Tech, Privacy & Law: A Short History?
In today’s episode, I was joined by Fox William’s Technology & Data Privacy Partner, Kolvin Stone. He will be talking us through some of the newest legal & regulatory privacy challenges for businesses; particularly those operating in disruptive industries where tech & privacy are inextricably linked (think FinTech, HealthTech and EdTech). Drawing on his 20+ years’ experience as a specialist lawyer, Kolvin provides us with a whistle-stop tour of the tech & privacy evolution and provides some insights to privacy law issues within the complex world of Adtech.
Episode highlights include:
Kolvin Stone: [00:00:00] And there was a lack of understanding in terms of how the tech industry work because it is incredibly complex to work out, particularly when you’re talking about real time bidding, which is really the focus for the ICO and the CMA. That is a complex ecosystem made up of multiple different players that are sharing data in real time on a multi jurisdictional basis.
Anthony Brown: [00:00:21] This is the padcast. Your privacy and data podcast with me, Anthony Brown, interviewing leaders from across the industry to provide you with news, views, insight and opinion. Hello there. I’m Anthony Brown, and another very warm welcome to another episode of the padcast. Today I’m joined by Kolvin Stone. Kolvin is a partner and head of technology and privacy at the leading law firm Fox Williams, where he advises on strategic transactions and regulatory matters involving data and technology for many domestic and international, private and public companies ranked highly in the legal five hundred. Kolvin has significant experience advising on internationalization of technology and internet enabled services, including e-commerce, social media, big data, digital marketing, and also has a really significant amount of experience in the complex world of ad tech. So as a senior lawyer operating across all of these very exciting areas, I thought it would be great to get Kolvin on the show and ask him to help us understand a little bit more about the space where technology and privacy intersect, which as we all know is an increasingly diverse and complex ecosystem which seemingly has a never ending flow of new laws and regulations. So a very warm welcome Kolvin. Welcome to the padcast. How are you today?
Kolvin Stone: [00:01:47] Well, thank you, Anthony, and thanks for inviting me.
Anthony Brown: [00:01:49] Well, it’s an absolute pleasure. It’s absolute pleasure. As I said, very keen to get your take on this intersection that I know you specialise heavily in. You work with a lot of startups and businesses within the health, tech and tech edtech sort of businesses. So it’s a really exciting space. I know you focused in these areas for for a number of years now, so I think it’s only appropriate to probably firstly ask you, how did you originally get into tech and where did it all begin for you?
Kolvin Stone: [00:02:18] I’d like to say that I was coding in my bedroom as a as a teenager growing up, but it wasn’t like that at all. It was. It was happenstance, really. It was when I started my training contract at Fox Williams in 1999, and at the time, I don’t know if you remember it, but it was the dotcom boom. Yeah, absolutely. It was a crazy time. It was a crazy time in tech. There were lots of companies that were raising huge amounts of money at the time, actually. When you think about it now to launch a business, you basically just need coffee shop, a laptop and internet connection and an AWS account and off you go. But back then, people actually needed a lot of money to start a business. They needed servers a building and all sorts and so while I was sort of doing my training contract, I started to come across all of these new kind of businesses that had essentially raised quite a significant amount of money on the back of an idea. But actually, what’s interesting about those ideas is that they’re all businesses that are now successful but back then they really kind of didn’t get anywhere because the infrastructure wasn’t there so that if you remember the internet experience, but trying to dial up to the internet would take about 20 minutes and that if you had a computer at home, it was really painful. And then and then you suddenly got a connection and it crashed. So a lot of people, they didn’t necessarily have a computer at home as well. They would tend to use one at work. There was no smart devices, no broadband. So yeah, the infrastructure was just terrible. And also culturally, people weren’t used to, you know we were acting for