Darshan
Hey everyone, welcome to another episode of DarshanTalks. I'm your host, Darshan Kulkarni. It's my mission to help you trust the products you depend on. As part of that, it's actually trusting that your privacy is safe and ensuring that appropriate steps are taken to make sure that the products you receive, the services you receive, don't compromise you in any significant way. So if you are interested in anything associated with the life sciences, if you're interested in just business-to-business disputes, this conversation can be really kind of interesting. If you think about it, as you know, I'm an attorney, and I advise companies with FDA-regulated products. So if you think about drugs, wonder about devices, ponder over pharmacy, this is a podcast for you. Again, both of us are attorneys. My guest today and I are both attorneys. So I do have to clarify, this is not intended to be legal advice. I'm a pharmacist as well, so it's not intended as clinical advice either. So that's one of the key pieces. I do these podcasts because they are a lot of fun. I like to ensure that everyone's sort of enjoying themselves. So if you are, please like, share, and leave a comment; please subscribe. We'd love to have you be part of this community. You can always reach me on Twitter at DarshanTalks, or you can also reach out to me on my website, DarshanTalks.com. Our guest today is an attorney at Flaster Greenberg. She is the go-to privacy guru at Flaster. So we're going to find out a lot more; we're going to discuss a lot about what that means and what that looks like. So stay tuned. This is going to be really, really exciting. Our guest for today is Krishna Jani. How are you, Krishna?
Krishna
Hey, Darshan, thanks for having me. I'm well.
Darshan
I'm doing well. Thank you for coming on. Tell me a little bit more about what your role is at Flaster, or what have you been working on? And how have things been?
Krishna
Yeah, things have been really good. I'm in our Conshy office today. Usually I'm in Philly, so I sort of have the benefit of going back and forth. Things are great. We are a full-service firm. For anyone who doesn't know, we are a regional firm here in the Philadelphia region. So we've got offices in Conshohocken, New Jersey, New York, and now Florida. And we're full service, which is great, because as a privacy attorney, I find that my practice area overlaps with a ton of other practice areas, which of course have to take privacy and security into consideration in building out structures and launching websites and the like. So I've done some of that recently: lots of privacy policies and sort of compliance and counseling for folks who are launching consumer-facing products, and lots of websites for that. And we're also handling some pretty big litigation for companies that are engaged in business-to-business disputes, as you mentioned, regarding the development of software technologies. I think we mentioned this a little bit before we went live here, but I'm also working with another software developer who used to sell sort of CDs, old-school CDs; think of, you know, my generation, we played Carmen Sandiego on CD-ROM. So he would sell software that way to medical providers, and of course, when we talk about any medical information, we're dealing with protected health information, or PHI, and now he's migrating or moving to a cloud-based system. So we're helping him with that update.
Darshan
So there's so much here that we need to get into. Let me start with all the basic questions. You mentioned that you work on developing the privacy policies for websites. That's one of the things you threw out there. I get these questions all the time. I'll have someone reach out to me going, you know what, I'm developing a website for my company, can you help create a privacy policy? And they say, it's a minor thing, don't worry too much about it, don't spend more than a half hour to an hour working on it, because, you know, we can just sort of copy it from another website and put it up here. What is your response when you get that question?
Krishna
Oh my gosh, that is something we get, depending on the size of the company and who we're dealing with, and their level of knowledge about privacy and security. We get that a fair amount too. And what I try to tell people is, look, not only is the law moving in the direction of being more privacy conscious, and understanding that data is a commodity that people, in theory, have a right to access and control, but the idea is to be transparent when you can. And so I try to caution people against slapping a boilerplate privacy policy on their websites, depending on what they do and the level of sophistication of their company, and really building out a privacy policy so that their employees and their vendors are bound by that policy, so that they are putting a notice on the website that is both current and stays updated, and that reflects policies that both inform consumers, the data subjects, of their rights, and let them know, as data controllers or processors, what they do with their data. So I really try to create sort of this dialogue and symbiotic conversation about this, and letting them know that if they do want to take the easy route, that's okay. But that's something that, you know, we should caution against, because we're going to have to revisit it and revamp it down the line anyway.
