WEBVTT 1 00:00:00.120 --> 00:00:03.720 Welcome to this deep dive. We're tackling global privacy today, 2 00:00:03.919 --> 00:00:07.799 and our guide is doctor Allen Tang's book, Privacy in Practice. 3 00:00:07.960 --> 00:00:12.640 It's a fantastic resource, really dives into data protection, laws, policies, 4 00:00:12.839 --> 00:00:14.720 real world examples, you name it. 5 00:00:14.839 --> 00:00:16.480 Yeah, it's like a crash course on how all this 6 00:00:16.480 --> 00:00:19.679 stuff actually impacts you and me, not just theoretical stuff. 7 00:00:19.719 --> 00:00:22.920 Exactly, we're going to go way beyond just being left alone. 8 00:00:23.000 --> 00:00:26.199 You know, what does privacy really mean when we're practically 9 00:00:26.239 --> 00:00:27.679 swimming in data these days? 10 00:00:27.800 --> 00:00:29.960 Right? Because it's not about hiding in a bunker, right, 11 00:00:30.039 --> 00:00:33.399 it's about how companies are handling our data, what rights 12 00:00:33.439 --> 00:00:34.119 we actually have? 13 00:00:34.320 --> 00:00:34.799 You got it? 14 00:00:35.079 --> 00:00:38.560 So first things first? What is privacy? Doctor Tang makes 15 00:00:38.560 --> 00:00:41.759 a good point. It's not just about being left alone. 16 00:00:41.799 --> 00:00:43.320 Oh okay, so there's more to it. 17 00:00:43.479 --> 00:00:47.920 Yeah, it's also about autonomy control access to your data. 18 00:00:48.200 --> 00:00:50.320 Okay, I could see that, but like what does that 19 00:00:50.399 --> 00:00:52.399 look like day to day? Like if I'm using a 20 00:00:52.399 --> 00:00:55.640 smart speaker or what are those fitness trackers? Is that 21 00:00:55.679 --> 00:00:56.759 messing with my privacy? 22 00:00:56.840 --> 00:01:00.119 Perfect example? Think about a smart speaker always listening for 23 00:01:00.159 --> 00:01:04.920 your voice, right, super convenient, but it's constantly picking up audio. Yeah, true, 24 00:01:05.079 --> 00:01:09.159 so that could be bumping into your territorial privacy, like 25 00:01:09.400 --> 00:01:13.920 your expectation of privacy at home, but also communications privacy, 26 00:01:13.959 --> 00:01:15.560 like what you're saying in your own space. 27 00:01:15.760 --> 00:01:17.640 Wow, I hadn't thought about it like that. The lines 28 00:01:17.680 --> 00:01:19.280 get kind of fuzzy, they really do. 29 00:01:19.680 --> 00:01:23.879 That's why doctor Tang breaks it down into four key areas, 30 00:01:23.879 --> 00:01:28.120 information privacy, bodily privacy, territorial and communications. 31 00:01:28.200 --> 00:01:30.519 Okay, so not just one big umbrella term. 32 00:01:30.599 --> 00:01:32.799 Nope, they often overlap, but it helps to think about 33 00:01:32.840 --> 00:01:33.400 them separately. 34 00:01:33.519 --> 00:01:35.280 Makes sense. Could you give us like a quick rundown 35 00:01:35.280 --> 00:01:36.000 to each Sure? 36 00:01:36.159 --> 00:01:40.480 Information privacy that's about your personal data, name, address, what 37 00:01:40.519 --> 00:01:44.400 you do online, the basics, gotcha. Bodily privacy that gets deeper. 38 00:01:44.799 --> 00:01:49.079 It's stuff that's uniquely you, genetic data, medical records, biometrics 39 00:01:49.120 --> 00:01:50.439 like part of your physical being. 40 00:01:50.640 --> 00:01:54.359 Okay, so info privacy is like digital you, bodily is 41 00:01:54.400 --> 00:01:56.760 physical you. What about the other two? Right? 42 00:01:56.840 --> 00:01:58.920 So, territory we touched on that with the smart speaker, 43 00:01:59.040 --> 00:02:03.560 right reason, expectation of privacy and spaces your home, car, 44 00:02:03.760 --> 00:02:06.879 even public restrooms they have an implied right to privacy. 