A Conversation with Christopher Wolf, Founder of FPF

Christopher Wolf is the founder and Board President of the Future of Privacy Forum and a leading attorney in privacy and data protection. Chris helped break the path for privacy law and the modern Internet. He has had a hand in advising and shaping thinking on many leading-edge tech issues including Internet free speech, Internet hate speech, and the parameters of government access to stored information. At the same time, he led the development of a top-ranked privacy law practice at Hogan Lovells.

Chris originated and edited the first privacy law treatise published by the prestigious Practicing Law Institute and has written and lectured widely. He has testified in Congress and before the Privacy and Civil Liberties Board, participated in the 2014 White House Big Data Workshops, and served as a panelist at numerous FTC privacy-related workshops.

While playing this industry-leading role in the development of privacy and tech policy, Chris also dedicated a major portion of his time to charitable and philanthropic causes such as the Anti-Defamation League and Food and Friends, a Washington-based nonprofit that provides home-delivered meals and nutrition counseling for people with life-challenging illnesses, and several other charitable organizations. FPF staff who have known and worked with Chris praise him as a friend, colleague, mentor, and role model.


How does the Future of Privacy Forum today compare to your vision when you founded it?

When I founded the Future of Privacy Forum in 2008, the vision was that it would be a place where we could advance the responsible use of data while respecting individual privacy. We’ve stayed true to that mission. Working with Jules and the tremendous FPF team, it has been a pleasure to help the organization grow into a thriving community of business, academic, and civil society thought leaders, influential in shaping public policy on many privacy issues.

We realized early on that privacy isn’t just a legal compliance obligation. It’s good business. It can be a feature that consumers will find attractive if they’re dealing with a company that highlights its privacy practices.

We have grown steadily, in terms of both impact and traditional measures like staffing. And we have developed partnerships around the world. In fact, over the last year, we have significantly expanded our global role with the opening of the Israel Tech Policy Institute and our training and other cooperative projects with European data protection authorities. This year, we are expanding both our international presence and our state activities, while continuing to produce impactful reports, filings, and best practices and convening illuminating stakeholder meetings and events.

What is a project of which you are particularly proud?

There are many. One that comes to mind is Privacy Papers for Policymakers. The purpose of PPPM is to provide a succinct understandable digest in lay terms of the leading thinking about privacy for policymakers across the country. When PPPM first started we were in a tiny room at the National Press Club with space for about ten people. Now it’s held in a large hearing room on Capitol Hill and attracts a couple of hundred leading scholars and policymakers.

It’s not just the best policy research on privacy, it’s the privacy research that will be most useful to policymakers as they search for workable solutions. For those of us deep in the trenches we have many in-depth privacy resources available, but PPPM is really the only channel to put the best privacy scholarship in a helpful format for policymakers in Congress, the Administration, and state governments across the country.

PPPM is just one example of how we have spent the last decade bridging the gap between policymakers, industry, civil society, and academics as we explore the challenges posed by emerging technologies and develop practical privacy protections and effective best practices.

What do you think makes FPF stand out for its effectiveness?

FPF has always created space for thoughtful discourse among diverse stakeholders. Because we are centrist and independent, we are able to convene meetings and working groups that attract stakeholders with a broad range of perspectives to participate in lively and respectful discussions. In turn, that allows us to attract top-notch thinking and create concrete solutions to real-world situations. We remain confident in the power of collaboration to integrate privacy protections with responsible data use that will improve people’s lives.

Could you speak a little about the Christopher Wolf Diversity Law Fellowship?

Throughout my life I have fought discrimination, bigotry, and bias, and it is a great honor to have my name associated with a Fellowship designed to develop privacy professionals of diverse backgrounds.

Chanda Marlowe is our inaugural Diversity Law Fellow, and she has been a wonderful contributor to FPF. She’s an expert on location and advertising technology, algorithmic fairness, and how vulnerable populations can be uniquely affected by privacy issues. I’m looking forward to following her accomplishments during her career in privacy.

What is next for FPF?