Darshan
So you talk about the movement towards more control, the movement towards patients and subjects and consumers having access to that, and being, as you put it, data controllers, if you will, as companies. I guess my question for you is, a lot of these startups haven't, they're still working on what their idea is; to start thinking about processing data is an afterthought. It's almost like how they're gonna make money. But do we need to worry about that right now? Do you advise startups to get into that space and start to get their hands dirty early on? Or do you sort of do it phase-wise: here's where you are right now, work through this component, and then talk to me about this component? How do you sort of advise companies?
Krishna
Yeah, that's a great question. And I think, again, I mean, I don't want to be like a typical lawyer and say everything depends. But it depends to some degree on what the company is and what they're aiming to do with that data. So if they're selling data for profit, there's a whole other set, especially when taking into account California's CCPA, and especially the new, not yet in effect, but newly passed law, the CPRA. There are all sorts of implications for companies that sell data for profit, or to earn revenue, I should say. But if you're not doing that, if you're just using data for whatever, for data analytics, for example, or to process financial information, all that is important, because what I caution against is just sort of slapping on a policy and not taking it into account and then trying to filter it in later. Because it doesn't work that way. Data is part and parcel of everything we do, especially when we're working online; we're collecting everything from name, address, email address, financial information, and in some cases, when it comes to things like telehealth, protected health information. So building a privacy-by-design policy from the ground up is, I think, more effective and even more cost effective, arguably, in the long term. And of course, like attorneys, we always think about risk. You want to mitigate your risk, so that if a breach happens, right, if a cyber attack happens and it results in a breach, you are protected to some degree, depending on whether you've taken this into account, built it in, and you're doing the right stuff from the ground up.
Darshan
So I mean, that's super important. And sort of like you said, it goes to risk mitigation and prioritization and all those good things. But let's say we've got a company now that's a little bit more developed. They've got their feet underneath them, and they're going, okay, I need to start thinking about a privacy policy and how that connects. How do you guide them?
Krishna
Yeah, that's great. So I would start with a series of questions, you know, what does the company do? How does it collect data, and from whom? Because another consideration is, you know, you have these sort of categories of data: you've got financial data, you've got health information; some of these things are governed by federal statute. But when you're coming to sort of different levels of data, apart from subject-matter categories, you're getting into how old is this person. You know, if we're talking about the data of minors, you have to be careful about how you treat that, especially if they're under the age of 13, pursuant to a different federal statute. So all that matters in terms of collection and storage. And then the idea is to map that data, right, where it goes in the systems, who has access to that data. We really try to emphasize data minimization principles, which means only collect the data you need for the purpose of your business, and don't store it for longer than you need. You know, if you've got someone you've not spoken to, or who is no longer a customer or patient, there are some laws that govern how long you've got to keep that information. But generally, don't keep it, right, because stale data is a liability. So we sort of start by asking a series of questions, and then go through the types of data, map that data, and then employ a series of policies and thus notices to the public or to the patients about those policies. So that, again, it's transparent and consistent across the board.
Darshan
Which is really, really interesting. So you talk about this principle of data minimization, which is super interesting. It sort of came out of, I think, at least from GDPR, and that was where it really started. But there's a whole element, and this is not just privacy data at this point, I'm talking about data in general. In the life sciences, one of the big things we struggle with is this idea that more data is good data, because then I can connect and draw connections I didn't even know about. So my question for you is, how do you argue with the logic that, yeah, maybe more data is good data, because you can draw correlations that you couldn't see before?