45 00:02:07.319 --> 00:02:12.840 And then communications privacy that's keeping your conversation's confidential, phone online, 46 00:02:13.479 --> 00:02:14.360 even snail mail. 47 00:02:14.919 --> 00:02:17.280 Okay, starting to see how complex this whole web of 48 00:02:17.360 --> 00:02:19.960 privacy is. And it's not just companies we got to 49 00:02:19.960 --> 00:02:20.520 watch out for it. 50 00:02:20.599 --> 00:02:24.800 They're right, it's governments too, all that surveillance stuff, even individuals, stalkers, 51 00:02:24.879 --> 00:02:27.360 identity theft, that's a whole mess wild. 52 00:02:27.800 --> 00:02:31.919 Luckily we have laws, right, doctor tang mentions this global 53 00:02:31.960 --> 00:02:34.520 patchwork of privacy laws. What does that mean for US? 54 00:02:34.840 --> 00:02:37.319 Well, good news is over one hundred and thirty seven 55 00:02:37.360 --> 00:02:38.319 countries have some. 56 00:02:38.400 --> 00:02:39.479 Data protection law. 57 00:02:40.000 --> 00:02:41.360 That's a lot, it is. 58 00:02:41.520 --> 00:02:44.639 But not all laws are created equal, you know, scope, 59 00:02:44.639 --> 00:02:47.840 how they define personal data, your rights, it all varies. 60 00:02:47.960 --> 00:02:50.120 So it's not as easy as saying global law, we're 61 00:02:50.120 --> 00:02:50.759 all protected. 62 00:02:50.840 --> 00:02:51.919 Nope, not that simple. 63 00:02:52.080 --> 00:02:54.960 Like take GDPR, that's the EUS big one. Yeah versus 64 00:02:55.120 --> 00:02:57.120 CCPAC Pere, California's deal. 65 00:02:57.439 --> 00:02:59.319 Okay, yeah, I've heard of those. But what are the 66 00:02:59.360 --> 00:03:01.000 big different as we should know about? 67 00:03:01.240 --> 00:03:04.719 Well, GDPR is a broader geographically, any company dealing with 68 00:03:04.759 --> 00:03:07.400 EU resident data, no matter where the company is has 69 00:03:07.439 --> 00:03:07.879 to comply. 70 00:03:08.240 --> 00:03:11.319 So a US company with EU customers, they still got 71 00:03:11.360 --> 00:03:12.240 to follow a GDPR. 72 00:03:12.639 --> 00:03:17.919 You bet ccpack PA it's influential, but more focused on California, So. 73 00:03:17.960 --> 00:03:20.560 Location matters big time for which laws apply. 74 00:03:20.759 --> 00:03:21.360 Absolutely. 75 00:03:21.680 --> 00:03:24.680 Then there's how they define personal data. GDPR is wide 76 00:03:24.960 --> 00:03:27.400 anything that identifies you directly or indirectly. 77 00:03:27.560 --> 00:03:28.520 Hmmm, makes sense. 78 00:03:28.639 --> 00:03:31.919 CCPAC pery started a narrower but CPRA broadened it a lot. 79 00:03:32.039 --> 00:03:34.840 Okay, so getting closer. What about the rights these laws 80 00:03:34.879 --> 00:03:37.000 give us? Do those differ to Yeah? 81 00:03:37.039 --> 00:03:39.919 GDPR starts with a whole bunch of rights. Access your data, 82 00:03:39.960 --> 00:03:42.639 correct it, delete it, restrict processing, even move it to 83 00:03:42.680 --> 00:03:43.400 another company. 84 00:03:43.520 --> 00:03:44.840 Wow, that's a lot it is. 85 00:03:45.280 --> 00:03:50.599 CCPA originally focused on data sales disclosure, but CPR expanded 86 00:03:50.639 --> 00:03:53.039 those rights, getting more similar to GDPR. 87 00:03:53.439 --> 00:03:55.879 So they're kind of moving towards similar levels of protection, 88 00:03:56.080 --> 00:03:57.960 even if from different starting points. 89 00:03:58.039 --> 00:03:58.479 You got it. 90 00:03:58.479 --> 00:04:01.319 And that's a trend throughout doctor Tang's book, this global 91 00:04:01.360 --> 00:04:02.599 push for stronger standards. 92 00:04:02.599 --> 00:04:04.919 Okay, that's good to hear, But how did we even 93 00:04:05.039 --> 00:04:08.479 get tea here? Was there always this concern about data protection? 94 00:04:08.680 --> 00:04:10.639 Like did people one hundred years ago even care? 95 00:04:10.840 --> 00:04:11.639 It's been a journey. 96 00:04:11.639 --> 00:04:14.360 Doctor Tang talks about privacy one point oh two point 97 00:04:14.360 --> 00:04:17.439 oh three point zero shows how tech changed our understanding 98 00:04:17.480 --> 00:04:18.680 of privacy and the laws. 99 00:04:19.079 --> 00:04:22.680 Who I like that? Okay, walk us through these privacy eras. 100 00:04:22.720 --> 00:04:25.680 What was one point oh like privacy one point oh? 101 00:04:25.680 --> 00:04:28.639 That was late eighteen hundreds, early nineteen hundreds. It was 102 00:04:28.680 --> 00:04:34.319 mostly about protecting yourself from nosey pres government snoopings. 