
The Privacy Insider Podcast
The Pig Around the Corner: Privacy and Trade with Constantine Karbaliotis of nNovation LLP
As questions of trust, surveillance, and data sovereignty become central to global trade, businesses face mounting pressure to prove not just compliance but true accountability. That’s why we turned to Constantine Karbaliotis. With new international regulations, collapsing frameworks, and the rising costs of poor data governance, the stakes are high and urgent.
About Our Guest
Constantine Karbaliotis, Counsel of nNovation LLP. His career spans privacy law, international trade, and corporate governance. Constantine’s global perspective and hands-on experience with cross-border data flows make him the right voice for this moment.
Episode Highlights:
- (04:57) Humor can be an effective tool for communicating complex compliance messages.
- (11:05) Career paths in privacy often emerge from multidisciplinary backgrounds.
- (20:11) Data is becoming the central driver of economic and political power.
- (27:10) Fixed laws struggle with rapid change, but adaptable rules offer a sustainable solution.
- (30:51) Privacy compliance is increasingly tied to business growth and market access.
- (38:21) Poor data governance creates long-term organizational risk.
- (42:47) Enforcement and litigation often reveal underlying retention failures.
- (47:33) Boards and executives are being held more accountable for information management.
- (52:56) Restoring global trust will require renewed commitment to transparency and legal cooperation.
[00:00:00] Constantine: The reality is that, you know, again, we do not govern data well or properly, and this is going to lead to a host of problems. I often tell people a, a data subject access request is a penetration test of your privacy program.
[00:00:39] Arlo: Well, welcome to the Privacy Insider podcast. In the US, trade is in the news, on our mind right now. Even those who never think about trade at all. Raw materials, manufactured goods, and yes, tariffs on both of those things. But trade involves data too.
[00:00:55] Arlo: Products, data transfers, and adherence to privacy. And now AI laws around the globe. Following those privacy laws can make international business and trade deals easier. Ignoring them could spell disaster for a business wanting to do business in the EU or elsewhere. What are the best practices? How do businesses use privacy as a strategic advantage in trade and how does this current global situation change things?
[00:01:21] Arlo: Constantine Karbaliotis is a lawyer and expert in privacy, international trade, and a Canadian. That last one is important because we Americans benefit from another outside perspective, and Canada is also a thriving global trade partner. Counsel at nNovation LLP, a boutique privacy firm in Canada, he was the privacy leader at two large multinational companies, Mercer and Symantec, and frequently writes and lectures about international privacy and data protection. And he's the only person to ever do standup comedy at the IAPP Global Privacy Summit, which means that he's not only the funniest man in privacy, but he's also the biggest name in privacy.
[00:02:07] Arlo: Constantine, welcome to the show.
[00:02:10] Constantine: Thank you so much for having me.
[00:02:12] Arlo: It's a real delight to have you, and you know, we're just gonna dive right into the most important topic, which is comedy. Because I know that it is incredibly unusual to do standup, and I'm really, really excited to learn a little bit how you ended up in here. So, I just wanna hear more about this comedy show and what happened and how you ended up there.
[00:02:33] Constantine: Well, the IAPP had introduced this thing, which I'm sure you're familiar with, a Little Big Stage. And when they had first done it, they didn't have every slot filled up. So they foolishly said to me, we have a 20 minute slot that is open. Would you like to use it to talk? I said, of course I do. Now, of course, they didn't actually ask me what I was gonna talk about. So I went up and I started telling jokes. It started with, I don't know what's funnier, that you paid to come here to listen to me tell jokes, or that I paid to come and tell you jokes, and it went downhill from there.
[00:03:10] Constantine: So they've never actually repeated the exercise because clearly they learned their lesson. In general, I think that the audience was amused with, you know, the comments, a lot of just stories from the practice of, you know, just trying to manage a privacy program in large companies. Shared pain is less painful.
[00:03:28] Constantine: If you don't laugh, you cry, they say. I got people laughing over what they were crying over. So it's, again, you know, it's a cathartic kind of approach to dealing with the stresses of privacy.
[00:03:40] Arlo: Well, not, not having been fortunate enough to attend that show, and I certainly won't ask you to repeat them. Like, what do you exactly joke about when you get, I mean, this is a very serious crowd.
[00:03:51] Constantine: Well, yeah. One of the things I always love telling Americans is, the Europeans think we're adequate and maybe that it's actually damning with me. Praise, but it then ties into the topic we're gonna talk about, which is trade. So, you know, there are so many different things, and I mean, of course, just telling stories from the various and sundry exciting things that employees have done with personal information. Like, why on earth would you use real data in a training class situation, of your ex-boyfriend and his current new girlfriend, to demonstrate to the class how to access the system?
[00:04:25] Constantine: It's really, you know, like, again, you know, you can only laugh at these things because otherwise you cry, and we all have these stories. I mean, and this is where I think you have to be careful, of course, to keep it relatively anonymous, protect the reputation of the guilty. But at the same time, these are always the stories. I mean, people learn from stories. And anecdotal funny stories are often the best ones. My favorite way of leading in often, especially to people who are non-privacy, to tell the story of the pig. So,
[00:04:57] Arlo: Are you gonna tell us the story of the pig now? Because I'm dying to hear it.
[00:05:00] Constantine: It's a very important compliance story. This guy was having this really bad day. He decided to take a drive in his convertible through the hills. You can imagine this, you know, maybe in California, Road. And he's beginning to relax and feel better about life until a car goes in the other direction and a woman sticks her head out of her car and yells "pig" as she goes by, and he gets all mad and upset and he's going, why is she calling me a pig?
[00:05:27] Constantine: She doesn't even know me. He puts his foot on the accelerator, goes around the next curve, runs back into a pig. And that's our job, is to tell people about the pig around the corner. They often hear that their systems are piggish or that their processes are piggish and they're not really listening to the message which we're trying to deliver, is that there's a pig around the corner, and unfortunately, most of the time our job seems to be cleaning up the bacon.