companies that were looking to sell clothes and goods online, and it sounded brilliant, right? You don’t need to go to the shops anymore, but people culturally weren’t ready to buy their clothes online, and they weren’t comfortable putting their payment details in. So, you know, the infrastructure wasn’t there. People weren’t there culturally. But a lot of these ideas that we saw in 99, 2000 were really good ideas and ultimately proved to be correct, but we weren’t ready for them. I got seduced by acting for those types of companies that were essentially looking to change the world or disrupt the market. And I found that the the sort of legal work was was really novel because at the time there was a raft of legislation coming in from principally the EU, as they were looking to regulate what they called the Wild Wild West. And so a lot of those regulations still apply now things like e-commerce regulations, we still have privacy regulations at that time. And so it was interesting trying to get to grips with these new regulations and ultimately help companies navigate that to launch the business and your business models, their products, their services, but also then looking at the existing laws and how they work with these sort of highly innovative, challenging kind of business models and that’s particularly the case with privacy because we struggled for years trying to make the sort of Data Protection Directive work in the new sort of digital and technological era mean, and that was obviously one of the principal drivers for the GDPR. And so trying to often try to work out how the regulation fits with these new business models was what I found really interesting back in 99, 2000, 2001. And ultimately, it’s what I stood, what I still do today. So it kind of really started there, I mean, after the dot com bubble crash. In I think it was around about 2001, 2002, I was I certainly had a lot of clients that I didn’t have any. But then things slowly, slowly, slowly recovered. And actually for a while, I did some litigation, some more sort of general commercial work. But what was kind of interesting is things started to pick up again around 2002 2003, and then people remember this. But there was this concept of Web 2.0, and that was all the generation of social media and Google and Amazon. And ever since then, it’s been an amazing ride, and data aspects of that have just got bigger and bigger and bigger and bigger and bigger and bigger. So yeah, that’s where that’s kind of where it all started. It’s kind of interesting when I think about it now, 20 years ago, I’m still pretty much doing the same thing. I was doing that I was, I’m doing now,
Anthony Brown: [00:06:24] Boy, haven’t things changed? And it’s funny that you didn’t mention Y2K, either the Y2K bug. I mean, you know, that was ….
Kolvin Stone: [00:06:33] I remember that … Yeah, yeah, that was right. That was what a damp squib that was. I mean, I think I started my legal career in September nineteen, ninety nine. And yeah, that was generating quite a lot of work and excitement at the time. And then suddenly nothing.
Anthony Brown: [00:06:48] Yeah, I know this. This session is, you know, about you and I’m interviewing you, but just some background to me, actually. You know, I started in my space as a headhunter in 2001, but my very sort of earliest job really was I was kind of working part time, also studying an IT service services business. And that was all around that sort of period. We’re talking ’99 2000, and you know, they were focused very much on selling local area networks and it was all, you know, you’d go they’d go in and see a small company and they’d have 30 users. And then suddenly there was the Y2K piece. And blimey, I mean, a lot of people made a lot of money out of that, didn’t they?
Kolvin Stone: [00:07:35] Yeah, yeah, really? Well, yeah, yeah. The way that people expressed it was the world was going to end, right? Yeah. Yeah, it’s kind of it’s crazy.
Anthony Brown: [00:07:43] It’s crazy. In fact, I remember in the lead up to GDPR, and obviously it’s not a comparison as we fully know, but I know that there was a lot of people saying, Oh, this is just going to be, you know, it’s another Y2K is a lot of smoke and mirrors, you know, a lot of people are going to make lots of money. It’s not going to be that significant. And I mean, I mean, ridiculous, right? It’s only demonstrated over the last few years how integral fundamental data privacy the new laws are to us, you know, society and businesses, you know, across the UK, EU and the world. So I guess it’s been incredibly busy time for you.