Krishna
Yeah, that's a great question, especially taking into account the field that we're talking about, which is life sciences. So you're talking about things like, I think it's all on our minds right now, clinical trials, vaccine research, and research and development generally in the scientific field. So I'll answer the question by giving you a caveat: it depends on what type of data and how it's stored. So if you've got personally identifiable information or protected health information, again, that's a huge liability. You can do it, but you've got to do it in certain ways and make sure you've got the right structures in place and security in place. But what would be more important for your business, probably, is just having the data and not having it be connected to a data subject or an individual, which means that you can anonymize it, or probably better, de-identify it. And I know that the GDPR provides exceptions for this, among other laws; you know, if you have data that's de-identified, meaning that it can't be connected to a single person, then the risk of having that data, and thus having unauthorized access to that data, greatly diminishes.
Darshan
So we're talking about these two terms, and they get thrown around a lot. Could you help explain what de-identification is? And how does that compare to pseudonymization?
Krishna
Yeah, so pseudonymization is just a lesser level of protection, because, think of a pseudonym, right? You're assigning something to a set of data that is not the actual person's name, or perhaps not linked to all facets of their data, ID or digital ID, we should say. But it's not as robust in terms of protection as de-identified data, which removes several more factors, and really strips the data, to the extent practicable and possible, in some cases, of linking to an individual person. So let's say someone finds out that patient A has some disease that may have a stigma around it. You know, it's important that that data is de-identified for the purposes of clinical trials or performing research, because we don't need to know that; we need to know what the data yields, what the research yields, rather. So in that case, I think it can be important for researchers, developers, hospitals, in some cases, to keep data, even more data than they may need perhaps, or a greater set of data than another type of industry might need. But for the medical field, you might need more data. But the idea is, if you store it, de-identify it; then it subjects the company to less liability if there is unauthorized access. And I think that is something to consider across the industry.
Darshan
I think that's a really important point, this idea of unauthorized access. When I talk to clients, they all know the importance of data privacy, and they know the importance of protecting patient information. But there's a certain sense of fatalism that I sense when I talk to them, which is, if I'm gonna get hacked, I'm gonna get hacked. I'm not sure how much more I can do. I have an entire IT team, but it gets past them. What am I going to do? So why bother going above and beyond? There's that sense of fatalism. I just heard that there's a local hospital that you and I have probably been around, and I don't want to name names, because I don't know if it's news yet, that recently got hacked. And the truth is, most hospitals are getting hacked. And that's a big issue. I guess my question to you is, how do you help convince companies that, yes, there may be a sense of fatalism around it, but the fact is that you still need to take those steps?
Krishna
Yeah, and I think that's where having the backing of my full-service firm comes into play. We've got corporate folks, we've got litigation folks; I work a lot of litigation. So putting my litigator hat on for a moment, when I'm looking at these cyber attacks that result in breaches, especially when it relates to protected health information, I'm not just thinking about, okay, sure, there might be a cyber attack on your organization. I'm thinking, okay, is someone going to sue you as a result of that? And if they do sue you, what is your defense going to be? Is your defense gonna be, you know, we outsourced our IT, we have no consistent contact with them, our privacy policy is five years old, our systems have not been updated, our hardware and our software are outdated, and by the way, we've never talked about cybersecurity at a single board meeting? That might be a significant problem when it comes to finding liability for having done that. So I think a sense of fatalism about experiencing an attack is one thing; a sense of fatalism that could actually pose an existential crisis to your organization is a completely different thing. And I think, you know, having those discussions, putting systems in place, making sure your vendor agreements are up to date, making sure your privacy policy is up to date, making sure software is up to date, all of those things can be factors that courts or regulatory agencies take into account in assessing penalties, fines, and other violations. And to some degree, you know, I want to be sensitive to clients or hospitals or medical providers that are small or that are startups, or that are just, maybe, you know, it's a business decision. So to some degree, if you want to make a business decision that you understand could subject you to more liability if you don't update that when you've got the funds and the time, that's fine.
But my job is to let people know what the risks are if they don't do that, either now or, you know, pretty soon in the future.