103 00:04:33.720 --> 00:04:36.120 Like keeping the Feds out of your business pretty much. 104 00:04:36.399 --> 00:04:40.160 Think about the Fourth Amendment in the US no Unreasonable searches, right, 105 00:04:40.560 --> 00:04:42.000 that's classic privacy. 106 00:04:41.600 --> 00:04:42.040 One point oh. 107 00:04:42.120 --> 00:04:44.759 Gotcha. So back then privacy was like keeping big brother 108 00:04:44.800 --> 00:04:46.439 out of your stuff exactly. 109 00:04:46.959 --> 00:04:49.120 But then came computers databases. 110 00:04:49.399 --> 00:04:52.680 Suddenly we could store tons of data and bam, privacy 111 00:04:52.720 --> 00:04:53.240 two point zho. 112 00:04:53.279 --> 00:04:55.399 Okay, so things got more complicated they did. 113 00:04:55.480 --> 00:04:56.920 This is mid twentieth century. 114 00:04:56.959 --> 00:05:00.240 We start seeing early data laws, fair credit reporting in 115 00:05:00.279 --> 00:05:02.839 the US, Data Protection Directive in the EU. 116 00:05:03.199 --> 00:05:05.480 So people realize, hey, this data thing is getting out 117 00:05:05.480 --> 00:05:07.439 of control. We need some rules exactly. 118 00:05:07.639 --> 00:05:10.279 And that leads us to privacy three point zero. Where 119 00:05:10.279 --> 00:05:14.279 we are NW internet, smartphones, social media, the Internet of. 120 00:05:14.279 --> 00:05:15.720 Things, data data everywhere. 121 00:05:15.800 --> 00:05:18.040 Right, We're making more data than VR, and it's used 122 00:05:18.040 --> 00:05:22.040 in crazy ways, targeted ads, facial recognition, even predicting crime. 123 00:05:22.279 --> 00:05:25.120 Wow, So privacy three point zero is like trying to 124 00:05:25.199 --> 00:05:27.920 tame this databast, make sure it's used responsibly. 125 00:05:28.040 --> 00:05:28.560 You got it. 126 00:05:29.000 --> 00:05:33.560 That's why we see stricter laws like GDPR, CCPACQRAA. China's 127 00:05:33.560 --> 00:05:35.720 got their own PIPL. 128 00:05:35.160 --> 00:05:37.040 So trying to keep up with all the tech changes. 129 00:05:37.000 --> 00:05:40.839 Exactly give individuals more control in this digital age. 130 00:05:41.160 --> 00:05:43.879 This reminds me doctor Tang talks about the business case 131 00:05:43.920 --> 00:05:47.720 for privacy, right, it's not just about avoiding fines, legal trouble. 132 00:05:47.839 --> 00:05:52.839 He's spot on good privacy practices can actually HLP organizations 133 00:05:53.160 --> 00:05:57.439 build trust, loyalty, even give them an edge over competitors. 134 00:05:57.639 --> 00:06:00.439 Okay, so how does that work in real life? Give 135 00:06:00.519 --> 00:06:01.240 us some examples. 136 00:06:01.360 --> 00:06:04.759 Think about data breaches. Companies can face huge fines, their 137 00:06:04.759 --> 00:06:07.879 reputation goes down the drain. Sometimes execs even go to 138 00:06:07.959 --> 00:06:08.720 jail hikes. 139 00:06:08.720 --> 00:06:09.800 That's serious, it is. 140 00:06:10.199 --> 00:06:13.600 But companies that focus on privacy data protection, they often 141 00:06:13.639 --> 00:06:16.079 see more trust from customers. People stick with them. 142 00:06:16.199 --> 00:06:19.120 So it's not just legal or ethical, it's good business. 143 00:06:19.160 --> 00:06:21.839 Absolutely. Consumers are getting smarter. They want companies they can 144 00:06:21.879 --> 00:06:22.800 trust with their data. 145 00:06:22.959 --> 00:06:25.680 So it's about being transparent showing your response with that. Okay, 146 00:06:25.680 --> 00:06:28.519 so what does this mean for companies practically, how do 147 00:06:28.560 --> 00:06:31.720 they build a good privacy program? Where do they even start? 148 00:06:31.920 --> 00:06:35.759 Doctor Tang lays out some core principles. Any program should 149 00:06:35.759 --> 00:06:42.560 have these transparency, purpose limitation, data minimization, accuracy, and security. 