[00:05:51] Arlo: I love that you're able to take such an often dry topic and make it so entertaining. Was comedy always something that was a piece of you? Was it a way to deflect? Was it something you did because you were a standup comedian? Like, how does this...
[00:06:06] Constantine: I don't know. I think most lawyers are frustrated comedians of some form or another, you know? And I've always said, you know, the reason I didn't go into standup comedy was because everyone kept telling me to sit down. So, I don't know.
[00:06:19] Constantine: I think it's a way of softening messages. It's a way of, you know, like communicating to get a message across so that, yeah. You know, the sort of backhanded compliment was, you know, in various trainings, "I never thought privacy could be so interesting." And I'm going, oh, thank you. I've just devoted my life to this, you know, but okay. And, you know, but that's exactly the kind of point we always have to reach, is to get the message across, to persuade people. 'Cause we're always selling, right? We're always selling this
[00:06:50] Constantine: thing called privacy. We're educating and selling. And in my experience, where privacy people fall down is we haven't taught them that soft skill, right? They think that, you know, these rational, logical arguments should work. Well, you don't know people then, right? Because that obviously is clearly not a winning strategy.
[00:07:11] Arlo: We are not a rational species many times.
[00:07:13] Constantine: Yeah, yeah. No, I'm fully convinced. The real reason we haven't made contact with alien intelligence is that they're staying well away from us. Again, the bane of our existence is that we have to, you know, deal with human beings. But if we understand them and we understand how to get them on board, then I think we're just more successful in our roles and we're probably less frustrated. But I like to think that I'm funny.
[00:07:36] Constantine: My wife and children beg to differ frequently. I also have this audience in the background, but it doesn't stop me, clearly.
[00:07:46] Arlo: Well, you and me both, I can commiserate on. My wife does not enjoy my jokes nearly as much as I do. This is so fun. I'm really enjoying the conversation already. So tell me a little bit about your background. I mean, so you're Canadian, you're funny, you're in privacy.
[00:08:01] Arlo: You've held a lot of really important roles, but I'd love to know more about you as a person. Where'd you grow up? What got you into privacy? Tell me about you, because I find that that's one of the things about privacy, is there's no linear path. Nobody ever woke up and said, I wanna be a privacy attorney someday.
[00:08:21] Arlo: Everybody ends up there through some unique set of circumstances, and I'm just dying to know what yours are.
[00:08:27] Constantine: Well, mine's a pretty circuitous path, and it's kind of interesting how, when I started, it helped me end up where I am, if that makes any sense. So I grew up in Edmonton, in Alberta, Western Canada, and that, you know, your listeners, is one of the places in the world where we know that minus 40 Celsius and minus 40 Fahrenheit are
[00:08:48] Constantine: the same, because that's where the scales coincide and it frequently reaches that temperature.
[00:08:53] Constantine: So we're a very hardy group, by the way. And so I grew up there and I was very keen on sciences and computing science, you know, in my teens and early years. But I decided that we had more than enough technology people. And what we needed was, you know, more law, in fact law that governed nations. Because I was convinced at that point in time, it was still the Cold War, dating myself, that, again, we needed to govern countries. So I decided I wanted to go into international law. So I went to Queen's University at Kingston in Ontario. And you know, it was a great school, and I was doing transborder data flows in 1981. Went to a conference on it, and it was like, the intersection of law and technology really fascinated me because I was, you know, really technology inclined. And so, but it's very difficult to find roles at that time in Canada in international law. So I started practicing law of big focus.
[00:09:53] Constantine: Actually, my first job was not practicing law. After my call to the bar, I was working, doing expert system development for a software publisher. And that was automating legal documents and processes. So I got early on a very heavy experience in technology at a time that most lawyers were just terrified of, you know, they didn't even have a computer on their desk. I was better known for that than I was for what I was doing in law. I was invited to join a consulting firm, a large consulting firm, and to join their practice advising law firms and legal departments on automation. So I was an IT consultant for eight years and one day, you know, it's dangerous to be, you know, between projects, on the bench as they say, because I was walking by and this project manager said, you, you can read a law, you're my privacy manager. And that's how it started.
[00:10:47] Arlo: That tracks. That tracks just somebody handed it to you.
[00:10:50] Constantine: Yeah, exactly. And so I led what turned out to be a massive sort of exercise to do PIA in Ontario for the Ontario government. Got four ministries to agree to something, which apparently was somewhat remarkable at the time. And that's where it started.
[00:11:05] Constantine: I ultimately led the security and privacy practice for this company in Toronto. I went to Symantec, I ran their global privacy program, went to Mercer, became the Chief Privacy Officer. I did actually also return to my roots. I worked for Nymity, leading their sales group.
[00:11:23] Arlo: Yes, Nymity, and they, they were acquired. Right?
[00:11:26] Constantine: TrustArc.
[00:11:26] Arlo: Trust. That's right.
[00:11:28] Constantine: Uh, but it was acquired, it was acquired after I had left. But you know, I know things from your side because I actually, you know, and in a sense it was just coming back to where I started, which was practice automation, right? But what I experienced going through, you know, Symantec and working at Mercer was I realized, oh my God, I'm doing international law. It was the thing that I had started out to do and now I was doing it in the area of privacy, but I was doing it. And I was helping to negotiate international agreements, dealing with international data flows, dealing with breaches that cut across borders. I was doing international law and I still am. It was the goal at the beginning, and it was just, again, a very strange roundabout route of getting there.
[00:12:14] Arlo: I love that. And it completely maps to how we hear about most people who end up in privacy roles, which is somebody at some point in time went, you're smart and you seem like you're willing to do it. So here, you can take this. I have so many questions. One of the things you mentioned, which was this idea that we needed to have laws that governed countries.
[00:12:36] Arlo: The thing that pops into my head when I hear that is Star Trek, right? Because if you look, Star Trek had the Federation and it was an extraordinarily well-oiled machine. There was very minimal conflict on Earth. Is that where you were thinking we would go?