Darshan
It's interesting, I always think about that word, business decisions, because I find the concept fascinating. And what I mean by that is, you're right, we all take this position that, yes, you can spend the money on it, or maybe we spend it later on. But as a lawyer, I always think it's my job to tell you the risk; you can make the decision you want. Right? At what point have you sort of found this idea that they now have something written down that says this is a risk, and they're going to now ignore it? And so how do you handle that part of it?
Krishna
That can be difficult. I will say that I have not had the experience yet of a client experiencing, well, I had one potential client come to us and have a discussion about, and this is not life sciences, but he's an attorney, and his firm was hacked. And he had no idea when the hack started, he had no idea when it definitively ended. He did not know what data had been accessed and what was done with that data. But his payment, I think a payment coming to his firm from another firm for a settlement, had been intercepted, which is how they discovered the cyber attack in the first place. And he was very concerned about getting that money back, but not concerned with the rest. And so we kept trying to tell him, well, look, that's huge, you know, this lump sum payment that goes to your client, that goes to your firm, absolutely important. But also, getting a hold of the scope of this attack is paramount to your very existence as an organization. So let's talk about that. And he just was not interested. And so, for a lot of reasons, it sort of didn't work out in terms of representation. But that can be difficult. It's a fine line; it depends on the organization, and what their resources are, and sometimes what their level of understanding is about the repercussions. You know, the law is just starting to take shape; it does not follow the same pace as technology, of course, cyber attacks, and other sorts of innovation in the sciences. And so that sometimes is difficult to manage, you know, people who are not so well versed in the law, but may have a really robust sense of the science. And you know, you sort of have to say, well, the law is catching up, but also, if it gets to this point, you're in real trouble.
Darshan
I love what you're getting into. But let me ask you a question, because you sort of hinted, when we talked about technology changing, and it sort of reminded me of something. And I'm fully aware you may not have dealt with the issue, so if you haven't, feel free to say I haven't dealt with this issue yet. But when we think about technology, I think recently about blockchain. And the big thing with blockchain is, it is immutable. That's the whole point of it. And yet everyone I know is talking about putting things onto the blockchain, including patient information. How do you advise that? First of all, are you aware of either an exception or a methodology? And again, there may be other methods; have they come across your table yet? Where you can sort of address and work with blockchain and still be in compliance with GDPR, CCPA, or something else?
Krishna
Sure, you know, I will say that I personally have not dealt a lot with blockchain. But for example, I mentioned at the outset that I was talking with a software developer who was moving to the cloud, right? So he's moving systems; there's going to be communication available, there's going to be storage, and also sort of interactive platforms available. And he told me sort of like, look, I don't think I'm gonna use encryption for XYZ. I said, wait a second, guy, you're dealing with protected health information, you are building this from scratch, you really want to consider using end-to-end encryption for all of your communication to the extent you're talking about protected health information and patient data generally. And there was a little bit of pushback. And again, he's a software developer, he understands the industry he's in, he's sort of created this from the ground up; it's his business. So it's not a blockchain story. But the idea is, again, I am very risk averse; I will sort of always recommend this high level of protection, the highest level of encryption in transit and at rest, because it's the greatest level of protection you can get. And if, in your business judgment, you decide not to do that, that's fine. But depending on the type of data, not so much with HIPAA and HITECH, but you know, the idea is, I just try to caution them against any lower level of protection, and if they do that, you know, it can be okay.
Darshan
Right, right. So let me ask you another question, and I've wondered about this for a while, which is this idea of, I'm sorry, I'm going back to the conversation we had a little earlier around anonymization and pseudonymization, and what questions we've dealt with, and I'm sure this has come across your table before, is this idea that there's no such thing as anonymization anymore. So how do you deal with that concept when you're advising companies? I'll let you sort of expound on that a little bit.
