Today, Anthony was joined by Robert Bond for a fascinating episode of his “Privacy in The New World” series. Robert is a Senior Counsel in Bristow’s LLP award-winning Data Protection & Privacy team, and was one of the UK’s first Data Protection lawyers.
This episode’s highlight’s include:
Anthony Brown: [00:00:00] Ok. Hello there, and welcome to another episode of my Privacy and Data Talks podcast. I’m Anthony Brown, as hopefully you’ll know by now. Today, I’m really thrilled actually, to be joined by somebody who is incredibly well known and regarded within privacy and data circles. Some may say, although I’m sure he won’t say it himself, somewhat of a legend amongst the community. So Robert Bond, I’m really thrilled, as I said, to have you on on the show today, Robert. For anyone that doesn’t know is, well, one of the originals, actually one of the original sort of data protection and privacy lawyers in the UK, his career straddles an outstanding four decades and Robert is now currently senior counsel in the Tier one and superb team privacy and data team at Bristows. So good morning, Robert. How are you?
Robert Bond: [00:01:11] I’m good and yes, thank you very much for having me on the on the show, so to speak.
Anthony Brown: [00:01:16] Well, yeah. Well, it’s an absolute pleasure. I’ve known you a few years and as I just said, I’m sure, I’m sure you’re known to many, many people and you’ve you’ve been involved in some hugely significant work over a long period of time. I know, Robert, that your sort of career really started in the late 70s when you trained and qualified as a lawyer. You’ve then gone on to become one of the most respected data protection and privacy lawyers in the UK, if not further afield in Europe and around the world. And all this long before privacy and data protection became the sexy sort of place or area to focus on, particularly in law. So I just hope, Robert, could you just open up by telling us a bit about your journey and your career as you know and what’s led you to where you are today, please?
Robert Bond: [00:02:15] Yes, sure, Anthony. So you just said I qualified as a lawyer in the late seventies and actually my first job was with a law firm in Burton on Trent, and I had the pleasure of doing lots of work for in coop and Allied Breweries, and I was a general commercial and corporate lawyer. But about three months into my first apartment or flat that I owned in Burton, I got to know my next door neighbor because the guy used to keep me awake at night with these strange sounds coming through the flat wall. And one morning I said to Malcolm, What on earth do you do Malcolm at 3:00 in the morning? And he said, Well, you better come in and have a look. I’m I’m doing a video game and they’re on the floor was a motherboard. And he said, I’m doing a variation on Space Invaders. And so he was eighteen. I was twenty four. Within six months, he got his first publishing deal and I remember putting together a publishing agreement for a computer game where I couldn’t find a precedent. And so it was a question of putting together a music publishing agreement and a book publishing agreement, and within a year, Malcolm had started to make his first million. Wow. He became my first real client, and then from him, he introduced me to the people that ultimately did Tomb Raider.
Robert Bond: [00:04:08] And then from there I did work for Electronic Arts. Need for speed and various things. And so back in the early eighties, I was one of the first lawyers doing computer games. Wow. And it just so happened in 1983, when I was the honorary solicitor to the local Chamber of Commerce that in order to advise them, I was always looking at new law coming through. And one of the bits of law was the 1983 Data Protection Bill, which became the 84 Act. And I remember looking at this and thinking, actually, this could be an interesting area of the law, not realising that it would completely take over my life. You know, many years later, and so I did start doing work in the mid-eighties on data protection. Nobody was really doing a great deal, to be honest, and if you remember back in the eighties, we didn’t have the World Wide Web and we didn’t have the internet, we had only just about got fax machines and so on, and data was still moving about in big, chunky boxes. You know, we just didn’t have what we have now. So there wasn’t a huge amount to do. And then in about when was it in the late eighties, I think I got instructed to act for the Data Protection Commissioner before it was the Information Commission by Rosemarie Jay, who is another of the originals, and she was the in-house lawyer at what we now have is the ICO, and she wanted me to advise on some definitions as to when you know, a controller was a controller, etc etc, So that was quite nice to advise the regulator. And then I ended up doing a lot of work in technology and early public key infrastructure and digital signature technology in the late nineties. 1998, I did my first global data transfer agreement for Electronic Arts and then went on to do lots and lots of work for American multinationals. When my firm in London was taken over by US firm and I was fortunate enough to be very involved with the International Chamber of Commerce. So we actually, in the working group on e-commerce, we drafted the precursor to the standard contractual clauses. Way back in the day and the first standard contractual clauses was heavily borrowed. What we’d created. Then I chaired work on the ICC Guide on Binding Corporate Rules when they were just an idea. So I was very fortunate to be sort of, yeah, at the cutting edge. The great thing is when, when it’s not standard, you can easily become an expert because there’s nobody else to argue with you.