Kolvin Stone: [00:08:20] Yeah, I mean, that was crazy. I think everyone back in twenty eighteen was so busy, and I do remember people saying that that GDPR is a bit like Y2K, and I’m like, Well, I never thought that was going to be the case. I think there was an element of you know once we got past that, everyone was so focused on that deadline that once we got past that deadline, I think people were so exhausted that they did. And I think they kind of realized that actually the world didn’t really change after May twenty five and that life was carrying on as normal. So I think people did take a bit of a pause and think, OK, but the last 18 months we’ve seen it again, an increasing focus on privacy and people are now starting to update their GDPR compliance programs because at the time they were just trying to put in a base level. We’ve seen, you know, a lot of increased scrutiny on certain industries more proactively on behalf of regulators, and that’s just only going to get only going to continue. Also driven by a more litigious culture now around privacy, which we didn’t have, you know, a few years ago, and that that is starting to change the change the agenda and change people’s focus on privacy as well. Hmm. Going back to the time when I first started advising on privacy, it was kind of really interesting because all of those technology businesses, you know, they were collecting data, but nowhere near the sort of level of data they collect now. And I remember having conversations with clients around their privacy compliance. And, you know, they would often say to me, Well, am I going to get into trouble? I was like, Well, probably unlikely. If I get into trouble, what does that? What does that look like? I was like, Well, you’ll get probably the worst thing that will happen will that the regulator will send you an enforcement. Ok, well, what happens if I don’t comply with that? They could take you to court, OK, and what happens if I get prosecuted? Well, the worst that can happen is a maximum fine of £5000. So the hold on that you’re you’re telling me that, you know, the initial response I’ll get is being told off and I’ll get an enforcement notice. And then if I don’t comply with that, then I might be prosecuted in court. And in the worst case scenario, I’ll get a £5000 fine. But yeah, well, why am I? Why am I talking to you that if that’s not going to happen and if that’s the worst case scenario It’s more expensive to pay you to help me, so those were the those were the conversations I had like 20 years ago and even 15 years ago. And now you don’t have to have those conversations, people saying to you, I’m concerned about this. I’m worried about this. Can you can you help me or you’re acting for a customer or a sort of in the B2B space? Its their customers that are saying, what are your privacy and security practices? If you’re if you’re hosting our data, we need to know it’s secure. So that has just completely changed. No one needs to convince anyone that privacy compliance is important.
Anthony Brown: [00:11:04] And if if the fines aren’t significant enough, then look at the reputational damage and the, you know, the damage to your brand. So. And that’s where we’re at now, isn’t it? This is why it’s such an exciting time in the privacy world. Every week, every day, it seems at the moment there’s a new headline grabbing story within privacy. I mean, not least, obviously at the moment. Facebook, just every day there’s a story about them. The Facebook and Apple piece Facebook versus the Australian government looks like Facebook as you’ve blinked with that and are going to stand down, which is can only surely be good news for everyone. I know it’s very complex. It’s not cut and dry these scenarios. And and also actually interestingly, I know we’ve chatted about this quite recently, the clubhouse. That’s quite a topical news story at the moment as well. And having done a bit of further reading myself on Clubhouse. And for those that don’t know, it’s an app that’s really in the headlines at the moment, it’s an audio only social networking app that works by basically being invited by individuals, and it’s got all of the components that Silicon Valley startup would want. It’s have got celebrities involved. It’s got Elon Musk talking about it and getting involved, and it’s just been valued at a billion US dollars not actually making any money at the moment. But of course, there’s massive privacy issues around it. Having read this as well, I mean, it started. It’s been born in Silicon Valley, but yet the the actual technology piece has been developed in China. It sits on servers in China. It just you just think, where’s the data, what’s going on? You know, it’s just it’s it’s crazy. It’s crazy.
Kolvin Stone: [00:12:39] Yeah, yeah, yeah. The social networks have always had, you know there always been privacy issues around around social networks because I think the way that they have often grown is using sort of viral marketing techniques, which are not necessarily kind of consistent with how we see privacy, particularly around issues of transparency, user control and consent, and also this issue that they are quite often international at a very kind of early stage, not like somewhere like fintech, where often those businesses grow in a particular jurisdiction and then expand very carefully and thoughtfully into another jurisdiction because of the regulatory kind of hurdles, social networks have the ability to grow really, really, really quickly. And at the heart of that is concepts of kind of viral marketing and creating this sort of viral loop that they all use to grow to grow their user numbers. And I think Clubhouse is an example of that because one of the sort of privacy issues around Clubhouse is how people’s contact data is shared. And there’s been a lot of criticism on Clubhouse. And the fact that it’s not its practices are not consistent with what we would call privacy, privacy, good practice or even really privacy at privacy law.