Krishna
Yeah, it's so interesting. You know, I wish I had the book in front of me, but I was reading a book, I think it was the one written by April Falcon Doss; it's a new one that she has just put out. It's all about cybersecurity and privacy. And she cites a study, I think it was performed in the 80s or 90s, so, you know, technologically, decades, eons ago. And it talks about how, at that time, anonymization of data was becoming so obsolete that even with two or three data points, they were able to tie a data set to an actual, individual person, which is startling. What I would say is, you know, to the extent you can de-identify and delete information that relates to an actual patient, or subject, or person, because it doesn't matter for the purposes of a clinical trial or other sorts of research and development, I would advise you to do it. Because, again, from my perspective as an attorney, when you're talking from the perspective of a litigator, you're thinking, okay, so have you made the effort? Like, what is the standard legally? And then have you followed that standard to the best of your ability, even if it's impractical, given the sophistication of cyber attacks these days? Have you done it to the best of your ability? That's what I would say; no system is perfect. And so I think that the knowledge of the law and the standards in your industry, and the attempt to comply with those laws, is what's going to be taken into account if and when this ends up, you know, in front of a regulatory agency or in court.
Darshan
So let's take a little bit of a pivot and go into some of the things you've talked about. And I don't want to dig too deep, because you talked about some fascinating things. I mean, they all struck my interest. But the one that really spoke to me was this idea of the Uniform Personal Data Protection Act. And we talked about that a little bit before the conversation started. Can you talk to us a little bit about what that is? What are the implications of it? And quite bluntly, why should I care?
Krishna
Yeah, let me tell you what it is, and why you should care. So the Uniform Personal Data Protection Act was proposed by the Uniform Law Commission. This is the organization that put forth the Uniform Commercial Code, for any attorneys out there. It is basically a model bill. And what it does, and this is important, you should care because they spent at least two years; I think this project was started sometime around 2019 with the Uniform Law Commission, the ULC, as I'll call them. And I wrote a blog piece about this today. So if anyone wants more information, and sort of more in depth, and a link to the actual adopted UPDPA, feel free to check out my firm's website, where the article is. But basically, this is important because it provides a model bill for states to adopt privacy legislation. And this is something that states have struggled with for many, many years. And as we all know, our federal government has struggled passing any federal data privacy protection. So in the absence of comprehensive federal legislation that deals with data privacy, states, as we know, California, Colorado, Virginia, are all adopting laws on the state level. So that can be great, because that means, you know, from an individual consumer's perspective, they've got more protections; from a business perspective, they've got actual laws to comply with, whereas it was sort of, you know, here's the best practice, but there's no mandate. So as an attorney, it was sometimes hard to guide folks in the right direction. This is essentially going to be something that can be just shown to a state legislature so that they can take this law and adopt it as it's written, and pass it into law that is binding on businesses who do business in that state, or it can be modified according to the needs of that state.
But it sort of takes all the guesswork and all the grunt work out of crafting a piece of legislation from scratch. And I know I'm going on about this, but I've been tracking state legislation, and the first thing is that when we look at laws like California's, Virginia's, even Colorado's to some extent, this is a law that actually does not confer as many rights upon the data subject. Meaning, you know, in the GDPR, we've got really stringent laws with regard to, you know, the data subject has a right to request erasure or deletion, that their information can no longer be part of a given organization's system or data storage collection. This model bill contains no such right. That doesn't mean companies shouldn't or can't do it. It just means that they provide for somewhat different rights. And interestingly, as it relates to the life sciences, it does categorize, I took some notes on that so I don't sort of misspeak here, but it does categorize diagnosis or treatment for a health condition and genetic sequencing information as part of its definition of sensitive data, and sensitive data under this model bill, and it's not law yet, is treated differently than personal data. So it has implications for the life sciences and sort of across industries.
Darshan
Well, it's an interesting thing you raise, and I recognize this is brand new. So it's never been tested; we've not done an analysis on this. But it's funny, you mentioned the word medical data. Is it medical data if it's not being used for medical, for clinical, purposes? And what I mean by that is, if you're doing clinical research, yes, the data obviously comes from a person, and it has clinical implications for sure. But if it's not being used for the purpose of treating, or curing, or mitigating a disease state, because that's not what you do in a clinical research study, is it still considered to be part of that sensitive data? Or does it not get the same protections?