[00:12:53] Constantine: Listen, I was a science fiction fan. I was like the geekiest, right, of geeks in my early years. 'Cause I was like all into science fiction. I loved Star Trek. I love the
[00:13:04] Arlo: Are you a new Star Trek? Are you are? Are you, are you a Jean-Luc, or a Captain Kirk?
[00:13:07] Constantine: I watch it all the way through.
[00:13:09] Arlo: Wow.
[00:13:10] Constantine: Okay. So, you know, and I also, I'll tell you, one of the things I, found very influential, especially in the eighties, was the cyberpunk genre, I think unfortunately we're now creating in real life. We'll come back to that. I think that colored a lot of my views about why I chose to do what I did, which was that, it portrayed a world where we made it. We survived. We actually, figured out a way to get along with one another, and we were having new adventures. I do think that was very influential for a generation of people who thought that is possible that we can do that.
[00:13:46] Arlo: Ray Bradbury, I mean, when you look at the things that he conceived of as being pure fiction, right? I mean, the tricorder, you know, we're all walking around with a tricorder in our hands now. You know, it can tell me the temperature, it can tell me the air quality on the land that I'm about to go down to.
[00:14:02] Constantine: C. Clarke had a brilliant book called, I think it was Empire Earth. And he had these, again, portable computers that everybody would use to connect, pay each other with, it was like
[00:14:13] Arlo: Wow.
[00:14:13] Constantine: He also had a brilliant idea that solved the political problem. And I wanna repeat it to you because I think it might still be a good, a valid one. Anybody who wants political power is the one we should least trust with it. So in his future, he had people being drafted into the job and they would be given time off for good behavior.
[00:14:32] Arlo: Interesting. I love that.
[00:14:35] Constantine: I think that's actually maybe, you know, sensible. But again, they portrayed a world that
[00:14:42] Constantine: they could see coming. And science fiction is always just about possibilities. And when you get a little bit further forward into the cyberpunk genre, William Gibson, the Blade Runner kind of, it's dystopian. It's not meant as a blueprint. Unfortunately, I think we've gone there.
[00:14:59] Arlo: It's more of a cautionary tale in those cyberpunk ones, you walk away feeling a little icky.
[00:15:05] Constantine: You know, like what I think captured people's attention and imagination was this idea of delving into data, that interaction directly with information. But then there was all the other stuff that really wasn't that good. And I think that one of the reasons why I think still law and regulation is important is precisely because I see this challenge in the distribution of power, not now between states, but between the individual and large organizations. So we need to have that balance restored in some fashion. And I think that ultimately, it's rules, it's rulemaking that's important. And it sort of leads to something that I always like to tell people about, which was a little factoid. I love collecting little stupid facts and repeating them to people, unfortunately. In 1898, there were two cars in the entire state of Ohio. They ran into each other. We do need rules. We do need to have rules because even though it might seem like some things would be common sense, let's all agree to drive on one side of the road, apparently that's not as obvious as one would hope. So, you know, we need rules and we need them to be sensible. We need them to support, you know, doing business.
[00:16:27] Constantine: And of course you can't transact anything without exchanging information. But still there should be rules,
[00:16:33] Arlo: Yeah,
[00:16:34] Constantine: you know?
[00:16:34] Arlo: I love the two cars in Ohio that bump into each other. There used to be a contest where they would try to see who could write the shortest science fiction story. The entire story was one sentence, and it was, "The last man on Earth sat alone in a room.
[00:16:51] Arlo: There was a knock on the door." And your story of these two cars, it's like the only two cars in the whole state. How is that possible that...
[00:17:01] Constantine: There. Yeah. You know. Exactly. And I read a lot of those one story ones, like one line, very short ones. I remember reading actually a collection of those. It was like, some of them were very disturbing like that. But it stretches your mind to, you know, when you're reading science fiction, writing science fiction, it makes you think about possibilities. And again, we really need that kind of thinking, it's scenario playing. When we do breach, you know, tabletops, or we look at, you know, analyzing a particular technology, what harms it could, you know, create, doing scenarios, right? And this requires us to have imagination to extend what we're thinking, and play them out, play out those scenarios. So I think that,
[00:17:49] Constantine: like, you know, science fiction, fantasy is really good at like stretching your mind to contemplate possibilities.
[00:17:58] Arlo: Absolutely. So I do have a couple other questions on this topic before we jump on to a little bit more topic about privacy. But on the science fiction side, I don't get a lot of science fiction fans. I also am a big science fiction fan. So, you know, Isaac Asimov was a, I, you know, read everything he ever wrote and
[00:18:15] Constantine: Heinlein.
[00:18:16] Arlo: Yes.
[00:18:16] Constantine: I read Rocket Ship Galileo.
[00:18:19] Arlo: Oh, that was a classic.
[00:18:20] Constantine: From that point I was done. That was it.
[00:18:23] Arlo: So, so you're clearly a science fiction fan. You know, whether it's 1984, Minority Report, or, you know, the books that we're talking about, are there any of these stories that you look back on now and you feel were particularly foreshadowing?
[00:18:39] Constantine: William Gibson's trilogy.
[00:18:41] Constantine: You know, I think that, and for those who don't know, this is Blade Runner, Neuromancer, and what was the other one?
[00:18:50] Constantine: Overdrive, I think there was, I can't remember the other one. And it was set in a very dystopian future, which was, you either worked for one of these large corporations, or you were left by the wayside, or potentially you were one of these cowboys, who were the hackers, who were the go-betweens, living basically on the periphery of the law in actual mortal danger, because hacking could actually be fatal because of ICE, you know, the, you know, anti-intrusion measures could actually kill you because you were engaged with the data so deeply. So it was a very interesting sort of world.
[00:19:28] Constantine: It really, I think, rocked science fiction when this started coming out. I think that the reason it was so engaging was this vision of interacting with data in this way. And it really presaged a lot of, I think, where we're going with AI, where we're going with the power that analytics has, and definitely with the concentration of power in relation to large organizations over data. I wanna make a t-shirt that says, "It's the data, dummy." It's the data, 'cause it's only the data that we need to really be thinking about these days.