150 00:06:43.199 --> 00:06:45.839 Okay, lot to unpack there. Let's start with transparency. What 151 00:06:45.879 --> 00:06:48.040 does that mean? Like on the ground, it. 152 00:06:47.959 --> 00:06:51.079 Means being honest with people about what data you collect, why, 153 00:06:51.279 --> 00:06:52.879 how you use it, who you share it with. 154 00:06:53.079 --> 00:06:55.480 No more hiding behind legal jargon and fine print. 155 00:06:55.639 --> 00:06:59.639 Nope, clear, easy to understand privacy notices people have a. 156 00:06:59.680 --> 00:07:00.199 Right to know. 157 00:07:00.639 --> 00:07:02.560 Makes sense. What about purpose limitation? 158 00:07:02.959 --> 00:07:03.600 This is key. 159 00:07:03.720 --> 00:07:06.560 You've got to be specific about why you're collecting data 160 00:07:06.600 --> 00:07:08.120 and only use it for that reason. 161 00:07:08.360 --> 00:07:11.040 So no more just grabbing data just in case, right. 162 00:07:10.959 --> 00:07:14.600 No data hoarding. Got to be selective, responsible about what 163 00:07:14.680 --> 00:07:17.160 you store. That's where data minimization comes in. 164 00:07:17.240 --> 00:07:19.879 Okay, So how do companies figure out the minimum data 165 00:07:19.920 --> 00:07:22.519 they need? Yeah, especially if they don't know how they'll 166 00:07:22.560 --> 00:07:23.439 use it in the future. 167 00:07:23.720 --> 00:07:28.000 That's the tough part. Requires careful thought. Got to justify 168 00:07:28.160 --> 00:07:31.199 keeping ecch piece of data. Move away from that collect 169 00:07:31.240 --> 00:07:32.480 everything mindset. 170 00:07:32.879 --> 00:07:35.519 So big shift in thinking. What about accuracy? Why is 171 00:07:35.519 --> 00:07:36.319 that so important? 172 00:07:36.519 --> 00:07:39.240 Well, so many decisions are made based on data now 173 00:07:39.319 --> 00:07:44.040 right inaccurate data that leads to unfair outcomes, discrimination, all 174 00:07:44.079 --> 00:07:44.879 sorts of problems. 175 00:07:44.959 --> 00:07:47.959 Makes sense, especially with algorithms and AI making more decisions 176 00:07:48.000 --> 00:07:49.120 these days, exactly. 177 00:07:49.319 --> 00:07:53.360 And lastly, security, what does that mean for privacy? Security 178 00:07:53.399 --> 00:07:56.680 is putting up those safeguards technical and d organizational to 179 00:07:56.680 --> 00:08:02.759 protect data from well everything, unauthorized access, use, disclosure, changes, deletion. 180 00:08:02.519 --> 00:08:03.120 You know it. 181 00:08:03.160 --> 00:08:06.120 So digital walls to keep out the bad guys, kind 182 00:08:06.120 --> 00:08:10.160 of encryption, strong passwords, access controls, and a plan for 183 00:08:10.240 --> 00:08:12.199 when things go wrong, a breach response plan. 184 00:08:12.519 --> 00:08:15.759 So it's not just tech, it's policies, training, a whole 185 00:08:15.759 --> 00:08:16.600 culture of security. 186 00:08:16.720 --> 00:08:17.120 You got it. 187 00:08:17.160 --> 00:08:19.839 Everyone from the top down needs to understand how important 188 00:08:19.839 --> 00:08:20.839 protecting data is. 189 00:08:21.120 --> 00:08:22.560 It sounds like a lot of work to build a 190 00:08:22.560 --> 00:08:25.839 strong privacy program. It's not just checking boxes, it's making 191 00:08:25.879 --> 00:08:30.120 privacy part of the company's DNA right, and doctor Tang 192 00:08:30.199 --> 00:08:32.519 actually takes it a step further with this idea of 193 00:08:32.600 --> 00:08:36.679 privacy by design. Yeah, we're talking tell me more. Is 194 00:08:36.720 --> 00:08:40.279 privacy by design even possible? With how fast tech moves, 195 00:08:41.320 --> 00:08:45.200 can companies innovate quickly and deprotect privacy. 196 00:08:45.399 --> 00:08:48.720 It's a challenge, but it's the challenge. Privacy by design 197 00:08:48.879 --> 00:08:53.000 means making privacy part of every system, every process from 198 00:08:53.039 --> 00:08:54.480 the very beginning. 199 00:08:54.159 --> 00:08:56.039 So not adding it on later as an afterthought. 