Krishna
Yeah, that's a great question. I think we'll see that as states adopt it and maybe add some caveats to that definition, you know, "for the purpose of," which could be a clarifier.
Darshan
Yeah. The interesting thing, I just saw things going up; by the way, there are a lot of people listening, so feel free to jump in with questions and stuff. I already got a couple of questions that I've been trying to hold off on. But let me put one out there, just so people know that I'm not completely ignoring them. This one's from Lydia, by the way. So I missed a moment, so perhaps you've addressed this: do any new privacy and data laws affect physician mobile networks, where life science product marketing messages are targeted to members?
Krishna
Certainly. In my office, speaking of technological, you know, defects. So, do any privacy laws affect physician mobile networks, where life science marketing messages are targeted to members? Um, you know, I don't know the answer to that off the top of my head. What I will say, again, is if physicians are speaking with their patients over telehealth networks and other such communication platforms, where they are discussing things like protected health information or sensitive data, as it's not defined anywhere, but data that relates to a patient's mental or physical health, you know, you do want to take HIPAA and HITECH into account and utilize really robust security and encryption methodologies that are suited for that type of practice and that type of communication. And generally, understand data minimization principles. So if this does not have to be accessed, or, you know, sort of accessible to other folks in your office, you might want to consider, you know, enacting some walls between the folks who need access and the folks who don't, and that also can help protect that patient data and confidentiality generally.
Darshan
Very, very cool. As you know, I usually aim for these to be 15-20 minutes; we are already at about double that time. So you are a fascinating conversation. So I hope you'll consider coming back again. But as you know, we ask for questions. So the first question: what is a question you'd like to ask the audience, based on what we just discussed?
Krishna
I guess I'd like to ask the audience what their sense is of data privacy. Do they care? Do they care if they Google something on their phone and a day later they're getting targeted advertisements for something? Do they care about the robocalls? You know, what is their sense of whether their data is being sold, how it impacts them, and what they'd want the law to look like? Because that is going to greatly impact, I think, what happens over the next three to four years, both on the state and federal level.
Darshan
So I usually try to answer the question for us, just so you have a feel for it. I'll tell you that from my perspective, I would love to say that I care so much about privacy, and I probably should, that it's usually a huge concern in my mind. But if you told me that I need to tell you where I am, or I need to pay $1 to get access to a newspaper article, chances are I'd say, just know where I am, and I'll move on with my life. Really, I don't think that's a smart decision. I just think it's an easier decision. So it goes to the point of, I've had guests on who've talked about nudging behavior. Have you ever heard that term before? No, I haven't actually. So nudging behavior is basically how Facebook or Amazon keeps you clicking on their website, how Facebook keeps you on their website. So it's making certain decisions easier than other decisions, right? So for me, the idea of going onto my web, so if someone says either give me $1 or allow me to see where you are, the "allow me to see where you are" button is going to be one click and it's over. Or I need to go in, log into PayPal, make sure I see, okay, then see it's only $1, make sure that the dollar is the only thing that went out, come back, and then read the article, and I go, either the article is not that important, or it's just not worth that much. Is that the smartest thing in the world? Probably not. In aggregate, I know it adds up to a lot more than them knowing where I am. Right? But in that second, for that decision, the cognitive overload for the second decision is too much. Is that different from what you take?
Krishna
Sort of, um, and I don't know if it's because I do this work or it's because I also sort of view privacy the way perhaps Europeans view privacy, which is as a fundamental human right. Satya Nadella, the CEO of Microsoft, has said this too. But there's that caveat when you're talking about developing, this is a whole other sphere here, but you know, artificial intelligence and predictive behavior analytics, you know, you don't want to stifle that technological innovation that can be super helpful for people who, for anybody, frankly, but there is that middle ground I'd like to strike. So I never let anyone track my, God, all my apps, I don't go on to unsecured Wi-Fi networks if I can help it. I mean, I really am pretty cognizant of this. And I think, I hope that people are a little bit more mindful about this, insofar as it relates to their own personal data protection.