Anthony Brown: [00:07:36] Blimey Robert. Ok, so someone some would call you a trailblazer, wouldn’t they? I think. I mean, that’s fascinating to hear. I mean, the amount of stories I suspect you could tell. One thing I’d like to know actually, what? What happened with Malcolm, what became of Malcolm is he is he still with us?
Robert Bond: [00:07:57] Oh yeah, Malcolm, Malcolm. He went on the company was called Zenito Microsec.. And if you Google, then it’s micro sec. Or if you go and look at my LinkedIn page, I did a whole thing about how we got started in that area. And, you know, some of the interesting stories. Oh, I can remember at one time there was my client Domark had published a game called Splitting Images, and they got a cartoonist to do, you know, images of Margaret Thatcher and, you know, Neil Kinnock and all sorts of political people at the time. And then, of course, they immediately got litigation from spitting image. We had this crazy phone call because the two guys that founded Domark at the time both had pink Porsche cars, and they were they were driving around London. Speaking into those great big bricks, do you remember.
Anthony Brown: [00:09:01] Loads of money. All that stuff was that, yeah,
Robert Bond: [00:09:06] Ok, we’re going to have to change the name. What are we going to call it? Let’s call it splattered cabbages. And then somebody else says, No, no, we’ll call it the game they tried to ban. And then then I said, it’s all about trying to beat the computer as an image appears to work out who the image is. Why not call it split personalities? And that’s actually what it became. And they got it back on the shelf. So I have still got in my bottom drawer the original game they tried to ban. But just to finish off so Malcolm did a whole load of games at Zenito micro sec. And then once he’d made a lot of money, he spent more time on the farm and being a non-executive director. So he’s still around about some we keep in touch.
Anthony Brown: [00:10:03] That’s amazing. That’s an incredible story. I mean, it’s like a sliding doors moment, isn’t it? You know, sort of of all the chances that you took on that flat and then, you know, or the property and then he Malcolm’s next door. I mean, talk about sort of, you know, helping each other there and it set you on a certain path, didn’t it? And Malcolm? Well, it led to him making lots of money and being on his farm. So everyone’s a winner there.
Robert Bond: [00:10:29] Yeah, of course. The other thing that was great fun was that Domark did some of the original James Bond computer games, so we did live and let die and a view to a kill and living daylights. And they always used to launch the game at a premiere at the studios. And so I always used to be invited there, and it was great fun because you’d get to the security gates and the guy would go name and you’d go Bond.
Anthony Brown: [00:11:03] Anyway, I like it. I like it. So I mean, obviously, I mean, the journey, you know, there’s so much to talk about, but the journey, the privacy and data protection journey and therefore the businesses perhaps that you’ve worked with over the years, it’s been enormous. I mean, it’s off the scale, isn’t it? You know, the scale of the tech boom and and where we find ourselves now, of course. But what’s your sense then in the evolution of how businesses have evolved with their use of data and how ethical? Perhaps you sense that they are these days or or how the ethical part of what they do is how far up the list is it, do you think?