200 00:08:56.240 --> 00:08:59.840 Exactly, think about potential privacy risks throughout the entire life 201 00:08:59.840 --> 00:09:03.559 of product or service. Build in those safeguards from day. 202 00:09:03.360 --> 00:09:05.759 One, so baking it in, not bolting it. 203 00:09:05.720 --> 00:09:10.120 On, exactly, being proactive that can lead to better privacy solutions. Overall, 204 00:09:10.279 --> 00:09:12.960 turns a compliance headache into real positive change. 205 00:09:13.000 --> 00:09:15.240 That makes a lot of sense. So how do companies 206 00:09:15.279 --> 00:09:17.720 actually do this? What are some concrete examples? 207 00:09:17.840 --> 00:09:20.120 Doctor Tang has a bunch of practical steps, but two 208 00:09:20.159 --> 00:09:23.080 big ones are data inventory and privacy notices. 209 00:09:23.120 --> 00:09:25.159 Okay, data inventory, Why that's so important? 210 00:09:25.279 --> 00:09:28.480 You can't protect what you don't know you have. Data 211 00:09:28.519 --> 00:09:32.200 inventory means mapping out all the personal data your company handles, 212 00:09:32.519 --> 00:09:34.960 where it is, what it is everything. 213 00:09:34.759 --> 00:09:37.440 So like a map of all the data flowing through 214 00:09:37.480 --> 00:09:40.840 the company. But I bet most companies have no idea 215 00:09:40.960 --> 00:09:42.039 where all their data is. 216 00:09:42.279 --> 00:09:45.840 It's more common than you think. Creating that inventory. It 217 00:09:45.840 --> 00:09:48.519 can be a huge ge task, especially. 218 00:09:48.120 --> 00:09:50.480 For big companies, I can imagine. 219 00:09:50.080 --> 00:09:53.399 But it's necessary if you're serious about privacy. Helps you 220 00:09:53.480 --> 00:09:57.399 identify risks, see if you're collecting too much data, find 221 00:09:57.480 --> 00:10:00.799 weak spots in security, make sure your privacy note are accurate, 222 00:10:00.879 --> 00:10:01.759 the whole nine yards. 223 00:10:01.799 --> 00:10:05.200 So it's the foundation of a good program basically. And 224 00:10:05.240 --> 00:10:07.840 speaking of privacy notice, doctor Tang talks a lot about 225 00:10:07.879 --> 00:10:08.759 those two he does. 226 00:10:08.840 --> 00:10:12.879 He's all about making them clear, concise, actually user friendly. 227 00:10:13.200 --> 00:10:15.720 No one wants to read pages of legal mumbo jumbo. 228 00:10:15.879 --> 00:10:18.120 I've definitely been guilty of just scrolling through those without 229 00:10:18.120 --> 00:10:20.080 reading a word. So how do you make them engaging? 230 00:10:20.279 --> 00:10:23.720 Plain language, Ditch the technical terms, break down complex stuff 231 00:10:23.720 --> 00:10:24.759 into bite sized pieces. 232 00:10:24.799 --> 00:10:27.159 Okay, so read people like humans exactly. 233 00:10:27.240 --> 00:10:30.039 Explain what data you collect, why, how you use it, 234 00:10:30.080 --> 00:10:32.480 who you share it with, what rights people have. 235 00:10:32.840 --> 00:10:33.600 Make it simple. 236 00:10:33.919 --> 00:10:37.320 It's about respect, acknowledging people's right to know what's happening 237 00:10:37.320 --> 00:10:38.039 with their data. 238 00:10:38.080 --> 00:10:42.480 Absolutely, a good privacy notice builds trust, shows you're committed 239 00:10:42.480 --> 00:10:43.320 to transparency. 240 00:10:43.600 --> 00:10:46.279 That makes sense. But let's be real. Things aren't always 241 00:10:46.320 --> 00:10:50.240 so simple, are they. Doctor Tang mentions these tricky situations 242 00:10:50.840 --> 00:10:55.080 like consent and legitimate interest areas where the lines get blurry. 243 00:10:55.200 --> 00:10:58.480 You're right, those are tough ones with consent. The question 244 00:10:58.679 --> 00:11:02.320 is when is it really valid? We click agree to 245 00:11:02.399 --> 00:11:04.399 so much online without thinking. 246 00:11:04.159 --> 00:11:06.720 Oh all the time? So what are some red flags? 247 00:11:06.759 --> 00:11:09.080 When should we question if consent is actually real? 248 00:11:09.360 --> 00:11:14.000 GDPR is clear consent has to be freely given, specific, informed, 249 00:11:14.039 --> 00:11:15.120 and unambiguous. 