[00:20:06] Arlo: And I assume this is a reference to the line from American politics, "It's the economy, stupid."
[00:20:11] Constantine: The data is the economy. That's what people have missed. Right. You know, and this, again, circles back to what we're gonna be talking about in relation to trade and, you know, so I do think that, not the failure to understand how significant the fourth industrial revolution is, that this is a data-based change in our underlying economic system, understanding the control over that is really the fundamental issue that we're facing today. And again, why rules are so important.
[00:20:41] Arlo: So are you gonna let Elon put a Neuralink in your brain?
[00:20:45] Constantine: Heck no.
[00:20:47] Arlo: Let's talk about privacy.
[00:20:49] Constantine: Okay.
[00:20:50] Arlo: You know, you talked about the early eighties and getting involved in, you know, international law and having exposure to data.
[00:20:59] Arlo: I gotta be honest, in the eighties, what kind of international data trade and transfers even existed?
[00:21:07] Constantine: Well, you know, there was already a concern from the US that privacy laws, which were being introduced in the Nordic countries, would be a non-tariff barrier to trade. Because what was clearly, even though it was mainframes, there was recognition that there was going to be a centralization of data in countries where it had that capability. The US felt that under the guise of privacy laws, they were trying to prevent, you know, data from being housed in large data centers, principally in the US. So you see, this is still the issue, right? This has not gone away. You know, so it started then, but it also encompassed things like, well, with satellites.
[00:21:52] Constantine: You know, you could know, in the, based on looking at, you know, from satellites whether a third world country's crop was going to fail or not. And the notion that that information shouldn't simply be, that shouldn't be denied to them because it was their country after all. So a lot of these issues were, you know, being looked at in the early eighties, and that's when the OECD came up with a framework in order to ensure that the rules went with the data. I mean, that's my summary. The rules must go with the data, so you know that you protect information, but at the same time, of course, the OECD's role is to facilitate the free flow of data. And this has always been my perspective, is that the rules should flow with the data. We should be able to create trusted environments in which, again, you know, we can use the capabilities that are offered by tech companies or whomever, wherever they are, with trust. And I think that's the principal reason that we've seen, you know, that principles-based law, the development of the internet, all of the things that we've seen since that time have been, you know, based on this notion of there will be a free flow of data. And I think that's being challenged right now.
[00:23:14] Arlo: Yeah. Walled gardens, international borders. It seems like that that free flow of data, commerce and, and countries have recognized that the data is valuable and that it needs to be controlled in the same way that they control energy and oil and, you know, all the other things that countries produce.
[00:23:31] Arlo: When you think about, you mentioned that the Nordic countries were storing data in their data centers and, you know, the US ended up viewing this as being a potential trade issue. And I think that's so fascinating in the context of what we're talking about today. But before we jump into the trade topic, I'm super interested in understanding what happened.
[00:23:53] Arlo: So the eighties, the Nordic countries are doing this, was there a, a result? I mean, did we go and enact new trade legislation to try and answer that? Or did we wise up and recognize that countries have to store their own data?
[00:24:08] Constantine: Well, it wasn't so much that they were storing their own data. They wanted, again, rules to apply to the data. And so the OECD framework was a response to this to ensure that there could be trusted transfers. And I think that that opened up a lot of trade in services. And so what we saw was an expansion over the years.
[00:24:29] Constantine: And of course in the nineties, the personal computer became much more prevalent. And then finally the internet exploded. There was, however, a reaction to the fears or concerns about how this information was going to be used, because the EU passed the privacy directive in 1996.
[00:24:48] Constantine: And Canada's response, which was PIPEDA, or the Personal Information Protection and Electronic Documents Act, was primarily to facilitate the free flow of data
[00:25:01] Constantine: between Europe and Canada. That's, we got adequacy. That's the joke earlier, remember? So, we got an adequacy recognition.
[00:25:09] Constantine: I think, you know, partly it was also to sort of slap America upside the head and say, look, the Canadians can do it. Ultimately settled on the Safe Harbor framework, and we know what happened to that, and it was replaced by Privacy Shield. Schrems I, Schrems II, Privacy Shield gets knocked down, EU-US data transfer framework. All of these were mechanisms to try to, again, address the concerns of how data is accessible and usable in its flow between countries. We want to ensure the rules flow with the data. The way everything falls down is that while this works on private sector organizations, it's never been effective against the US government, which always has the ability to look at information. Under the Biden administration, they were beginning to close the, you know, sort of loopholes that would allow for mass surveillance and so on, and give redress mechanisms so that the European Commission was comfortable in accepting the EU-US data framework. Now, you know, again, we're back to potentially, you know, maybe a Schrems III, because we may not actually see that survive, because there's been changes now being made to the supports for that framework.
[00:26:29] Arlo: Interesting. And you mentioned, you know, the law needs to follow the data, and I think everybody would agree with that. Now, that might have been controversial back then, but now I think we've all arrived at the same conclusion. I'm curious how you think about, you know, when you think about legislation, it's almost always in the rear view mirror, right?
[00:26:48] Arlo: It's kind of like, well, this thing happened and now we're going to enact policy in order to prevent that from happening again and to come up with a better plan. Do you think that the law can follow data or is the law always gonna be so far behind just because of the process of establishing new law, getting consensus, getting it passed?
[00:27:10] Arlo: Do you think we have a possibility of having legislation, in general, broad rules that are well prepared to evolve? Like we've seen GDPR, excellent law, forward thinking in many regards, but it did not factor in the consideration of AI, right? And so then you find yourself going, well, you can't get consent for use with AI because nobody knows what you're gonna do with it.
[00:27:36] Arlo: Gosh, now we gotta write a new law. I'm curious whether you, whether you think there's any possibility of a brighter future when it comes to regulation and being more forward thinking.
[00:27:45] Constantine: I do. And I think that there are mechanisms that are actually set out in the GDPR, which does apply to AI, but you're right, there's obviously other areas of concern that the EU AI Act has been developed to address. The thing that I think we need to think about is how rules are actually made. Of course, legislation is hard to get done. I mean, we had a proposal to change our PRI in National Privacy Law that failed because we went to an election, so it died on the order paper. PIPEDA has been in place since 2001.
