Growing up in the Netherlands before moving to the US for college helped attorney Juliana Spofford develop an international perspective at an early age. As a foreign student in the US, she earned a BA in Art History from Smith College in Northampton, MA, then went on to the Northeastern University School of Law. Northeastern’s renowned co-op program allowed her to work at a Boston firm (Sullivan & Worcester) during law school. She landed a clerkship with the Rhode Island Supreme Court right out of law school, then returned to Sullivan & Worcester doing corporate litigation.
Once she became a mother, big firm litigation work was no longer practical, so she started working part-time for smaller law firms, one of which was a boutique intellectual property (IP) firm, where she worked doing copyright and trademark law during the late-1990s and early-2000s. After a brief hiatus, she was hired to work as in-house counsel at a local start-up, which was sold to Dow Jones/News Corp. in April 2008, right before the Great Recession hit. She was hired by Dow Jones with the acquisition. From Dow Jones, she moved to another B2B start-up, which eventually was acquired by Dun & Bradstreet in 2015, where she became Assistant General Counsel and ultimately the Chief Privacy Officer. She was recently tempted back to the start-up world by a new company, Aidentified.
Traversing start-ups and large corporations, and with years of experience dealing with Internet- and privacy-related legal topics in China and India, Spofford’s insights cover a wide range of relevant topics and pending changes to cyber- and privacy law on a global basis. Enjoy.
Q: Intellectual property law has exploded in importance with the Internet, as have concerns over privacy. What are some of the key issues currently? Do you think privacy is a lost cause?
Spofford: Initially, intellectual property laws were impacted when the Internet took off because so many firms were having a hard time protecting their creative works online, and the boundary between copyright and fair use was being stretched beyond our traditional views. This quickly grew into more pressing concerns about privacy rights since data was becoming a commodity — personal data/personal information from the Internet was being scraped, and was being bought and sold without permission for various purposes.
Currently, the concepts of 1) what is personal information (“PI”) or personally identifiable information (“PII”) and/or what is sensitive personal information (“SPI”) and 2) what personal data do you have the right to claim as your own (for which someone might need permission to sell it to a third party), have been the biggest questions that legislators around the world have been grappling with. In addition, as cybersecurity laws grew out of privacy legal issues, the even bigger question became: How do we protect that personal information (especially if it is sensitive personal information) so it is not compromised in a data breach (which could lead to financial/reputational harm from fraudsters impersonating you with your personal data)?
I do not think that privacy is a lost cause, and I firmly believe it is up to the companies commoditizing data to make sure that the boundaries are policed. The hard part is that many in our younger generations may have different concepts of what data should be considered private as they have grown up with social media.
Going forward, I think privacy law will continue to change along the boundary where publicly available data ends and private data begins. For example, using personal data about your business persona, which is typically available on the Internet, should likely not be protectable, but health data, credit card information, biometric information, and your national identification/social security number should definitely be subject to tighter controls.
What makes all of this more intricate is that different cultural norms and standards are frequently applied to privacy legislation around the world. Data classified as SPI in the EU may be different than SPI in the US, India, or China.
Q: Privacy seems like an area full of nuance. Can you walk us through some of the major issues and gray areas you’ve had to deal with in the trenches?
Spofford: One of the major issues companies throughout the US dealt with in the last year was how to apply the most restrictive US state privacy law to date, the California Consumer Privacy Act (the “CCPA”).
The CCPA went into effect on January 1, 2020, and pertained to the collection of personal information of California consumers — broadly defined as California residents. It required all companies subject to the law (and its application is very broadly construed) to come into compliance by July 1, 2020, when enforcement of the CCPA became law, although the regulations promulgated by the California AG interpreting the various nuances of the law were not issued until August 14, 2020.
The law brought new operational challenges for businesses since it required extensive changes to internal and externally facing privacy policies and businesses’ internal operational systems to be able to respond to California residents’ requests to exercise their rights to delete their personal information and/or their right to access and know what personal information a company had collected on them.
D&B spent a significant amount of time in 2020 implementing a program for CCPA compliance that had many twists and turns along the way since we were not yet sure how to interpret certain sections of the law and whether we would be subject to those questionable sections without the more specific regulations. In addition, the CCPA brought along additional obligations for D&B’s data providers, which we needed to make sure such providers were going to be adhering to. In the end, D&B was able to implement a full program in a timely fashion, but there was some decision-making along the way that was incredibly nuanced and led to some nail-biting and risk assessments.