Anthony Brown: [00:13:54] So Kolvin, you get from your experience, and I know, as we mentioned earlier, you’re working and have been working now for several years with some super excited businesses within fintech and adtech, health tech, those sort of businesses. What do you see as a key differentiator for you personally when you were advising those sort of smaller sort of startup businesses versus the larger, more traditional corporates?
Kolvin Stone: [00:14:21] Yeah, I think with the sort of fast growing companies, I think you need to be much more of an enabler actually. You need to be you effectively need to be their general counsel so that the general counsel does is gets much more involved in understanding the business, understanding the risk and then helping the company launch their products and services in a compliant fashion as possible. Bearing in mind some of the kind of risks, risks and the priorities. So I think you’re much, you’re much closer dialogue with you know the business and the kind of engineering teams as opposed to when you’re advising a large corporate. Actually, often you’re dealing with the in-house lawyer and they’re the ones having those conversations. And so therefore, it’s much more of a kind of, I would say, giving more kind of legal advice that the in-house lawyer will then take and do that role that I just I just talked about. So I think when you’re advising a fast growth company, it’s quite important to what you’re doing is almost educating the business as well as giving them kind of legal advice because they don’t necessarily understand what the legal and even what the commercial risks are because they’re just very focused on you know Changing the world or disrupting a market or launching what they considered to be this really cool new product and don’t necessarily have a consideration for what happens if people perceive it in this way or what happens if you haven’t necessarily maybe got consent in the wrong way and the right way and you’re criticized on some sort of internet forum, they just think that this is really cool and everyone’s going to like it. And I think you’re often that kind of sounding board for saying, Well, have you thought about this, this and this? And I think that that really requires you to get really embedded into the business, really understand the product and the service. And you don’t do that so much with with a large corporate. Actually, it’s much more around giving more pure and traditional legal advice to the in-house lawyers who then kind of play that role. So it’s really being the in-house GC, I think so.
Anthony Brown: [00:16:30] It must be it must be incredibly rewarding and exciting, obviously, to be at that very early stage. And I guess then that comes in with the sort of privacy by design piece as well. I heard somebody talking the other day and they said that, you know, ultimately, if you launch a product and you haven’t factored in privacy by design, then it’s too late, particularly with these high tech businesses that are apps and the like. If it’s already been launched, you know it’s too late, you know, people have got to build it in now, early doors with these products. So I guess that’s where you come in your early stage. You can steer you can advise you’re offering commercial advice as well as the legal advice. It’s it’s the whole 360 piece, really ultimately, isn’t it?
Kolvin Stone: [00:17:09] Yeah. You know, it really is. I mean, it did used to be the case that people would kind of, you know, build a product launcher. And if they got into trouble, they were sort of asked forgiveness. But in the meantime, they may have gained X number of users or I think that approach is changing even for the really early stages, because if you do certain things in the wrong way, it can be sort of catastrophic for the business reputation, but also in terms of kind of regulatory fines that, you know, we spoke earlier about Facebook and Cambridge Analytica. That was a product and a feature that was was actually very old and it only came back to bite them much, much later. So people have to be aware of those kind of risks at the time they launch products and services. And it is about it really is about kind of understanding that people just don’t when they’re in there with their internal development team, they just don’t really think about that. Some of these issues, they just think, Well, this is really cool and the users are going to love this because I love this. But then you realize that they’re scraping maybe huge amounts of data at the moment, there’s a focus on. We talked about Clubhouse from a developer perspective. They think, Well, this is a really cool feature. Why? Why wouldn’t someone’s friends want to know about it? And so they create these referral schemes, but they’re antithetical to how we think of things from privacy perspective, because what you’re doing is you’re collecting large amounts of data about individuals and they have no idea you’re doing that. Those are the conversations that you have with developers because they don’t see often they don’t see anything wrong with things like referral schemes.