Most immediately, we are holding a celebration on April 30 of FPF’s ten years serving as a catalyst for privacy leadership and scholarship. At the event, we are going to honor four trailblazers in the privacy field: Helen Dixon, Ireland’s Data Protection Commissioner; Dale Skivington, who was the Chief Privacy Officer at both Dell and Eastman Kodak; Trevor Hughes, the President and CEO of the IAPP; and Peter Swire, the Elizabeth and Tommy Holder Chair of Law and Ethics at Georgia Tech and an FPF Senior Fellow.

It’s going to be a wonderful evening. Other speakers will include Andrea Jelinek, the Chairwoman of the European Data Protection Board, FTC Commissioner Rebecca Slaughter, and Abigail Slater of the White House.

Of course, we haven’t lost our focus on the future of privacy. As I reflect on where we are as an organization and where we are going, it occurs that many new technologies came into play during our first decade. AI and machine learning, genetic testing, connected cars, smart communities – those technologies were considered science fiction when FPF was founded. Now they have a significant and growing impact on society.

FPF will continue to study emerging technologies and influence their adaptation in ways that respect individual privacy. Only time will tell if the most pressing new privacy issues come from implantable devices, quantum computing, global networks, or something else. We want the use of data to remain a net benefit for society. Data holds greater promise than ever to improve our health, knowledge, and quality of life – as long as it is well-managed to control risks and empower individuals. That is what makes FPF’s work both exciting and important.

FPF at 10: A Conversation with FPF Fellows

Fellows are a crucial part of the Future of Privacy Forum’s work; they conduct research, organize events, give presentations, and write reports and best practices. As the inaugural Elise Berkower Memorial Fellow, Michelle Bae has focused on publishing the comprehensive guide on GDPR and CCPA, analyzing federal and state privacy bills and their impact, and launching the Privacy Book Club which now has more than 750 members. As the 2018-2019 Georgetown Policy Fellow, Jeremy Greenberg has worked on AI governance and best practices, provided analysis of federal and state privacy bills, and organized the annual Privacy Papers for Policymakers event, among other projects. Tyler Park has focused on student privacy issues during his time as the Education Privacy Fellow. He was recently promoted to Policy Counsel.

This series previously featured interviews with fellows Carson Martinez and Chanda Marlowe.

Together, FPF fellows bring diverse experiences and skill sets to the job and do substantive work that makes a real difference in the privacy field. Michelle, Jeremy, and Tyler recently offered reflections on their FPF fellowships and thoughts about their future careers.


 

What drew you to a career in privacy, and FPF specifically?

JG: I knew I wanted to focus on privacy when I took a Criminal Procedure class in law school, which covered the Fourth Amendment, unreasonable search and seizure, and other issues that deal directly with privacy. The following summer, I interned for the Federal Communications Commission (FCC) doing work on telecom, privacy, and tech issues. I really enjoyed that internship, so I continued to pursue courses related to privacy, tech law, and policy. My externships in DC during law school made me even more interested in privacy, so it was a no-brainer for me to apply for a fellowship at FPF, where I knew I would be doing top-of-mind privacy work.

TP: I always knew I wanted to work in tech policy in DC. I was full-time at the FCC before joining FPF. I learned about FPF through friends, and the more I learned, the more impressed I was. Not only does FPF have a well-earned reputation for being centrist, moderate, and thoughtful in its approach to privacy issues; it is also known for launching young professionals’ careers. Jules (Polonetsky, FPF CEO) and John (Verdi, Vice President of Policy) have long been committed to supporting FPF fellows in their career goals, whether those goals involve staying at FPF past their fellowship—as in my case—or moving on to other opportunities. As Jeremy said, it was an easy decision.

MB: After graduating from college as a law major in South Korea, I worked in-house at Citigroup for four years and loved the opportunity it gave me to find practical solutions to complex legal problems. I learned about privacy during law school from a lawyer who specialized in privacy practice, and I found this field fascinating as it is a constantly evolving area of law where new, exciting challenges emerge every day. While working as a privacy intern, I also met Carolina Alonso, the previous Georgetown Fellow, who told me about FPF’s unique role in bringing together academics, industry, and policymakers around these issues.

How has your FPF experience enabled you to meet your career goals?

