The Privacy Advisor talked with Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, for this Volunteer Spotlight. Lee is part of Fieldfisher's Privacy and Information Law Group and sits on the IAPP Education Advisory Board. He has worked on multi-jurisdiction privacy projects with more than 80 countries while specializing in behavioral profiling and cookie regulation, e-marketing and international data transfer strategies.
Here, Lee talks to The Privacy Advisor about his perspective on cookies and cross-border data transfers at a time when both are in flux.
The Privacy Advisor: How have you volunteered with the IAPP and what was the most rewarding aspect of the time you’ve put in?
Lee: I've done various bits and pieces over the years. One of my earliest experiences was shortly after I joined Fieldfisher when we were authoring the first edition of the CIPP/E textbook — I wrote the chapter on EU direct-marketing rules and made sure I knew them inside out so as not to make a mistake in the book.
That led to various subsequent volunteer opportunities with the IAPP, from participating in webinars, to becoming part of the IAPP Privacy Faculty, to being on the IAPP's U.S. Advisory Board when I was running Fieldfisher's Silicon Valley office, to running CIPP/E training days.
Definitely the most rewarding aspect for me is running CIPP/E training days, though. I get a real buzz out of being in a room full of enthusiastic students eager to learn more about European privacy. They come in all shapes and sizes — some are complete newcomers to privacy, while others are more experienced privacy professionals looking to learn about European law.
The Privacy Advisor: Was there a particular event or moment that led you to a career in privacy?
Lee: Yes. I was a trainee at my first law firm, and shared an office with the firm's privacy lawyer, Nick Graham, who taught me a great deal but, on this particular day, one of the partners was looking for a trainee to advise on a fairly technical question concerning the U.K. Data Protection Act 1998.
Data protection, in those days, was not the sexy subject it is today — trainee lawyers ran a mile from it, much in the same way I would if someone were to ask me a question on tax law. However, I was fortunate to grow up with a dad who worked in IT as a database programmer and had a degree in computer science myself. I remember looking at the question and thinking it didn't look so difficult, and the law and the technology just kind of made intuitive sense to me. So I took it on, answered the question and never looked back.
The Privacy Advisor: You advise on many topics in the privacy space. Which area do you most enjoy consulting on?
Lee: I love working with innovative tech companies. At heart, I'm just a big kid who enjoys playing with new gadgets, as anyone who has seem my mountainous collection of devices at home will tell you.
Some of the stuff I've seen coming out from exciting tech companies over the years has been crazy, always interesting and, very occasionally, really has the power to change the world. The puzzle solving aspect of how to apply data protection principles to those emerging kinds of technologies, that feeling of being something of a privacy pioneer and knowing I'm advising on things that few other people have ever advised on is what I really enjoy.
The Privacy Advisor: What are your thoughts on Google phasing out third-party cookies? Is it the right decision?
Lee: That's a very difficult question to answer. Cookies divide opinion — among those who know and understand them — very sharply. I don't think people really object to cookies as a technology. They object to the idea of tracking, and there are plenty of ways to track people that don't need and don't use cookies. There's a sense from some quarters that tracking is inherently bad, and I don't believe that. Targeted advertising can be beneficial and cookies can serve other useful functions like preventing malicious actors from engaging in fraud on websites.
However, there is a perception — and, on a personal level, I don't disagree with it — that the element of control has shifted too far away from individuals and their ability to manage how their data is used. That is something that needs to be addressed and any developments that give back control to individuals have, I think, to be welcomed.
The Privacy Advisor: Which cross-border transfer issue do you hear about most these days: Privacy Shield or post-Brexit transfers?
Lee: We're asked questions about both very regularly. Unfortunately, the GDPR hasn't effectively addressed the issues of international data transfers at all. We're still trying to apply some 20th century legal thinking to 21st century data flows, and the inadequacy of those solutions is simply all too apparent. The concern I have is that with so many regions modeling their own privacy regimes off of the GDPR, this problem will grow exponentially with time. But then, I suppose, sometimes things have to get worse before they get better.
The Privacy Advisor: Having worked with organizations from so many countries, which one do you feel currently has the best grasp on privacy?
Lee: I couldn't say. Privacy is very culture-specific and you find those cultural values reflected within local privacy laws.
I generally find things I admire, and things I don't admire, about most regions' privacy rules. The umbrella nature of EU privacy law is something I admire because it creates equal data protection rights for all data subjects, but it can equally be something of a blunt instrument in some sectors. Conversely, the U.S. approach of having more sector-specific legislation lends itself better to context than the GDPR, but also means that there can be gaps.
Photo by Keagan Henman on Unsplash