Anthony Brown: [00:18:43] Yeah, it’s on that note. I mean, is there any specific issues or you’re you’re increasingly advising on for technology companies or of the ilk that we’ve been talking about? You know, is this something that keeps cropping up or something that you need to regularly give advice on? Or maybe the first port of call that you say, Look, we need to look at this.
Kolvin Stone: [00:19:02] More often than not. It’s a sort of user onboarding process. So working through with clients how they on board users, a big focus at the moment is on profiling and automated decision making. So we’re think a fair amount of work with sort of fintechs that are using AI more and more and more. So it’s working through how that works from a user, from a user experience and making sure that you are telling users what you need to tell them at any particular time that you mentioned privacy by design and privacy by default. How you build that into into products and services at various points in that user experience. Often you’re sharing data with third party service providers, so it can be credit reference agencies. It can be people in the open banking space. So there’s a lot of kind of real time sharing with sharing of information and working how you do, working out, how you do that kind of in a transparent and lawful manner and ultimately giving the individual control. So that, I think, is something that we do all of the time. So just working through that kind of user experience and how you make it compliant. Bearing in mind the kind of use of AI data sharing that now goes on with various different partners in real time, looking at consents for sort of marketing and advertising because that continues to be a challenge and certainly from a consumer perspective, the sort of marketing and advertising piece is really important to the growth strategy of the business, but also how they kind of generate revenue.
Anthony Brown: [00:20:31] I know. As well, and obviously, we mentioned it during this conversation, but ad tech, obviously it’s such a complex area as we know and I know you’ve done a lot of work in this space. There’s not a huge amount of specialist lawyers actually who have got the level of understanding that I know that you have so obviously adtech is in the spotlight at the moment Obviously, as we mentioned before, again, you know, the war of words between Facebook and Apple, regulatory investigations being carried out by the ICO and CMA. How do you see this situation playing out and will there be an impact on the ad tech industry?
Kolvin Stone: [00:21:04] Absolutely. I think we’ve now been seeing that for the last few years. I think the real kind of the real sort of death know for certain types of ad tech practices was really kind of GDPR. So people could see this sort of writing on the wall with GDPR. I mean, in some ways, the law hasn’t really changed. I mean, there was always a requirement to get consent and be transparent. I think what has changed is the consent standard has been raised and I guess there is a greater expectation around transparency. But these were challenges for the tech industry have been for years. But I think it was the there was a lack of kind of regulatory enforcement and there was a lack of understanding in terms of how the adtech industry worked because it is incredibly complex to work out, particularly when you’re talking about real time bidding, which is really the focus for the ICO and the CMA. That is a complex ecosystem made up of multiple different players that are sharing data in real time on a multi jurisdictional basis. And often people are wearing different hats but playing different functions. So it’s even more difficult to work out kind of what’s going on. But I think really things started to change with the GDPR, and people could see that some of those business models were unlawful and broken and they couldn’t continue and then at the same time, this sort of war of words between Apple and Google previously and now kind of Facebook has been going on for for a while because from Apple’s perspective, now they don’t generate money on the basis of ad revenue, but their competitors do. And so it’s not only good from a privacy perspective to be seen to be pushing a privacy agenda. It’s also good from a business perspective because if they are implementing tools which make it more difficult to carry out certain ad tech practices, that’s obviously going to impact on some of their competitors. So whilst on one level they can be seen to be a good citizen from a sort of privacy perspective. It’s also quite helpful, I think, from from a business perspective that they are pitched themselves as very kind of pro privacy because they just don’t generate revenue on the basis of advertising. So what does that mean? I think that there are certain ad tech business models that will just ultimately die. Some have died already, people have pivoted. And what we’re seeing is a much more privacy friendly approach to to ad tech. So a lot of the businesses that are focused on that adtech now that have launched in the last year or so have privacy at their core and I think actually it’s kind of interesting by the time that I think the ICO probably completes its investigation of of ad tech, I think the industry would have would have already moved on because as I said, you know, a lot of people have seen the kind of writing on the wall. I think we will see less of the sort of cross-platform cross-device tracking. I think Google have come out and said that they are going to not use third party cookies anymore. So that really kind of kills that cross-platform cross-device tracking, which has been the bedrock of a lot of ad tech for for for a number of years. Yes. So I think over the next 12 to 18 months, we’re going to see even more change and the industry really, really move away from from practices that evolve involve sort of cross-platform across device tracking. This is what technology is all about because as people realize they can’t do things in a certain way, they create new business models, new technology, new practices to operate in a different environment. And that’s exactly what’s happening. So we’re seeing, as I said, a much more pro privacy ad tech business models and technologies.