Robert Bond: [00:11:47] But it’s it’s going up when you when you look at what’s happened, you know, as technology inevitably has kept a pace of the law. We moved from very sort of one dimensional, two dimensional movement of data to this system where data goes everywhere. Yeah. It doesn’t go from A to B. It is going everywhere, and gradually the business has learned the value of data and and to be fair, so has government. There are so many different things being done by government for very good reasons with people’s data and of course, the coronavirus pandemic and track and trace and that sort of thing is a good example. But. I think as the media has focused on when things go wrong and as the ICO has done more investigations into the untransparent way in which data is being manipulated, so eventually good businesses have realized that by being transparent, by embedding ethics as much as privacy into design, that’s how you differentiate. You differentiate yourself from the opposition. Mm-hmm. And so we are seeing, you know, big organizations and small organizations genuinely saying, we want to tell you how much we do love your data and genuinely why you should prefer us to others. Yeah. There are still lots and lots of organizations that have buried their heads in the sand on the basis that we’ll never, it’ll never go wrong for us etc. And of course, inevitably it will. The conundrum that we all have is that you’ve got government wants everything, business uses everything and the consumer gives away everything. And the tough thing is that even when you’re trying to be compliant and you have a really nice privacy notice and so on, your problem is, is that of the people that could read the notice, the vast majority don’t.
Anthony Brown: [00:14:32] And they may not understand it if they do read it.
Robert Bond: [00:14:35] And of those that do, the majority wouldn’t understand it. And we’ll probably at some point have to have a equivalent of the highway code for the digital highway. You know, we all know where to cross the road and what it means when the red light is on and the green light isn’t and so on and so forth. We don’t need, you know, two pages of information to make that clear. But we don’t have the same for how we travel digitally.
Anthony Brown: [00:15:11] Yeah. On that note, Robert, I mean, obviously, as we’ve seen this year, everything’s fast forward. It’s hugely, you know, the population, the world’s digitalized, you know, across the board. And it’s quite interesting, isn’t it? You know, there’s been some high profile breaches, of course, and there will continue to to be. So do you think as a society or, you know, the general public, do you think people are becoming more aware in general of of, you know, the, you know, the risk factors with their data?
Robert Bond: [00:15:47] Yes, I think they are. I think it has changed. 2008 at the firm I was then with, we set up a not for profit to go into schools to teach kids about privacy and we called it the I in online, I as in me, I as in eyes and information, and back in 2008 to 2010 when we were doing surveys with teenagers. And eventually we got from 16 year olds down to eight year olds. The vast majority weren’t really aware. Now, with the work that I’m involved in with the safer internet centre, we’re seeing much greater awareness by teenagers about how to what the risks are and so on. It’s still actually the parents that are neither privacy savvy nor technology savvy, and that’s still where the risk is. But every time the media focus is on an incident, individuals start, I think, to be aware more. But it is a big risk time for us as we are all working remotely and we are more reliant on digital than we ever were. We know that this is an ideal opportunity for the bad actors to prey on those that are still blissfully unaware of the risks. Yeah, it’s still a challenge.
Anthony Brown: [00:17:30] And I guess it’s like anything, you know, over the course of time that evolves, there’s always an unfortunate few who are the ones who are most at risk when things haven’t been dealt with in the way that I’m sure in the future we’ll look back and go, Blimey, those poor people who lost all their data or they’d been groomed, you know etc etc, they’re the ones in the, you know, right in the firing line at the moment. And it’ll be smart people like you, Robert, over the course of time that will hopefully get us all in shape. And but I think without question, as you said, you know, I think the the light needs to be shone on it more frequently and I think it is being being done. So I think a lot of it, you know, I’ve got two young kids. A lot of it ultimately comes down to the parents. But I like your idea of, you know, the highway code analogy. I mean, absolutely, I can see that I hadn’t necessarily thought about that myself, but I think that would be so valuable to people. Just a really tangible, straightforward way of understanding stuff and communicating, you know, with people about the risks. So, yeah, I’ll be looking out for that. In the future, it’s going to have a Mr. Robert Bond stamp all over it. So over the course of the last few weeks as well, I mean as if we haven’t got enough going on in the world. Privacy pros will be well aware that it’s been just a crazy time, with new regulations coming through new rulings. You know, not least this trend to the EDPB guidance and safeguards for transfers and obviously the new standard contractual clauses. So it’s a minefield, isn’t it? You know, particularly, I guess. Well, yeah, it’s a big business. I mean, well, any businesses, what do you see, Robert, out of the recent events as being the key areas that businesses should be reviewing or considering with the new changes?