[00:28:20] Constantine: Okay? The internet really wasn't a thing then, when it was drafted, and now we have AI. So really, now, it is a principles-based law. It still has got some flexibility, but people want certainty. They want rules, right? To know what to follow, what side of the road to be on. And the reality is that legislation is always like that. But if you get too prescriptive, then that's the concern that, you know, many people have, is it becomes prescriptive, it becomes inhibiting to innovation. So there is a model, and it was proposed in our legislation under Bill C-27, to create what's called codes of practice. Now, this is also a feature of GDPR, but it's very difficult to get 27 member countries to agree to a single code of practice.
[00:29:08] Constantine: It's only been a couple that have been successful. Okay. Putting that aside for a moment, codes of practice are subordinate rulemaking. They can be more flexible. You could change it on a yearly basis.
[00:29:21] Arlo: This is true.
[00:29:22] Constantine: So
[00:29:23] Arlo: So a good principles based law
[00:29:25] Constantine: yes,
[00:29:26] Arlo: level of autonomy by the agencies.
[00:29:29] Constantine: Right? Or even industry-developed codes, co-regulation, could work to be much more flexible in terms of how organizations, you know, have to comply with the law, but do so on a much more agile basis. I think that is gonna have to be the way we're gonna have to move. We have to think about rulemaking. This is the start of the conversation, was that we need more rules, but we need the right kind of rulemaking in order for us to have that agility, but at the same time do the right things vis-a-vis consumers, individuals, and so on.
[00:30:07] Arlo: Do the right thing. That's our mantra. I love that. Yeah, I think that that's ultimately something that a lot of people forget, is that these laws are there to serve us as citizens of the world, or citizens of our country or state. I really, really love that mindset. Let's talk about privacy.
[00:30:23] Arlo: Let's talk about trade, because this is your area of expertise. I'm really interested to think about how privacy and trade intersect, and where they conflict, but also really fascinated to understand your views on this new, you know, tariff-laden world. And do you imagine that there are any challenges coming, or perhaps any silver linings here that we're not expecting?
[00:30:51] Arlo: I would love to hear your thoughts on trade and privacy in general.
[00:30:56] Constantine: Well, as I said, data goes with trade even if you're just getting contact information from a European company, you still have to comply with GDPR, but it's rarely just that, right? what's changed I think, in the last five years for most North American companies is they've realized that in order to make the revenue targets. They have to actually do the right thing vis-a-vis privacy. And I think that's a big mindset change that's very important. It's been very difficult to persuade management around compliance. You know, they don't get really excited about that. When you talk about revenue though, boy, do they get interested?
[00:31:33] Constantine: And what's happening is that their customers are demanding that they don't drag them into a nightmare situation, right? Don't make privacy problems for us. So you'll see that every agreement now has a data protection addendum. Well, you've gotta actually live up to those promises, don't you? That's when you make your way to the privacy office and say, oh, we've been ignoring you the last five years, but now we need your help. How fast can you fix this? Right? Our privacy law in Canada is the responsibility of Innovation, Science, and Economic Development. It's a trade issue. It supports trade. There's the Cross-Border Privacy Rules, which is the global privacy rules forum has been initiated to take the APEC CBPR and expand it. And why? Because it facilitates trade. So again, we need to know that we're dealing with trusted parties. This is now a B2B issue, and that, again, brings us back to revenue. You've gotta show you've got the right controls in place and you can live up to them. And so that's the connection. It's very simple.
[00:32:42] Constantine: You will have to actually do these things now if you wanna make your revenue targets. So how there is impacts with what's been happening? Well, you know, a lot of the focus in the trade war at the stage has been on goods and it sort of is missing that a lot of that in, supportive for the, you know, trading goods still requires data to go back and forth, right? And so if you want to expand your markets, and that is something that the Canadian government, for instance, is encouraging Canadian companies to do right now because of the concerns about the tariff barriers that they may be facing with the US. They're now encouraging companies to think about cross-border privacy rules and how to align with these requirements so that we can expand our business, that simple. And for US companies, it's going to become a little bit more challenging because as these other changes in your administration is bringing in, in terms of undermining some of the EU-US Data Privacy Framework, it's gonna get harder for US companies to demonstrate that they're able to honor the commitments that they're making. It is a very much a concern for every European. I once in one of my roles was being raked over the coals by an English solicitor because of the NSA. And I was going, I'm a Canadian, I don't know why you're giving me trouble about it. And we were able to work it out because,
[00:34:11] Arlo: Did he think that stood for North American Security?
[00:34:15] Constantine: don't really think he was tweaking into like, you know, we're not America anyway.
[00:34:20] Constantine: We have this continuing problem with multiple parties now. The thing that we managed to get him over was, okay, if we don't really need the names of the individuals, we can just simply assign a random number. And suddenly we've anonymized it in our hands and then everything was better. So I think what organizations have gotta do, if they want to find new, preserve their business, but also increase it, is find ways to address these concerns using technology, administrative measures, all the, you know, what's GDPR? Technical, organizational, administrative measures, because Schrems II is very clear in the decision that contract alone is not enough. The standard contractual clauses are not enough. You need to have those other mechanisms to demonstrate that you've got the right controls in place, that you can honor your commitments. So this is where privacy people are really essential. We are the glue between law and technology. We have to help make those controls meaningful so that we can give the confidence to our business partners that the right controls are in place, we can honor our agreements. So I think that is the real challenge now for US businesses, to be creative in thinking about how to offset or augment the privacy protections. It may mean it's encrypted, I can't see it. It's zero knowledge. And that may be the satisfactory way to solve some problems. In other situations it may be de-identification, tokenization, other strategies can be applied to minimize the risk, but to mitigate it so that again, your business partners are comfortable. And I think that's gonna be generally the direction we're gonna have to go. While earlier it was about the free flow of data, increasingly now it's about assuring, again, our business partners that the rules actually flow with the data.
