprehensive privacy program than simply checking the boxes for GDPR. The problem is that it’s not really possible to comply with the most restrictive privacy laws and still feel like you can check off all the boxes on some of the less restrictive laws, just because they’re different. A classic example is the fact that the CCPA defines personal information to include household information, which is not covered by the GDPR. Complying with both of them at the same time will at a minimum require building new infrastructure. Even if you thought you had complied with everything that the GDPR required, you now have to redo the work, and it’s possible that you cannot allow personal information to include household information under the GDPR, because that would have conflicts with other parts of the GDPR. The real problem is that the laws are inconsistent with each other, so complying with the most restrictive doesn’t actually fix the problem.

CIN: Do you think the GDPR has been good for the European Union and beyond?
EG: The GDPR has certainly given Europe a moral and administrative leadership on privacy. Because the EU is such a big market, because they’ve come up with a comprehensive approach to privacy concerns, their law is viewed as the privacy law that everyone looks to. Whether it’s been good for Europeans as a policy matter is unclear, and that’s a question we should all be asking. Whether it’s been good for anyone outside of Europe to be caught in a web of compliance efforts built to deal with the GDPR is also unclear. Some people are being given privacy rights for the first time that are not required by local law, just because a company complies with the GDPR across the entire enterprise. Others might be losing benefits or being restricted from services because of the GDPR in ways that they have no control over. They don’t even get a vote, because they’re not European citizens. I don’t know that we have a single, definitive view on whether the GDPR has been successful for anyone, including whether it’s been successful for Europe or European residents. I think that’s still a question that we need to answer.

The Role of Privacy Officers
CIN: Some companies subject to the GDPR had to hire data protection officers. Is the subject of hiring data protection officers or privacy officers something that you and your students talk about?
EG: When I first saw the DPO requirement, I thought that was going to be a huge win for our students. But it’s not clear that it will be, because I don’t know how many American lawyers are going to end up acting as DPOs for their enterprises. I was hoping that we were going to see some extra activity from that. We haven’t seen it yet, at least not here in Santa Clara. As for the broader phenomenon of companies recognizing the value of privacy and appointing experienced executives to lead that function in the organization, unquestionably things have gotten better for privacy professionals in the last few years. Even when we had CPOs a few years ago, often they weren’t viewed as part of the core executive management team. They had a “chief” title, but they weren’t really viewed as part of the C-suite. And I think that at many companies—especially here in Silicon Valley—somebody in the C-suite has to own privacy. I don’t think that companies are being deluded about that anymore.

CIN: And do you think the person in the C-suite who owns privacy should have a job title with privacy in it, or could a general counsel own that role?
EG: That’s an interesting question, and one we’re still seeing an evolution on. Certainly we could have a chief privacy officer who could be his or her own stand-alone head of a department that deserves access to the C-suite. Or they could report to somebody who then acts as the executive in charge of privacy in the C-suite. I think we’re seeing experimentation on that front. Different companies are handling that differently today. I think over time most companies that call themselves technology companies are going to have somebody in the C-suite who views privacy as an essential part of their job, not just one of several.

CIN: That’s a good place to stop and wrap up. What three points would you like to leave with our readers?
EG: First, congratulations for making wise career choices in getting to the place where you’re at, because you should have full employment for the rest of your career. And many of my students wish they could be in your shoes! Second, state privacy and cybersecurity laws are a problem. They create inconsistent obligations across the nation that only impose entry barriers and often do nothing to improve outcomes for consumers. So I encourage all of your readers to support federal pre-emptive legislation, so that we can get past state-by-state variances that really don’t improve outcomes for anyone. Third, we at Santa Clara University are manufacturing [Office7] students who have a surprising degree of specialization and expertise before they walk out the door. Things are getting better in law schools as we to try to meet the needs of the profession, and I’m hoping that this will create opportunities for your readers to find good entry-level talent straight out of law school who can help them.