MB: Analyzing the practical implications of the many privacy bills being debated at the state and federal level was very helpful. I helped Jules run a call for banking leaders where FPF brought together the CPOs of the top banks. Organizing and attending meetings like that has been an invaluable experience in understanding the implications and challenges the companies are facing with GDPR and CCPA. It’s rare that a recent law school graduate gets to interact one-on-one with leading decision makers in the privacy field, and I was able to do that quite often. I really appreciate that fellows are given many opportunities to work on interesting and substantive projects at FPF.

TP: The practical experience is top-notch. We’re working every day with thought leaders who are active in privacy conversations around the country. FPF allows fellows to work directly with the major players and make a name for ourselves. Jules and John have gone out of their way to introduce us to people in this space who can help us with our careers, and the Policy Counsels have been fantastic about giving me feedback on my work and mentoring. Beyond helping me with my career, I know I’ve made valuable friendships here that I expect to last for a long time.

JG: I agree. It’s great to work at a small organization, because it means that we all do substantive work out of necessity. We have to produce key writing and presentations, moderate public panels, and take ownership over assignments that most folks straight out of law school don’t have the chance to take on. Another thing that’s great about working at FPF is that our nonpartisan, pragmatic orientation has given me greater appreciation for the many stakeholders and perspectives in the privacy landscape. Finally, the friendly, collaborative culture at FPF is something I will look for at organizations I work with in the future.

What debates and trends in the world of privacy do you envision working on over the course of your career?

TP: Working on education privacy has made me realize the extent to which concerns in that area are mirrored everywhere else. It’s the basic question, “How much personal information am I comfortable sharing as part of my use of technology?” And that’s not just a question for individuals to answer; it’s a question that communities, governments, and international bodies will have to answer as well. We’ll be wrangling with that question for a long time, since individuals, communities, and countries have differing privacy expectations, sensitivities, and needs.

JG: I’ve been focusing on AI governance best practices lately. I think we are entering a tipping point in AI where it’s ubiquitous in our everyday lives. What does AI mean for jobs in the future? How can we manage bias? Those will be key questions, and I’m grateful for having had the chance to work on this issue with such intelligent people while the technology has become more integrated into our lives.

MB: On-the-ground implementation of laws like GDPR, CCPA, and key state privacy bills is still very much up in the air. I expect practical implementation and monitoring will be a huge issue going forward. For example, FPF recently submitted comments to the Office of the California Attorney General regarding the implementation of the CCPA, and I hope to learn more about CCPA from the California AG’s rule-making process. The follow-through is just as important as the legislative process itself and requires a continuous focus.

TP: That’s a great point. We’re in Washington at a fascinating time in privacy. Student privacy laws have been under consideration for the past five years or so, but it’s only in the past year that broader consumer privacy laws have begun to impact the United States. As exciting as it is to be thinking about privacy frameworks at the beginning of the process, we know we will have to adjust our approach as technologies, political realities, and legal protections continue to change in the future.

A Conversation with FPF's Gabriela Zanfir-Fortuna

In Europe, FPF helps regulators, policymakers, and staff at data protection authorities better understand the technologies at the forefront of data protection law. FPF works with the Brussels Privacy Hub of Vrije Universiteit Brussel to provide an annual program to support practical data protection scholarship. FPF also offers the Digital Data Flows Masterclass, a year-long educational program to help officials better understand data-driven technologies such as AI and machine learning, mobility, biometrics, and uses of location data.

FPF Senior Counsel Gabriela Zanfir-Fortuna is a European privacy law scholar and coordinates FPF’s work on European privacy and data protection. Before moving to the U.S. and joining FPF, Gabriela worked for more than two years for the European Data Protection Supervisor in Brussels, both for the ‘Supervision and Enforcement’ and ‘Policy and Consultation’ Units. She obtained her PhD in law in 2013, from the University of Craiova, with her thesis “The rights of the person with regard to personal data protection.” In 2015, C. H. Beck published her book, Personal data protection. Rights of the data subject.


Could you tell us a little about your career as a data protection official in Europe?

Before I moved to the U.S. in 2016, I worked as a legal officer for the European Data Protection Supervisor. I worked there for about two and a half years, and that was precisely the period when GDPR was being negotiated. It was a very exciting period to be in Brussels, during the GDPR negotiations, the development of Privacy Shield, and negotiations on the EU-U.S. umbrella agreement. I also participated in the meetings of the Article 29 Working Party.