This is the way it is with new laws, and luckily we had some prior practice in 2017 and 2018 when the company was undergoing a massive program to become compliant with the EU’s General Data Protection Regulation (GDPR, which went into effect in May 2018). It makes practicing in the privacy law area exciting and cutting-edge, but the laws are so new that we are all still seeing how they will play out in the years to come with respect to enforcement and fines.
Q: At Dun & Bradstreet, you had to deal with privacy issues worldwide, since you had D&B entities and offices in China and India. What’s the state of play generally in those countries? What are their aspirations? What factors jumped out as critical to success for companies trying to grow there?
Spofford: China is an especially difficult jurisdiction to do business in as a foreign company. The privacy and security laws are relatively new and pretty vague at times — specifically, the China Cybersecurity Law and the Personal Information Security Specification. The final regulations for the laws have not been published yet, which gives the Chinese government room for broad or narrow interpretation of the laws without a definitive guideline as we are typically used to in the Western world. In addition, the China National Security Law adds more layers of nuance to the privacy laws as it includes guidelines for the collection and sharing of “important information” — which can be SPI in the more traditional sense, but also include PI or even company information that could be seen to include information about matters of China national security, with far-reaching implications that have an effect on data localization requirements (meaning, what data needs to be kept in China and what data can cross borders and be transferred to countries outside of China). The constantly moving regulatory landscape makes doing business in China tricky. D&B relied heavily on its privacy and compliance attorney in China, trade and government affairs organizations, and outside counsel law firms in China to help us make sense of the legal landscape and to stay in compliance.
India had been fairly relaxed on the privacy side until late 2019 when the India Privacy Law bill was introduced. India currently has laws in place to protect SPI type of information, and there are currently laws in place that SPI financial data on Indian citizens held by financial institutions in India is not allowed to be transferred outside of India. The India Privacy Law is not yet finalized and was stalled in the legislature due to the India elections and Covid-19.
The new India Privacy Law, when passed — this will likely happen in the first quarter of 2021 — contains sweeping changes to the data protection landscape in India and borrows some important concepts from the GDPR but also has some of the nationalistic tendencies similar to the China Cybersecurity Law (e.g., it has data localization requirements for certain types of data currently defined as “critical personal data”).
The India Privacy Law has implications far beyond India, as the country seeks to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India. India — thanks to its population size, gross domestic product, and influx of new Internet users — will be able to exercise leverage over multinational tech companies and shape global policy when the law goes into effect. Those US companies doing business with India companies, whether they use them for outsourcing or data collection, will have to pay attention to what the final new privacy legislation looks like and implement some plans to become compliant as it is anticipated to cover all India personal information (whether or not it is collected or processed in India). It will be a lot like what happened after GDPR went into effect in the EU.
Q: The Covid-19 pandemic has changed everything, and your ability to travel to various countries was suddenly curtailed. What kinds of adjustments did you have to make? What effect did it have on your ability to execute?
Spofford: I went from traveling almost all the time to being home 24/7, which was definitely an adjustment. However, since my days were frequently filled with international conference calls, I was used to interacting with my team in New Jersey, London, and Shanghai remotely. The rest of my client contacts were in various other offices, such as Texas, California, Ireland, India, Hong Kong, and Australia.
The volume of calls did go up exponentially, with often 12-14 calls a day with no time left to work on any actual deliverables, so that the to-do list grew like crazy with the extra stress.
On July 1, 2020, D&B took a portion of the company public — it had been taken private by a private equity conglomerate in February 2019 after 175+ years as a public company. This was quite a feat given the pandemic.
In the midst of all of this, I was deeply involved in a remote legal compliance and privacy review and audit of our China business in early July, which lasted about three weeks and then shortly thereafter in early September with another remote legal compliance and privacy review and audit of D&B’s South Asia, Middle-Eastern, and African alliance partner, which lasted another three weeks. These audits/reviews would have been done in person in the pre-Covid-19 world and were always a lot of work, but we had to do these virtually given the travel limitations. It was tough because we had to be “on” for calls early in the morning — for China we started at 5 am — where we were questioning and testing compliance frameworks of the entities at issue and trying to understand the various aspects of the businesses (sometimes with language barriers depending on the person being interviewed). On the other hand, it was actually nice not to have to travel. We learned we were definitely able to do this type of audit/review virtually, but it took a lot out of the team since we also had to do our regular “day jobs” during the rest of the day and never had any downtime to recover. The pace of this type of work is ultimately not sustainable.
