**Jonathan:** Alysa, good morning.
**Alysa:** Hey. Good morning.
**Jonathan:** How are you?
**Alysa:** Just lovely, living the dream as the privacy lawyer.
**Jonathan:** Tell me about it. I loved our session last week on the California laws and the delay on the enforcement of the regulations. Thank you for that. I wanted to ask you about my favorite topic — the European-US privacy framework. It seems to just be coming up over years and just not really quite getting to a point where we're like, okay, great. What's happening now? So there's a privacy framework. I was talking to our friends at Gartner and they said, look, this adequacy ruling probably will be overturned in the next two to five years. So I just wanted to get your thoughts on it, Alysa. What's happening? What's the lowdown? What do we need to know?
**Alysa:** Sure. Well, let's talk about why we need the framework. One of the requirements in GDPR is that to transfer data — right, European personal information to the US, a country that does not have adequate privacy laws, deemed adequate because we don't have a national privacy framework — that you need to have certain protections, right? And that means both for transferring, sending it cross-borders, but even accessing it. And you think about global companies that of course they've got servers in the US, they've got servers throughout the EU, they've got processors, right, who all need to have access to the data to be able to perform the services. So one of these key things is, well, what's the lawful framework we can use? Privacy Shield was really helpful because you'd have your lovely certification — Safe Harbor before that — that said you've done all the things you need. You don't have to add extra contract terms for that. Right? The seal essentially solved the issue. Well, that was invalidated. So then there's been effort for quite some time to get this third version. And so now we have it, but I think everybody is holding their breath. It was topping the headlines for any privacy lawyer and certainly on the business side. I think what you heard from Gartner is true in that I don't know how long-term it's going to be a solution, and there's quite a bit of effort for one who wants to get through that and sign on to the framework, which we're still waiting for some of the details. But you have to go through those steps. And so where I see most companies' questions obviously already popping up is you can't rely on one strategy. It's really about exploring multilayered options. You've got standard contractual clauses — that's one of the other options. I don't see companies stopping doing that.
Many, in fact, have had to do all of these data processing agreements for privacy laws anyway and they just have an appendix for a global application including having the standard contractual clauses. So I think there's a multilayered approach. I think you're going to see the tech vendors probably embrace it, but we've heard it's gonna be challenged by Max Schrems. And so I don't disagree that it may go away because it's not yet sufficient once it gets pressure tested.
**Jonathan:** Gotcha. And the other piece of it was that Gartner was saying, hey, treat this as a grace period, but move towards a cloud strategy that doesn't depend on the ruling, essentially. Which I think that means make sure your cloud provider keeps European data in Europe. Right? And I just wonder how realistic that is.
**Alysa:** I don't think it's realistic. That's the simple answer. I don't see data localization — it has been brought up over the years — and just the way that companies work, I don't see it happening that way. I mean, you'll see some, but it's small pockets. And even where you have some of the big tech vendors provide servers entirely within certain EU countries, I don't see companies having the ability to do that and really the liberty to have all of their processors entirely within Europe. I just don't think that's an economical strategy or a practical strategy. So I think that the business demand is not gonna be there to make that environment support that approach.
**Jonathan:** Got you. Are there alternatives? Like a global permissioning system — just to understand consent globally and consent in the broadest possible terms. Right? Like, what can you do? What can't you do? Opt-out. Opt-in.
**Alysa:** Well, I think what you're asking is — it's complicated. And in privacy, there is no deep breath of relief in knowing that I've dotted all my i's and crossed all my t's when it comes to privacy compliance. I think it's constantly moving and shifting on what's the expectation, what you need to do, whether it's US, whether it's EU, whether it's UK — everything is moving and dynamic. And so what you're doing on permissions today versus what you may be doing a year from now, right, that will change your risk profile as you're also thinking about things like data transfer. So at the end of the day, what's your layered approach? How have you evaluated your risk profile around that? How reliant are you on having data transfer occur, and really having a good understanding of that?
**Jonathan:** So we all just gotta get a little comfy with ambiguity around these laws maybe for a while, and just stay flexible and stay nimble, stay on a swivel, and have our principles, right, on how we wanna treat customer data, if you will.
**Alysa:** A hundred percent. Continuing to both learn and respond to the new privacy laws, because those are gonna keep changing. Continue to learn and respond to both the business shifts that are happening and what's the demand there. But I think also from an engineering standpoint, we now have privacy engineers. The concept of privacy by design has really now, I think, flowed out and we're starting to see good signs of that with data scientists. I just think everything is moving and that changes and at least presents new options than might have been a year ago or even today.
**Jonathan:** Thanks, Alysa. My second favorite topic — Massachusetts. Was reading a couple days ago that they're looking at a bill that will ban the sale of cell phone data, or location data specifically. Is that a trend we're seeing? What's going on there?
**Alysa:** So when I hear you ask that question, what I saw there was a headline in The Wall Street Journal on this point, right? And it takes me back to — anytime we see not the legal press, but The Wall Street Journal, top story — I think it gets more discussion in the boardroom. Are these significant trends? Because it sounds certainly significant. And what I took from that story — I mean, Massachusetts, yes, it has this bill on geolocation. And in the privacy world among the nerds, there's been a lot of focus on geolocation in Congress and whatnot, certainly post-Dobbs. I don't know if that Massachusetts bill is gonna go the distance. I have a sense it may not. But what we have seen as a theme — the states, we've got comprehensive privacy laws, so many more states getting added to the list. We have states having more specific laws like health information, right? Washington, Nevada, Connecticut. And then there's other issue-specific things that are popping up, whether it's biometrics, location in some sense with a nexus to a topic that's sensitive. So I do think we're going to see a whole lot of that. And that is happening because we don't have federal comprehensive privacy legislation that has some preemptive effect. And usually you kind of ask, well, why don't we have that? And there's just still such tension with preemption and private right of action. So I think that just doesn't look realistic. And so again, in the absence of that, we're going to see these states continue to experiment.
**Jonathan:** Gotcha. Thanks, Alysa. Well, I think that's a wrap for us today. I appreciate the time.
**Alysa:** Sure. Good to see you.