Prior to that, I had finalized my PhD in law and I wrote my thesis on the rights of data subjects in Romania. I dedicated years to researching how data protection law interacts with civil liability. So I had an academic and regulatory background when I moved to the U.S.

How did you get involved with FPF?

After I moved to the U.S., I participated in an event organized by FPF and the Goethe-Institut in Washington DC on Understanding EU Law, Institutions and Policymaking. The discussion helped the American audience and stakeholders understand what was coming with GDPR, how the European Court of Justice works, and the legal framework for privacy in the EU. I had a very good experience at that event, where I talked about the independent data protection authorities and the new European Data Protection Board. I appreciated the serious information that FPF was sharing. FPF understood the bigger framework and the overall legal system in the EU, as opposed to just looking narrowly at GDPR obligations.

I felt FPF could be a very good place for me, and here I am, two and a half years later, continuing to work on building a better understanding of the EU system here in the U.S, and helping to build a common language in the areas of privacy and data protection.

What has been the focus of your work at FPF?

I have been translating the European Union data protection law framework, privacy framework, and European Court of Human Rights framework to be easily understandable for our stakeholders here in the U.S. My goal is to bridge the gap between the European privacy culture and data protection culture and the U.S. privacy culture. I do that by drafting reports, organizing workshops and other events, coordinating the FPF European Council, and giving presentations and speeches.

What are some differences in the privacy cultures between the EU and the U.S.?

One big difference is that in the EU there are two different concepts – privacy and data protection – and in the U.S. we think of them both as privacy. In the EU, there is privacy protection on one hand – based on respect for private life – and data protection on the other hand. In the EU, we protect both the rights to private life and the rights to personal data protection. They are both protected as fundamental, comprehensive rights, but they are not absolute rights. Here in the U.S., the Constitutional protection of privacy is more limited. This creates challenges for developing a common understanding of the legal framework.

Also, the EU has more regulation, and this is a particularly heavily regulated area, much more than in the U.S. Here in the U.S., there is more room for interpretation of what the various privacy laws mean.

What are some of the projects you have worked on at FPF?

I worked with the Internet Privacy Engineering Network, KU Leuven, and Carnegie Mellon University to organized a workshop in November 2017 to look at privacy engineering as a common language between the American privacy framework and the European privacy and data protection frameworks. We brought together scientists, policymakers, practitioners, and industry representatives, and we had a productive conversation that led us to believe privacy engineering is a common language. Engineers look at issues in a clear, practical way, and that makes privacy engineering an area to find common ground between two quite different legal systems.

Another project I worked on is our detailed comparison between the California Consumer Privacy Act (CCPA) and GDPR, which we completed with DataGuidance. The report looks at differences and similarities between the two laws at a granular level. The two laws differ in significant ways, including their scope of applicability, the extent of collection limitations and rules concerning accountability. However, they are similar in certain definitions, the establishment of additional protections for people under age 16, and the inclusion of rights to access personal information, among other provisions. State legislatures in the U.S. are using GDPR and CCPA as models for legislation, which is one reason why it is important to understand their different approaches.

How have the European privacy and data protection frameworks affected the rest of the world?

They certainly are affecting the rest of the world. This influence was first felt as a result of how the EU regulated transfers of personal data across borders. We also see a huge impact that GDPR is having on lawmaking and policymaking around the world. Brazil adopted a law last year inspired by the GDPR framework. In India, a law is being considered that has similarities with the GDPR regime.

Convention 108 of the Council of Europe, which was modernized in 2018, is an international treaty that has the core principles of the European data protection law. It is very consistent with GDPR, and countries in other regions have signed on to it. The latest is Argentina, just a couple of months ago.

What are you looking forward to in your work with FPF?

This is a very exciting time in terms of policymaking in the U.S., with comprehensive privacy legislation being considered and state laws being adopted. I am looking forward to following those discussions and debates, and contributing with lessons learned from the European experience.

I’m also excited about FPF’s plans for an enhanced presence on the ground in Europe. That would be a big benefit for the policy debate over there, given FPF’s expertise in understanding data flows and the technical and legal aspects of processing amassed data.


FPF will host our next Privacy Book Club on April 24 at 2:00 PM EST. Join us to discuss Habeas Data: Privacy vs. the Rise of Surveillance Tech by Cyrus Farivar. Sign up for the book club here.