We had a buzzword at D&B for a few years before the new ownership in 2019 — “sustainable high performance.” It was something the company was committed to, meaning that you had to take care of yourself if you worked hard — to be able to sustain your high performance, your work/life balance, your health, and your outside interests were very important.
The ability to carry out such sustainable high performance has been greatly impacted by Covid-19.
Q: You’ve been traversing the start-up/corporate line for the past 15 years, with D&B and Dow Jones having acquired startups you helped grow. You’re now back on the start-up side. What drew you back to the world of start-ups? Is there anything you’ll miss about working for a major international corporation?
Spofford: Aidentified is the fourth start-up I’ve joined as in-house counsel.
The world of start-ups is creative and cutting edge, and you have a little more freedom from the very tight legal constraints of a public (or large private) company, which is helpful for the energy of the company. Getting a full seat at the executive table again and knowing all that is going on from a legal perspective inside the company is a major draw for me, as is the chance to help to mature the company in a way to position it for a possible acquisition.
However, the legal work inside a small company is definitely challenging, and I enjoy balancing and prioritizing legal risks based on the practical realities of a start-up. Each small company I have worked with has had a different culture, and I’ve learned so much as a person and as a lawyer from each start-up.
My work is cut out for me as I start with Aidentified as we are in the midst of a Series A financing, and I am doing a full legal audit to identify and remediate any legal and legal privacy-related gaps, including California Consumer Privacy Act (CCPA) compliance.
I will definitely miss working at D&B, and I have really enjoyed working at major international corporations during my legal journey. The legal issues are usually just a little more complicated because of the international angle, and I enjoy working with teams from all over the world and like to build close relationships with colleagues in other countries. The legal team at D&B is outstanding, and the lawyers are some of the best ones I know. The camaraderie amongst the lawyers at D&B is unique for an in-house legal department. I will absolutely miss my amazing team of U.S. based and international privacy lawyers at Dun & Bradstreet. They are great subject matter experts, and we were a well-oiled team together (can you tell it was hard to leave them behind?).
Also, I will miss having some of the other resources that are available at a big company, such as an effective and well-established data governance and security team who we worked closely with. I also enjoyed doing government-related privacy and compliance work — since both D&B and Dow Jones are government contractors — which will likely not be something I will be able to engage in at a small company.
Q: Working with leading-edge technology businesses, you’re dealing with fast-evolving topics. How do you keep up? Would your “law school you” be impressed or depressed at how much new learning you’ve done?
Spofford: I try to learn as much as I can about the data services, the technology and security practices, the marketing tools used, etc., in the businesses that I work with since it is the only way to understand where your company really is on that cutting edge. I keep up with the rapidly changing legal landscape with educational tools available to those in the privacy/compliance areas such as Continuing Legal Education seminars/webinars, conferences, newsletters (almost every major law firm has a privacy and/or cybersecurity law blog these days that you can subscribe to), in-house counsel online and social media groups, and by joining organizations such as the Association for Corporate Counsel, the International Association of Privacy Professionals, and local and national Bar Associations such as the Massachusetts Bar Association and the American Bar Association.
At Dun & Bradstreet, we also used various government affairs organizations in the EU, China, and India to help us stay up to date with the rapidly changing laws and regulations.
As a legal professional, you never leave law school knowing all that you need to know — most importantly, law school teaches you a way to think and to discern, which carries you through your legal career.
My “law school me” would be impressed with how much new learning I have done and be amazed at the changes that have taken place in the world, as well as the rapid changes they also brought about in practicing law and the various new subject matter areas, such as privacy law, that are now “hot.” Intellectual Property was just taking off in the late ’80s when I went to law school, and the Privacy field is not something we really paid too much attention to.
Q: Looking ahead, what kinds of things do you see becoming settled or unsettled over the next 5-10 years around data privacy, digital IP, and general Internet law?
Spofford: I think the next five years will bring many changes in privacy and security laws all over the world. In the US, the new administration coming into office is likely to be more interested in passing Federal privacy legislation. How long this will take remains to be seen as the make-up of Congress will have much to do with whether such a law will be passed or not.
In the meantime, states like California, Washington, New York, Massachusetts, and others will move forward with new or updated state-specific privacy legislation, with each law just a little bit different in its content and requirements. This will make things complicated going forward and more difficult (and costly in terms of resources expended) for companies to figure all these new laws out.