Anthony Brown: [00:24:30] Yeah, yeah. I mean, I’m sure in the future we’ll look back on this period. I mean, it’s hard to pinpoint important years in the last few years, obviously, when you’re looking at privacy. But I think these times with the Giants, you know, the big four as they call the Amazon, Apple, Facebook, Google all start facing off in different ways and maneuvering themselves to be the good guy versus the bad guy or whatever. I think this can only be good ultimately for you and I and the normal people on the street ultimately and and raising awareness, and it’ll be really interesting to look back, I think in a couple of years at this little period of time and how it all sort of develops. Just kind of running out of time here. I know you’re super busy, Kolvin, but I just wanted to ask you very quickly. Regular listeners will know I do like to get some insight from a sort of H.R. or staffing perspective from from my guests. So just thinking about privacy pros here, whether legally qualified or not, perhaps junior mid-level. Are there any sort of career development activities that you would recommend? Perhaps you’ve done them yourself or you think would work particularly well for those sorts of individuals?
Kolvin Stone: [00:25:37] Yeah. So I think any sort of what industry you’re focused on. I think what we’ve seen now in tech is the sort of sub sectors that’s developed. So, you know, 10 years ago, we just talked about tech, but now you mentioned a few recently. Now we talk about ad tech and we talk about fintech and we talk about ed tech. And there’s even a thing called more tech. And around those subsectors, there are ecosystems. And I think if you are interested in ad tech, for example, I would say as a privacy professional, it is good to identify network business education events, conferences that are focused on those little kind of ecosystems and kind of immerse yourself in them because that’s when you’ll start to understand the particular issues facing those type of companies, and you’ll see if you go to any events involving ad tech, health tech and tech. The data and privacy come up time and time again. And so I think understanding how people in that industry think the challenges they face, what they’re trying to do from a sort of product and service perspective can only help you in your role as a privacy professional. You know, one of the great challenges, I think, is communicating and talking to your stakeholders and also understanding the products and the services and the industry. And I think you can do that by being active in a particular network or a kind of ecosystem. I think so. They are really good to do from a sort of professional networking perspective, but it’s also good to do from a sort of business education and privacy education perspective because you’re starting to really understand some of the issues that face that industry. So I think that’s a really good thing to do from a career development perspective, and the IAPP is great as well. They have lots of good resources. I mean, we’re really challenged at the moment to keep up to date with all the news and the regulatory developments. And I think being an active member of the IAPP is a good way of doing that. And some of the courses they run, I think, are also really, really worthwhile.
Anthony Brown: [00:27:40] Yeah. Well, it’s excellent advice and I think there’s no doubt, you know, there’s so many resources available now to to all of us. You know, it’s investment of time and really throwing yourself into it, doing the reading, doing the learning and the accessibility of other people within those ecosystems. Now, as we know, it’s been fast forwarded even more quickly through the pandemic. You know, you’ve linked in and various other groups that you can join and communicate and meet people over Zoom and all that sort of stuff. So I think I concur with everything you said. And I think to any sort of fledgling privacy pros there, listen to what Kolvin said. Get out there, make yourself known and and keep learning. And Kolvin, thank you so much. It’s been really fascinating. Great to have you on the show, and I hope people will have some takeaways, particularly as we said, where this complex ecosystem, where tech meets privacy. So thank you so much. We will be back very soon with another episode of the padcast. But thank you, Kolvin, and we will catch up very soon. Bye for now.
Kolvin Stone: [00:28:40] Thanks, Anthony.