Robert Bond: [00:19:23] So I still think that we generally don’t understand our data estate. You know, we had a lot around GDPR time of we need to do data mapping. You need to do data classification. And here we are some years later, and I still think we don’t understand the provenance of that personal data that we’ve got. And. Each time, I think to revisit that, what I found as I funnily enough as consumers become more aware of their rights, we are seeing much more aggressive use of individual rights requests, whether it’s subject access or whether it’s erasure or whether it’s data portability etc and we don’t always understand what was the lawful ground or as one of my clients calls it, the awful ground on which we relied when we when we collected the data and our CRM systems aren’t designed to say on what basis you collected that piece of data about that individual as opposed to that piece of data about that individual. And we actually need to know that because when you get an aggressive individual saying I want my data ported from you to your competitor, portability only applies when the data was given either with consent or as contractual necessities, so not where the data was acquired because of legal requirements or vital interests or legitimate interests. But if you don’t know the lawful ground, you don’t know whether you have a right to not hand it over or whether you have to hand it over. So I think that revisiting what we’ve got and why we’ve got it and also how long we are keeping it, because there’s still many businesses whose data retention policy is one single line. We keep data no longer than is necessary, period, and that doesn’t wash.
Robert Bond: [00:21:51] And we as we have incidents and we lose control of data and then we have to tell data subjects, by the way, we lost your data. The next thing is they’re going to go. But we didn’t even know you had our data in the first place. How come you got our data? Why did you think you could have it and why have you still got it? Yeah, and you don’t have an answer if you’ve not got a good retention policy and you don’t have a good handle on the data estate. I’ve also found, actually, while we’re all focusing on the Schrems issues and so on, we’re forgetting that we have to keep looking back at our Article 30 record of processing activities because that’s where we should be mapping all of this stuff as well. So that’s another one to keep under review. We’ve seen more use of data protection impact assessments, although I gather that the government didn’t do one when it started the COVID controls. But the other thing where we’ve now got post Schrems is we’ve now got to start doing international transfer adequacy assessments. So there’s yet another assessment we’ve got to start doing. And yes, there’s been, you know, guidance from the EDPB, but it’s not very helpful and it’s not very realistic. And it’s. Most multinationals are struggling to envisage just not transferring data, you know, from the EU to a particular country because it might have a regime that has rights to intercept for national security etc. It’s a very difficult time where business has got to be seen to be doing the right thing without knowing entirely what the right thing is. Yeah, tough time.
Anthony Brown: [00:24:10] Yeah. And then and this is all with the backdrop of Brexit, of course, in the UK. So where do we start with that? Robert? Data protection and Brexit.
Robert Bond: [00:24:22] So, you know, here we are with a few weeks to go until we are not in the EU and we still don’t have an adequacy decision. Um, and I personally, I think it will be a miracle if we get adequacy by the end of 2020, given that Japan had to wait several years to get their adequacy decision this year. And of course, it’s not helpful that again, the European Court of Justice have highlighted a number of regimes that have got unacceptable interception laws for enforcement and so on, like the U.K. and like France and so on. We’re going to have to do some changes to our legislation. I think if we are going to be seen as being adequate, given that we’re part of the Five Eyes and we’re constantly sharing data with the US, three letter agencies from our four letter agency and with Canada and Australia and and so on, but not with the rest of Europe directly. So I’m not sure that they’re going to jump up and down and say, yes, you’re adequate, but we can’t afford when we Brexit to change our regime, we will have to and we will, of course, keep a UK GDPR.