250 00:11:15.279 --> 00:11:17.720 Okay, so no pressure tactics, right, Like if. 251 00:11:17.639 --> 00:11:19.879 You have to consent to use a service, or if 252 00:11:19.879 --> 00:11:22.080 it's buried in a huge wall of text, that's not 253 00:11:22.120 --> 00:11:22.759 real consent. 254 00:11:23.000 --> 00:11:25.600 So if you're pressured or tricked, it might not hold 255 00:11:25.639 --> 00:11:28.720 up legally. What about legitimate interests? That sounds tricky too. 256 00:11:29.000 --> 00:11:30.519 It is legitimate interests. 257 00:11:30.559 --> 00:11:33.919 It's another way to justify processing data, but it's a balancing. 258 00:11:33.440 --> 00:11:35.320 Act, well kind of balancing act. 259 00:11:35.200 --> 00:11:40.240 Balancing the organization's interests against the individual's privacy rights. Like 260 00:11:40.480 --> 00:11:43.320 a company might have a legitimate interest in processing data 261 00:11:43.360 --> 00:11:45.440 for security, preventing fraud. 262 00:11:45.919 --> 00:11:47.320 Oh yeah, it seems reasonable. 263 00:11:47.399 --> 00:11:51.080 It can be, but it can't outweigh basic rights and freedoms. 264 00:11:51.600 --> 00:11:54.279 Companies have to justify it, show they've thought about the 265 00:11:54.320 --> 00:11:55.679 impact on people's privacy. 266 00:11:56.240 --> 00:11:58.600 So it's not just a free pass to do whatever 267 00:11:58.639 --> 00:11:59.480 they want with data. 268 00:11:59.639 --> 00:12:00.559 Nope, not at all. 269 00:12:00.799 --> 00:12:04.080 It's all about careful consideration, really understanding the laws. 270 00:12:04.360 --> 00:12:07.039 It's definitely more complicated than it seems at first glance. 271 00:12:07.559 --> 00:12:10.200 There's so much more to it than meets the eye, for. 272 00:12:10.120 --> 00:12:12.440 Sure, And we've only just scratched the surface. 273 00:12:12.519 --> 00:12:14.480 Well, we've covered a ton of ground already in this 274 00:12:14.559 --> 00:12:16.399 deep dive, but there's more to come. 275 00:12:16.799 --> 00:12:19.480 Welcome back to our deep dive into privacy and practice. 276 00:12:19.960 --> 00:12:22.000 We were just getting into some of the trickier parts 277 00:12:22.039 --> 00:12:25.080 of privacy, like when is consent really valid? 278 00:12:25.279 --> 00:12:27.360 Yeah, and now I'm thinking about all the companies we 279 00:12:27.399 --> 00:12:30.480 hand our data over to, not just one, right, this 280 00:12:30.679 --> 00:12:31.879 third party risk. 281 00:12:31.799 --> 00:12:32.919 Thing, it's a big one. 282 00:12:33.080 --> 00:12:36.879 Companies share data all the time, vendors, suppliers, partners, the 283 00:12:36.919 --> 00:12:37.720 whole shebang. 284 00:12:37.960 --> 00:12:39.960 So it's a tangled web basically totally. 285 00:12:40.120 --> 00:12:40.879 And here's the thing. 286 00:12:41.279 --> 00:12:45.000 They're still responsible for protecting that data even if it's 287 00:12:45.000 --> 00:12:46.320 not in their hands directly. 288 00:12:46.399 --> 00:12:47.919 Oh so it's not like they can just wash their 289 00:12:47.960 --> 00:12:48.639 hands of it. Nope. 290 00:12:48.720 --> 00:12:51.840 Doctor Tang is very clear on that. Organizations they have 291 00:12:51.919 --> 00:12:54.360 to do their homework when they work with vendors, you know, 292 00:12:55.080 --> 00:12:56.039 vet them carefully. 293 00:12:56.320 --> 00:12:58.679 So make sure those vendors have good privacy. 294 00:12:58.240 --> 00:13:02.279 Practices too, exactly, and have really solid contracts spell out 295 00:13:02.320 --> 00:13:06.279 who's responsible for what. When it comes to data protection, it's. 296 00:13:06.080 --> 00:13:09.240 Like picking your friends carefully, right. You want to align 297 00:13:09.559 --> 00:13:11.759 with companies that share your values. 298 00:13:11.879 --> 00:13:15.679 Great analogy, building a network of trust. It's crucial. And 299 00:13:15.759 --> 00:13:17.519 it's not just the big name companies we got to 300 00:13:17.519 --> 00:13:19.320 think about. They're also data brokers. 301 00:13:19.360 --> 00:13:21.759 They get brokers. That sounds kind of, I don't know, shady. 