[00:36:17] Arlo: When you think it's interesting. So, you know, when I look at the technology ecosystem, as it's evolved over the last, call it 30 years, right? I think of that window as being the real commercial internet that we are all familiar with, right? Kind of started mid nineties ish.
[00:36:31] Arlo: As, as you know, if you, I don't know what you had in Canada, but in America we had all these AOL CDs that would get sent out to you, and I assume you had CompuServe in Canada. Now
[00:36:41] Arlo: that's a blast from the past. so, you know, one of the things that's interesting is, you know, we look at the evolution of kind of internet technology in general and how businesses tended to use it, right?
[00:36:52] Arlo: So in the beginning it was, we're gonna stand up a website and we're gonna maybe see if we can do a brochure for the products that we offer online. And they lived in usually a single server that they probably owned or leased, right? It was, there wasn't really any data there that could be exfiltrated or transferred.
[00:37:12] Arlo: and then we saw this shift towards the cloud and, the AWSs, but we saw a. Real drumbeat of, collect as much information as you can at every given moment in a customer journey. Store it forever because you just don't know when you might wanna use it. Right. Or there might be value that you're, so we did a very good, not we, but we royally did a very good job as a society of convincing businesses that they needed to store this and essentially become the hoarders of the world.
[00:37:48] Arlo: Right. but now we're going to them and going actually. Turns out not the best plan. Right. so, so there's this legal framework side of it, but there's also, I think, a, a fairly significant part of just getting the momentum that was established over the last 30 years of collect, collect, collect and convincing people that you don't need to collect, collect, collect.
[00:38:14] Arlo: You should collect what you need and you should be clear about it, and you should store it for how long you wanna store it. How, I mean, when you're out talking to clients, when you're engaging in, you know, with regulators. Does this become, is this a problem we can solve?
[00:38:31] Constantine: Yes. Okay. But the problem is we've built a house on sand. And I will say, I was speaking at the ARMA New York event at the beginning of March in New York, and I was talking about the intersection of privacy, data retention, and AI. And the reason that this was the topic that they asked me to speak about was, of course, they're at the forefront of managing information management retention. We have built our house on sand because we don't know, we over collect it. You know, we got, I got your name, your mother's maiden name, your shoe size, your private color is blue, you know, this sort of thing, without any sort of notion of what, why we were collecting it. And it sort of undermines this whole notion of lawful basis, right? We have to have a reason for collecting information. It's principle of Canadian law as well. Limit how much you collect to what you need to fulfill the business purpose.
[00:39:30] Constantine: Anything else you really need to either get consent or you have to have some other legal justification. So a principle that's, you know, being inarticulated in, in fact, in US state laws now is, you know, data minimization. Okay, so we've built this house on sand because we got all this data and we don't know where we got it from or what basis we got it from.
[00:39:54] Constantine: And now we're pouring it into AIs and we are creating a huge information governance problem for ourselves because we still don't have that connection to why did we collect this information in the first place? What was, what was its provenance? What was its quality? Should we still have it? You know, I also get laughs at conferences sometimes inadvertently, so it's not always standup. I ask how many people have our data retention policy and everyone puts up their hand and I go, okay, how many of you're complying with it? Everyone just laughed. They're not, and you know, like, why do, why are you living in, you know, this world where your, your retention policy doesn't mean anything. A German company was fined for not complying with the state of retention policy. It didn't have a breach, but access requests will expose these things. Oh, if you do have a breach, it will definitely expose that you've had information about this person for 20 years longer than you should have. You know, and then you start asking, well, should this information have now been populated into your AI training model? Maybe you didn't have a legitimate basis for doing that. I think that, you know, what I'm trying to get at is, you put your finger on the heart of a very fundamental problem is that we are lousy at data governance and we've been doing it for 30 years, and now we're going to have to pay the piper because now it's possible to actually find out through access requests, through breaches, through the training models themselves, through, through AI, what information organizations have, should they have it. Also I think, raises other questions about, is it biased? Amazon created a database, you know, an AI to vet engineers' resumes and found that they couldn't rescue it because it was trained solely on the data of male engineers. So it discriminated against women and they could not fix it.
[00:41:53] Constantine: Okay. Bad data, you know, garbage in, garbage out kind of stuff. if the data is old, I mean, talking to people during the pandemic And the travel industry, everything that was beforehand was meaningless during the pandemic. Right. And all of your statistics during the pandemic, are they meaningful?
[00:42:09] Constantine: Now? We don't ask the question, what's the quality of the information? retention rules exist to help us get rid of the old when it's no longer valid or useful.
[00:42:21] Arlo: it's not a topic. I mean, retention is not something you see a lot of enforcement activity around. Right? We see a lot more enforcement activity around those visible things. Oh, you didn't have the right, consent banner. You put too much friction in your opt-out process.
[00:42:38] Arlo: but it doesn't feel like the regulators often go behind the scenes to ask the question of, are you doing what you say you're doing?
[00:42:46] Constantine: well, until there's a breach, every breach is multiplied by a factor of three to five by virtue of the fact that nobody got rid of anything. And then you see the consequences, then you can actually articulate what the cost is of over retention. and that's when you know, commissioners in Canada, state attorney generals do get excited about retention because they can say, why do you have this data from 20 years ago? You just, your breach multiplied by that much, and you can quantify it. So I do think that, when we start now, bringing this back into the AI world, we're going to start asking the question. Is the data that you are, you know, training, like you said, we just glommed all this information in. Is it something you legitimately should have had when your own retention policy said, you see, this is where you're gonna be hoist by your own petard
[00:43:41] Arlo: You know, you're gonna have to translate several of those words for me, by the way.
[00:43:45] Constantine: it's not a, an expression I get to use terribly often, so I jumped on the, the possibility. and so I have a vocabulary, I will use it. So the point I'm trying to make is that, you know, everyone has documented their retention policy and is just waiting there for some litigation lawyer to go, oh, so this is what you said you were going to do, but you haven't been doing it.
[00:44:06] Arlo: Yeah.