Robert Bond: [00:25:55] We’re going to keep e-privacy. The more we diverge from the EU approach, the harder it will be. I think for the EU to say we like you, you’ve got a good regime. But I think that data transfer issue is going to be a problem because on the 1st of January, data is not going to stop moving just because we exited a nanosecond ago. And yet there will be some poor business somewhere that will have an incident. And the regulator will say, You know, why were you receiving that data or why were you using that mechanism when you were no longer an exporter in the EU? You’ve become an importer. Yeah. So there’s there’s lots of stuff that businesses still need to be doing, and there’s a lot of businesses and I understand why sitting on their hands going, I’m sure somebody will put it all right in the end. But you know, it’s I think if things go wrong and you can show you were trying to do the right thing, you know you were moving in the right direction, you’ll be better off than doing nothing.
Anthony Brown: [00:27:09] Yeah. So it’s fair to say then, that all privacy lawyers or privacy pros of all kinds should be strapping themselves in for a very busy period. And 2021 is going to be ridiculous, isn’t it? It’s going to be.
Robert Bond: [00:27:25] Yeah, yeah. Well, I don’t know whether you saw, but I think this was it. Yeah. Earlier this week, again, Europe have just published a draft regulation on data governance. So there’s going to be another piece of legislation for public and private data sharing initiatives for the public good, and they’re now talking about a data act. So there’s all this other and then we’ve still got the e-privacy thing coming along and we’ll have all of the where will we be with standard contractual clauses and and yeah, privacy pros will not be out of business.
Anthony Brown: [00:28:05] Yeah, absolutely. So it’s fascinating stuff, Robert. And you know, thank you for delving into the detail a bit there for everyone. Just finally, I think, you know, given the extraordinary career you’ve had, I think I was interested to know you’ve already told us a brilliant story about the computer gaming side, but in your career, is there a project or a certain matter that you’ve worked on that’s really been, you know, stood out from the rest that you’ve had the most enjoyment of or proudest of?
Robert Bond: [00:28:40] Yeah, I knew you were going to be asked me the question, and I was I was thinking yesterday and there’s loads, but actually the one when I look back, that was fun and I’m proud of is when I was chairing the e-commerce group at the International Chamber of Commerce in the UK. My son Michael was the policy adviser, so I used to have to. He kept reminding me that I reported to him and back in back when we were looking at the cookies issues in whatever it was 2010, 2011, 2012. I think the thing I’m proud of is is that I chaired this group in the ICC to develop the cookies guide. And so those words strictly necessary and performance cookies and so on. They all came from the stuff that we did back then, and it’s lovely when I still see cookie statements that use strictly necessary and so on and so forth. And the ICO Christopher Graham back then was very supportive of what we did and so on. And I remember when we launched the cookies guy, the DCMS had a conference and Ed Vaizey, then the minister saw my son and I both speaking and looked at our badges and said, Are you brothers?
Anthony Brown: [00:30:20] Oh, I bet. Michael, absolutely love that, didn’t they?
Robert Bond: [00:30:26] Yeah. Not. Yeah, yeah, yeah. That was really nice to have actually defined something where you still see the definition being used.
Anthony Brown: [00:30:36] Absolutely. It’s nice. I can imagine Robert. And, you know, I’m sure there’s so many areas with your stamp on somewhere. I mean, you know, I can only say on behalf of the community, you know, thank you for all your amazing work. And you know, it doesn’t look like you’re going to be sort of hanging up your your boots just yet. Anyway, there’s a lot, a lot of work to do for sure. So anyway, it’s been fascinating. I could genuinely talk to you all day. There’s so many stories and we had a chat the other day and there’s a few that perhaps wouldn’t have been sort of fitting for this podcast. Robert has some wonderful tales, but thank you so, so much, Robert. Really great session, and I hope all of our listeners and viewers enjoyed it. So anyway, just we’ll say goodbye. We’ll see you at the next episode. But for now, Robert Bond, thank you so much and we will speak soon. Cheers now. Bye.