Darshan
I love this answer as well. By the way, I do care about data privacy. I would like to see monetization in the future; however, we need to build data privacy support for those that don't want to control that data or don't care about monetization. I agree about paying for articles, I will not pay.
Krishna
Thank you. That's helpful. And that's, I think, how a lot of folks feel, the way you endorse and feel, which is that they're not gonna go on, create an account, upload their financial information only, you know, for a website they may never revisit.
Darshan
Exactly right. Right. But I don't think I'm right about this decision, because like you said, in the end, it's not the smartest thing. Which is why I do think that there's a significant amount of value to something like GDPR and CCPA, and data minimization principles. Having said that, I find it really interesting, I need to go back to the UPDPA, I think I got that right. I've written it down. That's the saddest part. But yeah, I think that's going to be really interesting as we continue to see this tussle between rights being given and rights being taken away. You see a lot of that, for example, and I know you know this more than I do, but the implication of privacy as it relates to global surveillance. And Europe, for example, is taking the position that we don't want any surveillance and you will not use artificial intelligence, for example, in the context of global surveillance. On the other hand, China has gone, no, no, that's the entire point. I'm loving this thing. And then you've got Israel saying, I'll sell you my information, because we are a startup nation, and the data we collected for COVID is great for anyone to use, just come here and use it. So it's just different perspectives. I think it's gonna be fascinating as it plays out. But I always wonder if countries that are more cognizant of individuals' data privacy rights will end up being further behind, because the AI simply can't catch up.
Krishna
That's a really good point. Although we're sort of seeing the opposite in the States, in some cases, if you look at the US Privacy Shield, which, of course, based on the European Court of Justice's decision last summer, we are basically, for those of you who don't know, I'm sure all of you listening are really sophisticated and know these things, but for anyone who doesn't, there used to be a data sharing agreement with the US and the European Union as a whole, so that data could be shared across the Atlantic Ocean. It went through many iterations, and basically it ended up in the US Privacy Shield framework that was gutted completely. The EU basically said, in its decision, that the US performs so much surveillance on its own citizens and residents of the States, including European citizens in some cases, who lack recourse if their fundamental right to privacy has been violated, that the EU does not want that sort of automatic protection, or the adequacy decision standard. So they revoked that adequacy decision. And so US companies are having to spend all this extra money to prove to the European Union, pursuant to the GDPR, that they are compliant. They have to implement these really expensive, in some cases, binding corporate rules or BCRs, or implement standard contractual clauses, or just go ahead and draft their own contracts. There's all sorts of ways this can be done, but it takes the extra effort, and it can be expensive and tedious to go through all this extra hoop jumping, just to prove you can get the business and maintain the data, you know, in a reasonably responsible fashion. So it's playing out in both places, is what I'm saying.
Darshan
I agree, though I have a question now, whether the UPDPA is going to help address that in some ways, because one of the big concerns they had was, you don't even have a national process, a national uniform law. And obviously the UPDPA, I'm gonna start calling it that because it's just simpler, does not have the impact of a law, it's more of a recommendation. But it's one of those things that, the UCC has been so successful that if states do tend to adopt it, it's more meaningful than where we are right now. Which, one of the questions I did want to ask and didn't get into was, do you see California and Colorado and Virginia sort of backtracking now, going, wait a second, we've got this, maybe we should go on this path instead of this other path? So what's your take on that? Just out of curiosity.