[00:44:07] Constantine: That, that's my translation of hoist by your own petard. So the reality is that, you know, again, we do not govern data well or properly, and this is going to lead to a host of problems. You know, one, I often tell people a data subject access request is a penetration test of your privacy program.
[00:44:26] Arlo: Ooh, I'm gonna steal that, by the way. I like that. That's a very good phrase.
[00:44:30] Constantine: You can always just give me credit, but, you know, Yeah.
[00:44:33] Constantine: Steal. but you know, it is, it is, you're going to find out these things, you know, based on the responses, if they're honest as to what you information you have about an individual, and it'll also tell you how well that they actually, you're, you're performing in terms of responding to them how accurate you are, because they often have. Lots of communications from you, and they can say, well, I know you know this about me, but why didn't you say so in your data subject request response.
[00:45:02] Arlo: Yeah.
[00:45:02] Constantine: So, you know, it is a great opportunity and there are businesses evolving around, you know, like automating these and becoming agents. you have to admire the United States. Very innovative in terms of its opportunities to use litigation, as a industry. we're not quite so litigious in Canada, but you know, there's still class
[00:45:24] Arlo: Yeah.
[00:45:25] Constantine: but at the same time, you guys blow us away. I've often said the biggest danger to any US company is, the tactical nuclear lawyer. So I think that this is also, perhaps a way to get this across to management is to say, this is why you need good information or data governance. This limits your liability. This is going to come out. The truth will out. That's the other thing I think that people begin to fail to understand with all of the tools and things that we're putting into play, is that it's so much gonna be so much faster and better to actually find all the, smoking guns that you've got hidden back in the store room of data. you know, I do think that, there is gonna be a reckoning for all of that massive data collection.
[00:46:12] Arlo: Yes, I would agree with you on that. And, you know, the class thing is interesting because, you know, although we have had historically weak privacy regulations in the United States and a significant absence of federal enforcement, the majority of those, 'cause I mean, look, we have privacy laws here.
[00:46:30] Arlo: We just don't enforce them. So they may as well not exist in many, many cases. But when you look at those classes. The class actions. Right. in many ways what we see is that those class actions are a higher, they are a much bigger motivator for businesses to comply with the regulation
[00:46:51] Arlo: than the threat of the, you know, call it one in a hundred thousand chance that a regulator comes knocking on their door because the odds are much higher that you will get sued in America.
[00:47:02] Arlo: And I think that there's another aspect of that that can't be ignored, which is shareholder actions when you mess up. Many companies fail to sort of connect, is that this is not only the subject of personal rights, consumer rights, it is also the asset of the company. if people treated money the way they treat data, a lot of people would be fired. We haven't made the connection mentally that data is an asset of the company. So you're gonna start seeing, you know, and you have seen shareholder actions, which, when companies have had data breaches or they've gotten in trouble with regulators you know, have gone right to the heart of you are mismanaging this asset you are bringing down the value of our shares because of that.
[00:47:48] Constantine: director's liability, greater, you know, enforcement by the SEC in relation to cyber breaches. All of these things really come back to, again, governance, information governance, which ultimately has to go to the boards of directors so they don't actually ask the right questions. Right now, 90% of US public companies have InfoSec really and privacy related issues reporting to the audit committee. The audit
[00:48:15] Arlo: Wow.
[00:48:16] Constantine: right. So they're not knowledgeable. the board's role has gotta be to ask the right questions of management. And if it's not capable of doing that, then the question is are they doing their job? I think in relation to, again, the information age and what we are experiencing today in terms of the transition to this fourth industrial revolution, suggests to me that a lot of the governance frameworks we have around data just don't exist and are inadequate. this is where I think litigation is going to be a very. Big driver for change because it's going to hold management and boards accountable for how information is being managed
[00:48:56] Arlo: That's brilliant. By the way, share shareholder actions is not something that many people talk about and think about in privacy. You know, you think about the class litigators. You think about the regulators, but you're right, SEC level type of things, and,
[00:49:09] Constantine: it's been very, very difficult to get harms established in many class proceedings, and it's often simply the threat and the cost associated with which causes settlements. But you, America has a long history with shareholder actions.
[00:49:22] Arlo: Yeah, we do. and they're, they're always dramatic. so, you know, look, you are in a country that, you know, as you've described, is adequate. and, you know, the concept there is that, you know, Canada has put itself in a really nice place where you've become this trusted place that, you know, Europeans can confidently have their data stored, Americans can have their data stored.
[00:49:46] Arlo: And so in many ways, to butcher the phrase, but, you know, you've become the Switzerland of data privacy in the, in the kind of the northern north American region. so when you look at the us, you know, we think about adequate, our, Canadian take on privacy. Right.
[00:50:01] Arlo: Appropriate and reasonable, I think is, is what you mentioned at one point when you think about the US and you think about our approach to privacy, do you think it's reasonable, appropriate? I mean, what should we be doing here that we're not doing?
[00:50:16] Constantine: Well, that's an interesting question. I think that, you know, the states are doing
[00:50:20] Constantine: a lot in terms of creating rules. The problem is that, you know, and I'm not telling Americans anything new, this patchwork is really challenging, right? So a good strong federal privacy law would be really helpful. Part of my role has always been to explain America to Europeans and, you know, they don't care about privacy.
[00:50:39] Constantine: Oh, you have never met the FTC, have you? so we know it's not true, right? And, Europeans have trouble understanding the American framework because it's like a zillion laws, right? You've got sectoral laws, you don't have a central privacy commissioner or, you know, data protection authority. So it's very hard. Well, I mean, it's very hard for American companies to navigate this. Imagine what it's like for Europeans to try to figure it out. I think that, ultimately, there's a couple of things you can do from the private sector regulation side. used to have these things that I always admired in law school, which was these uniform codes, which would, or model sort of laws, which, states would model them.
[00:51:18] Constantine: And nobody's done this in privacy, which I find really frustrating it would simplify things. Everybody can have their own law, maybe with a few variations, but some, and you see that's the advantage Canadian provincial and federal laws have, is they're based on largely the same principles. We never have this kind of real fundamental challenge between how things are being done.