302 00:13:21.919 --> 00:13:24.679 They can be data brokers. They're kind of behind the 303 00:13:24.679 --> 00:13:28.080 scenes in this whole data world. They collect and sell 304 00:13:28.120 --> 00:13:29.279 personal data from. 305 00:13:29.120 --> 00:13:31.840 All over really from where. 306 00:13:31.320 --> 00:13:34.919 Tons of places, and often people have no idea it's 307 00:13:34.919 --> 00:13:35.559 even happening. 308 00:13:35.960 --> 00:13:36.519 This data. 309 00:13:36.840 --> 00:13:40.799 It gets used for targeted advertising, credit scores, background checks. 310 00:13:40.480 --> 00:13:41.399 All sorts of stuff. 311 00:13:41.720 --> 00:13:45.240 So what's the risk with these data brokers? If they're legal, 312 00:13:45.399 --> 00:13:46.200 why should we care? 313 00:13:47.200 --> 00:13:51.039 Well, the big worry is what if that data gets misused, abused, 314 00:13:51.200 --> 00:13:56.240 If they don't have good security, it's vulnerable, right, breaches, leaks, 315 00:13:56.279 --> 00:13:57.000 that kind of thing. 316 00:13:57.159 --> 00:13:59.240 Okay, that makes sense, And even if it's used for 317 00:13:59.240 --> 00:14:02.440 something legitimate. I don't love the idea of my info 318 00:14:02.519 --> 00:14:05.000 being bought and sold without my knowledge. 319 00:14:05.039 --> 00:14:05.440 That's the thing. 320 00:14:05.480 --> 00:14:07.120 A lot of people feel that way. Are there any 321 00:14:07.200 --> 00:14:09.840 laws about this? You know, keeping these data brokers in check. 322 00:14:10.039 --> 00:14:11.000 That's what I was wondering. 323 00:14:11.080 --> 00:14:14.240 Some places are starting to regulate them. California, Vermont they've 324 00:14:14.240 --> 00:14:17.639 got laws now data brokers have to register, give people 325 00:14:17.639 --> 00:14:20.679 more control over their data. Okay, so baby steps, yeah, 326 00:14:20.720 --> 00:14:23.840 but globally regulation is behind. You know, a lot of 327 00:14:23.879 --> 00:14:26.799 work to do, both laws A and D making people 328 00:14:26.840 --> 00:14:28.159 aware this is even happening. 329 00:14:28.279 --> 00:14:29.840 So it's kind of the wild West out there when 330 00:14:29.879 --> 00:14:32.519 it comes to data brokers. Anything we can do to protect. 331 00:14:32.200 --> 00:14:35.840 Ourselves absolutely, check those data brokers periodically, see if they 332 00:14:35.879 --> 00:14:39.960 have your info. Then exercise your rights, you know, access correct, 333 00:14:40.080 --> 00:14:41.320 even delete that data. 334 00:14:41.480 --> 00:14:45.440 So be proactive, take charge of your digital footprint exactly. 335 00:14:45.559 --> 00:14:48.399 And this leads us to another messy topic, cross border 336 00:14:48.600 --> 00:14:52.480 data transfers. Data zips around the globe. But that must 337 00:14:52.559 --> 00:14:54.200 create all sorts of legal issues. 338 00:14:54.279 --> 00:14:56.879 Oh yeah, for sure. Every country has different laws, right, 339 00:14:56.919 --> 00:14:57.440 you got it. 340 00:14:57.759 --> 00:15:00.919 In some countries like China, Russia, they've got these data 341 00:15:00.960 --> 00:15:02.120 localization laws. 342 00:15:02.360 --> 00:15:04.240 Data localization, what's that all about? 343 00:15:04.399 --> 00:15:07.759 Basically, they force certain types of data to be stored 344 00:15:07.799 --> 00:15:10.720 and processed within their borders. They say it's for national security, 345 00:15:10.759 --> 00:15:14.720 protecting their citizens' privacy. I could see that side, Yeah, 346 00:15:14.799 --> 00:15:18.240 but it can also mess with international trades, slow down innovation. 347 00:15:18.600 --> 00:15:22.399 It's complicated, lots of economic and political angles to consider. 348 00:15:22.759 --> 00:15:24.600 Can you give us a real world example? How does 349 00:15:24.639 --> 00:15:26.679 this impact the stuff we use every day? 350 00:15:26.759 --> 00:15:30.279 Doctor Tang uses Microsoft three sixty five as a case study. 351 00:15:30.279 --> 00:15:33.200 It's perfect for this, Microsoft through a US company. But 352 00:15:33.320 --> 00:15:36.240 where your data is stored it depends on your location. 