Krishna
Yeah, you know, I don't know. I'm now a resident of Pennsylvania, but I used to live in Virginia. And so it was actually a shock, and I think it was a shock to a lot of folks, that Virginia was sort of the next frontier in privacy after California. I didn't expect that. Um, but I know that California, and I will say, I have heard that the author and sort of champion of the CCPA and CPRA, Alastair Mactaggart, is, if the goal is to get California, as a force, as a really large state with lots of business, its own adequacy decision from the EU, thereby, oh, we're finding it difficult to comply. So I think that's the goal. I don't know if that's something confirmed, I've not talked to anybody sort of, you know, at that level, but I don't think they're going to roll it back. Because I think that the prevailing law still, globally, the GDPR, is the best level of protection, the most robust law. And what I think a lot of folks don't understand is that it's building on decades of privacy law. So this is not new to Europeans. It's not like they're all of a sudden going, we have nothing, and now we've got the GDPR. It's sort of like, for decades, they've had these protections in place, but they were fragmented, in some cases not as robust as it relates to emerging technologies, for example, and now they've done this. At least, you know, it's sort of like the best thing we've had right now. And the CPRA is a close second. So I don't see them really rolling that back anytime soon. But we'll see.
Darshan
We'll see. Um, based on what we've discussed so far, let me ask you a question. What is something you've learned over the last month that you'd like to share with the audience?
Krishna
Something I've learned over the last month? Well, in sort of preparing for this podcast, I was thinking a lot about PHI, and sort of what I'm talking to life sciences clients about, what's really important. And I learned that in a 2019 report by a company called Carbon Black, they found that personal health data is three times more valuable to hackers than credit card information. And I don't know what your listeners' sense of this is, but when I talk to my clients, a lot of what they're worried about is, you know, hacking of financial data. They don't want credit scores to be affected, they don't want theft of personal identity, they don't want, you know, sort of the things that we think about. I don't think people are thinking as much about their personal health information being a commodity, something like, you know, like we hear all the time, data is the new oil. Three times more valuable than financial information. That's pretty astounding.
Darshan
But that's really interesting to me, especially because I heard something on the flip side, which suggested that genetic information was not as valuable as I thought it was. Interesting. So I have to go back and find the source. But to me, genetic information seems forever. Like, I can't change my genes. But I would imagine that health information, I guess it's constantly updated, so it makes more value, I don't know. Fascinating. Second, third question: what made you happy this last week?
Krishna
What made me happy this last week, um, let's see. My grandmother had a little bit of a scare, but she is out of the hospital, back home, and it was sort of a false alarm. So I'm happy that she's fit and healthy. And it just made my day, because, you know, she's getting older, so I'm happy that she's okay.
Darshan
Congratulations to her and congratulations to you. Um, last question, I'm going to put this up as well. But how can people reach you if they have questions?
Krishna
Sure. So feel free to find me at the link on the screen below, flastergreenberg.com forward slash people dash krishna underscore jani, or you can just Google me, Krishna Jani, Flaster Greenberg.
Darshan
Perfect, perfect. And this was a lot of fun. Thank you so much for coming on. We have one last comment, by the way, from Christine. Um, you're right. I studied PHI as part of my degree, and we talked about how profiles were getting dumped without shredding. And the consensus was that no one would be interested in health information. That seems, I don't know when you studied that, but whoever said that, that's scary, when people think that there's no value there.
Krishna
Yeah, you know what? I mean, that's a really interesting point. Thank you for bringing it up. And Darshan, I know you want to, we want to roll here. But one quick comment, which is that it depends what that private health information is, and what the consequences to the individual are. I'm thinking of really stigmatized, you know, diagnoses, something like a sexually transmitted disease, exactly, HIV/AIDS. There are the implications for where someone lives, if they're in assisted living, if they are in a relationship, a personal relationship, and they've not yet told their partner about this diagnosis. All sorts of implications, I think, not only just for privacy, but about their ability to earn a living and secure housing, which can be impacted if that information gets out and if it's not de-identified or anonymized in some way. So I think it depends a lot, and as a first best practice, always shred documentation. Well,
Darshan
this was a lot of fun. I'm so glad you came on. Thank you for coming on, and we hope to have you back soon.
Krishna
Thank you so much. I'd love to come back.
Krishna
This is the DarshanTalks podcast, the regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter at DarshanTalks or the show's website at DarshanTalks.com.