[00:51:37] Constantine: Quebec is a little bit of a different case because it's a civil code jurisdiction, but still, we largely approach things the same way. I think that what would help would be obviously a federal law, but you've gotta satisfy California and other jurisdictions that it's not going to be less than. I'm not sure that I, you know, there's brilliant minds in the United States have tried to figure this out and, you know, it really requires bipartisan support in your Congress and good luck to you.
[00:52:08] Arlo: If we had done this 10 years ago, we would have a wonderful federal privacy law, but we dragged our feet and as a result, the states had to take action and now we're in this sticky situation.
[00:52:21] Constantine: and I will say that there is one other fundamental issue right now, and this relates to the trade war and that we haven't talked about services yet, but that's gonna get dragged in. You know, the US has a surplus in with most countries in relation to services. So that's not being accounted for in the overall, you know, deficit surplus conversation. but it is increasingly a focus of countries outside. Not just Canada, but Europe elsewhere, that this is concern now because of the storage of data within the United States. And so there's questions of data residency and data sovereignty being raised, this threatens that whole notion that I talked about earlier of the free flow of data. and I don't have an answer for you in this because fundamentally it means reestablishing trust. It all comes back to that equation of trust.
[00:53:19] Constantine: and you know, if, instance, you know, someone says we are willing to pull the plug on, fighter jet's software, the natural next question that gets raised is, well, how far will that go? will our services that we may, we may have a data center of US company in Canada. But are we able to trust that? And the question is being raised by, Canadians and by Europeans of the trade war. so there is some really, I think, existential concerns right now to this notion of the free flow of data. and they can only be addressed by reestablishing trust.
[00:54:00] Arlo: Which we're not in a great position to do today, unfortunately. And you know, as they, uh, was it George W. Bush had said, you know, fool me once, shame on, shame on you, fool me, and you can't get fooled again. I think that's what he said. You know, the phrase supposed to be much more eloquent, but you know, it, it does feel like, as an American looking at how the rest of the world must view us.
[00:54:25] Arlo: It's gotta feel a little bit, like working with somebody who's got, you know, schizophrenia, right? I mean, in the sense that you go, okay, great. We felt like we had some rational partners that were prepared to work forward towards a solution that would happen. And then now you've got a new administration who's got a totally different viewpoint on it and they're gonna go the opposite direction.
[00:54:46] Arlo: And then we get another administration who goes and seems normal and reasonable and wants to work and cooperate, and then we go back to another administration. I'm curious, what do you think we have to do as a nation to reestablish trust with our trade partners? Let's go ahead and just assume we're talking about four years from now, that we have that opportunity.
[00:55:07] Arlo: 'cause it doesn't look like it's gonna happen right now.
[00:55:10] Constantine: I am gonna start with where I started, the rule of law. We have to have laws that govern nations and agreements between, part of the problem that Europe has had that required that, you know, Privacy Shield, Safe Harbor, the data framework has been that no agreement about what friends will do to other friends, you know, spying about, you know, surveillance. We need agreements, we need that United Federation of Planets approach, confirming that we can trust one another. It's return to the rule of law. The real problem is going to be reestablishing that trust. Our prime minister, who's just recently reelected, has said our relationship will never be the same. That's a very shocking and hard thing to hear from our prime minister. It's hard, you know, but it's not wrong. He said what we're all feeling. And there's a real sense, I think, in Canada of a loss of a grieving over a loss of a friend. And I don't think that should be underestimated. But we have to move on
[00:56:17] Arlo: Yeah.
[00:56:17] Constantine: you know, we have to survive in this new world it's going to be tough for everybody. and we can only hope that the course will be changed at some point in the future. But right now, because of these, whipsaws, it's, well, we have to move on.
[00:56:38] Arlo: I mean, and look, if we had, if we had a corporation that, you know, one year was up and the next year was down and one year was up and the next year was down, you couldn't buy from them. You couldn't invest in their stock. and, you know, it does feel like we are, creating problems for ourselves here.
[00:56:52] Arlo: well, Constantine, this has been really wonderful. I, I'd love to understand, we always like to talk a little bit here about, you know, I'm a privacy pro, but, and you've got such, such deep interesting thoughts, you're a very funny person. Is there anything you do that you wouldn't tell other people that they should do?
[00:57:09] Constantine: I use, um, probably technology a little bit too liberally when it comes to my Amazon devices. I love telling it to do things. Tell me, oh, I really annoy my family with, "Tell me a dad joke," you know, because at dinner time, because they're awful, they're really awful. Amazon does not have a sense of humor. I just love the scenes of pain expressed across their faces. And, you know, I listen to music and I like automation. I love to use automation. I drive my wife crazy because I know when she's, you know, left the house 'cause I have a monitor on the door, the garage door, mostly for security reasons. But I'm going, where are you going?
[00:57:45] Arlo: And you, you have a consent notice on the door, I'm sure that says I'm collecting this data.
[00:57:50] Constantine: no, no. My my kids go, you are, you've created a survey. I said, my, my first assignment, my son just, you know, finished his degree and he wants to do some work with me. I said, okay, the first thing you can do then is a PIA of the house. So he's gonna, oh yes. Oh yeah, dad, we're definitely doing That So.
[00:58:10] Arlo: That is awesome. Well, Constantine, thank you for joining us today. This has been a really delightful conversation. And for folks who have been listening today, please go take a look at nNovation LLP. This is the law firm where Constantine spends the bulk of his time these days. You can find them online.
[00:58:27] Arlo: It's two Ns, it's nNovation, and they're excellent. So if you need any help in Canada or with global trade issues related to privacy, we can't speak highly enough of you and your firm. So thank you for joining us today.
[00:58:42] Constantine: you.
Meet the host
Arlo Gilbert is the host of The Privacy Insider Podcast, CEO and cofounder of Osano, and author of The Privacy Insider Book. An Austin, Texas, native, he has been building software companies for more than twenty-five years in categories including telecom, payments, procurement, and compliance.