353 00:15:36.480 --> 00:15:39.600 Oh interesting, So it's not just one big data center somewhere. 354 00:15:39.320 --> 00:15:43.360 Nope, EU organization. Your data likely stays in the EU, 355 00:15:43.759 --> 00:15:46.919 but other regions your data might end up somewhere with 356 00:15:47.000 --> 00:15:48.200 weaker privacy laws. 357 00:15:48.519 --> 00:15:53.240 So even with global services, local laws still matter. It's 358 00:15:53.240 --> 00:15:56.519 a legal maze. How do companies even figure this out? 359 00:15:56.639 --> 00:15:59.960 Make sure they're transferring data ethically, A and D legally. 360 00:16:00.320 --> 00:16:04.159 It's tough, but crucial if you're doing business globally. Doctor 361 00:16:04.200 --> 00:16:07.399 Tang goes through a few legal mechanisms that companies can use. 362 00:16:07.519 --> 00:16:11.639 Legal mechanisms sounds complicated, They can be, but they're important. 363 00:16:12.080 --> 00:16:16.080 There are things like standard contractual clauses, binding corporate rules, 364 00:16:16.120 --> 00:16:17.480 and adequacy decisions. 365 00:16:17.679 --> 00:16:20.360 Okay, break those down for me. What are the differences. 366 00:16:19.960 --> 00:16:23.879 Standard contractual clauses secs? Those are like preapproved contracts for 367 00:16:23.919 --> 00:16:27.200 transferring data outside the EU. They offer set of safeguards 368 00:16:27.240 --> 00:16:29.559 make sure the data is protected to a similar standard 369 00:16:29.759 --> 00:16:30.960 as GDPR, so. 370 00:16:30.919 --> 00:16:31.639 It's a shortcut. 371 00:16:31.639 --> 00:16:33.720 Basically, don't have to reinvent the wheel every time you 372 00:16:33.720 --> 00:16:35.360 move data across border exactly. 373 00:16:35.399 --> 00:16:38.879 It makes things easier. Then you've got binding corporate rules BCRs. 374 00:16:38.879 --> 00:16:42.919 Those are internal data protection policies good for multinational companies, 375 00:16:43.080 --> 00:16:45.240 governed transfers within their own organization. 376 00:16:45.440 --> 00:16:46.480 Some more customized. 377 00:16:46.519 --> 00:16:49.559 You got it more complex to set up than secs, 378 00:16:49.759 --> 00:16:53.320 but more flexibility tailored to how the company works. BCRs 379 00:16:53.360 --> 00:16:55.840 are like a custom suit. Secs are off the rack. 380 00:16:56.120 --> 00:16:59.200 I like that. And then there are adequacy decisions. Those 381 00:16:59.240 --> 00:17:00.559 come from the European Commission. 382 00:17:00.600 --> 00:17:01.840 Oh, so the EU decides. 383 00:17:01.919 --> 00:17:05.920 They decide if a country has good enough data protection laws. 384 00:17:06.359 --> 00:17:10.119 If they get that adequacy decision, companies can transfer data there, 385 00:17:10.720 --> 00:17:12.880 no problem, no extra safeguards needed. 386 00:17:12.960 --> 00:17:14.960 So it's like a seal of approval from the EU 387 00:17:15.160 --> 00:17:15.759 pretty much. 388 00:17:16.319 --> 00:17:20.039 But those decisions can change, you know, if country's laws 389 00:17:20.039 --> 00:17:23.400 get weaker or there are worries about government snooping, the 390 00:17:23.440 --> 00:17:24.359 EU can take it away. 391 00:17:24.400 --> 00:17:25.480 So it's not a permanent thing. 392 00:17:26.799 --> 00:17:30.799 Keeping up with data privacy regulations is a full time job, seriously, and. 393 00:17:30.720 --> 00:17:34.319 It sounds like it. But understanding these mechanisms it's key 394 00:17:34.400 --> 00:17:36.920 for anyone handling data in this global world. 395 00:17:37.119 --> 00:17:39.960 Couldn't agree more. Okay, let's shift gears a bit talk 396 00:17:39.960 --> 00:17:43.720 about data retention and deletion. Do companies really need to 397 00:17:43.799 --> 00:17:44.839 keep our data forever? 398 00:17:45.160 --> 00:17:46.759 Right? That's something I've always wondered. 399 00:17:46.839 --> 00:17:50.920 Doctor Tang tackles that head on. There's this principle storage limitation. 400 00:17:51.400 --> 00:17:53.519 Companies should only keep data for as long as they 401 00:17:53.559 --> 00:17:55.400