It's not often these installments of Member Spotlight coincide with a recent job change, but here we are with Laura Tarhonen, CIPP/E. Tarhonen is joining Schibsted, a multi-brand manager based in Norway, where she will serve as privacy counsel. Tarhonen describes the company as "kind of The New York Times meets eBay for the Nordics."
Laura-Tarhonen.png
Laura Tarhonen, CIPP/E

This is just the most recent mark on Tarhonen's lengthy privacy resume. Among other private sector roles, Tarhonen once oversaw and maintained the privacy program for Finnish media company Sanoma. She also has experience in the public sector with time spent at Finland’s Office of the Data Protection Ombudsman and Ministry of Transport and Communications.  

In this Member Spotlight, Tarhonen chatted with Joe Duball about some current and long-standing priorities within her work, as well as thoughts on EU General Data Protection Regulation enforcement.

The Privacy Advisor: So how did you get your start in privacy, and what drew you to the industry?

Tarhonen: The narrative I at least tell myself is that I have always been into technology and "new stuff," but I didn't necessarily even realize it was possible to specialize in technology or data at the beginning of my studies in law school. While participating in a trainee program with Finland's Ministry of Transport and Communications, I first started to realize that "data law" would be a really big thing. I also connected really strongly with the value of privacy and, as our lives become more and more digital, we need to extend the protection and respect our privacy gets in the physical world to the digital world, as well. People didn't seem to pay attention to how much data was collected about them and how it was used — I guess I felt the need to spread the word and elevate the topic by specializing in it and working with some large companies to protect individuals' data.

The Privacy Advisor: Obviously regulatory compliance may differ across industries, but what's your view on the most important consideration or focus when it comes to compliance? Why does this particular consideration take precedent?

Tarhonen: It is a great question. Due to an almost chronic lack of resources, I think privacy people have really had to learn to prioritize their efforts. Like you say, where to focus is quite a company-specific topic as I would factor in things like what is the most sensitive data processing? Are the externally facing documents in order? What is the competition doing? What the regulators are focusing on nevertheless, there is no privacy program if the other people in the organization don't know about it. The biggest mistake for a privacy team is to create what I call the "parallel universe" — where things work as they think and in reality, their organization is doing something completely different. 

The Privacy Advisor: How has your work been affected, if at all, by the "Schrems II" decision on data transfers? If affected, in what ways have you tried to meet the challenges being presented?

Tarhonen: I kind of wish I wasn't affected, but I think all companies operating in the EU are. It is a difficult topic because I agree with the judgment from a data and privacy protection point of view. On the other hand, the whole idea of regulating how data flows between territories goes against the fundamental functioning of the internet and makes it really difficult for the data controllers to comply. One thing I am also worried about is that the international data transfer rules become so tricky to comply with in practice that it ends up diluting the value or importance of data privacy as a topic. One positive thing that will come from this huge exercise of going through all transfers and suppliers is that at least companies have the possibility to reassess whether they can pseudonymize or add encryption to the data they transfer.

The Privacy Advisor: Besides data transfers, what are a couple of commonly overlooked privacy issues you've dealt with recently or are currently grappling with? What's so challenging about these issues?

Tarhonen: I think one area that has been a bit overlooked traditionally but has luckily become more relevant during COVID-19 is employee data privacy. Many controllers have been focused on their "customer-facing" activities, but there are many important and interesting topics related to how employee data is processed. Remote working raises questions around things like virtual meetings, their recording and how participants can be tracked, and then of course there is analytics based on employee data, which is something that can be a big benefit for the controllers but have to be balanced against the interest of the employees, as well.

The Privacy Advisor: You previously spent some time working for Finland's data protection authority, giving you some first-hand knowledge of a regulator's inner workings. With that experience, what are your thoughts on DPA resources and staffing? Do regulators have valid claims when it comes to a necessary increase in resources?

Tarhonen: It was a long time ago, and I think the office has gotten more resources post-GDPR. However, it was really small when I worked there, and there certainly was no lack of work even back then. This was pre-GDPR so the caseload and mandate have grown significantly since then. When looking at the activity of the national (DPAs), it is quite clear the ones with more resources can enforce the GDPR more actively and even be proactive, not only just responding to complaints. I am not necessarily advocating for a huge increase in the resources of the authorities in general, but I think it is problematic if the ability of the DPAs to enforce privacy laws varies too much from one EU country to another as it has an impact on the level playing field.

The Privacy Advisor: What's your take on GDPR harmonization? We're coming up on the regulation's third anniversary, so shouldn't there be shared approaches and fewer diversions by now? Would harmonization make it easier for those running privacy programs and compliance?

Tarhonen: One could say we need to give the authorities some more time to adjust while better defining and practicing their ways of working around GDPR. We are still at the beginning of GDPR enforcement. Still, I have to admit I have been a bit disappointed with the harmonization part. Although the European Data Protection Board has issued a lot of common guidance, it still seems — especially on the national court level — the interpretations of the GDPR vary substantially. This leads to both uncertainty for companies and impacts the level playing field. A partial cause of this frustration has also been the delay of ePrivacy Regulation and varying guidelines from different national authorities on how to obtain consent for cookies. While technically this is not a problem in GDPR enforcement and is due to differences in national ePrivacy laws, it is practically difficult for companies to see the difference as the topics (i.e., cookies and personal data processing) are so intertwined.

Photo by Keagan Henman on Unsplash