We hope you will join us at our 10th Anniversary Celebration on April 30. Buy your ticket here.

Future of Privacy Forum Releases Policymaker’s Guide to Student Data Privacy

Plain-Language Resource for Policymakers Addresses Student Privacy

WASHINGTON, DC – April 4, 2019 – Future of Privacy Forum (FPF) has released The Policymaker’s Guide to Student Data Privacy, a crucial resource for federal, state, and local policymakers interested in developing thoughtful student data privacy legislation. Since 2014, state policymakers have built new legal frameworks, passing almost 120 laws specifically to protect student privacy, with additional bills introduced each year.

“Despite the best of intentions, some efforts to protect student privacy hamstring students, teachers, and schools with unintended consequences,” said Amelia Vance, Director of Education Privacy at FPF. “Having people on the ground—students, parents, teachers, administrators, and ed tech companies—involved in the policymaking process can keep well-intentioned laws from limiting important uses of data and technology in the classroom.”

The guide is a starting point to help policymakers craft or update laws addressing student privacy. It covers federal laws as well as the broad approaches that states have taken, including the policies that have caused unintended consequences. Additionally, the guide includes student privacy topics that policymakers commonly address, such as school safety, third party data use, transparency, and parental rights.

FPF wrote the guide collaboratively with an advisory council of other student privacy experts from the following organizations: AASA, The School Superintendents Association; the Alliance for Excellent Education; the Council of Chief State School Officers; Data Quality Campaign; the National Association of State Boards of Education; the National Conference of State Legislatures; and the National School Boards Association.

“Student data and privacy are paramount to student learning and student safety, and AASA is pleased to have partnered with our friends at Future of Privacy Forum to support the creation of this timely and relevant guide,” said Daniel A. Domenech, Executive Director of AASA. “This guide is an excellent starting point for policymakers as they look to introduce new or improve existing law, and to inform any conversations at the federal level.”

About FPF:

FPF brings together industry, academics, consumer advocates, and other thought leaders to explore the challenges posed by technological innovation and develop privacy protections, ethical norms, and workable business practices.FPF helps fill the void in the “space not occupied by law,” which exists due to the speed of technology development. As “data optimists,” we believe that the power of data for good is a net benefit to society and that it can be well-managed to control risks and offer the best protections and empowerment to consumers and individuals.

About the Education Privacy Project:

The Education Privacy Project aims to equip stakeholders – K-12 and higher education advocates, ed tech vendors, policymakers, and local and state education agency privacy leaders – to better understand how to protect student privacy and to implement privacy-protective solutions that also allow important uses of data and technology in the classroom to help students. The Project helps district and state education privacy leaders further their knowledge of best practices and resources, support implementation of state and local privacy policies and laws, and equip them to become grassroots spokespersons for balancing privacy with the important uses of data and technology in education.

 

Media Contacts:

Amelia Vance

[email protected]

Tony Baker

(202) 759-0811

[email protected]

The Israel Tech Policy Institute: A Discussion with Limor Shmerling Magazanik

 

While Israel’s image as the “Start-up Nation” is well known in tech circles, the country has lacked a central organization capable of promoting the same level of thought leadership on tech policy and privacy issues. The launch of the Israel Tech Policy Institute (ITPI) in June 2018 ensured that this is no longer the case. ITPI is headed by Limor Shmerling Magazanik, a 10-year veteran of the Israeli government’s Privacy Protection Authority who was recently named one of Forbes’ Top 50 Women in Tech 2018. In this week’s 10th anniversary update, Limor answers questions about ITPI’s unique advantages as an incubator of innovative tech policy, and how it can affect discussions about privacy, technology, and ethics going forward.


You spent over a decade with Israel’s Privacy Protection Authority. What are some differences between privacy law in Israel and the U.S.?

Unlike the U.S., which doesn’t have a comprehensive, national privacy law, Israel passed a law in 1981. Additionally, Israel has a human right to privacy explicitly enshrined in its founding documents. The Privacy Protection authority has jurisdiction over corporations, NGOs, and government bodies. American privacy law takes a more patchwork approach, with laws differing between states and various government agencies responsible for privacy.

One significant difference is that in 2010 Israel’s privacy regime was deemed adequately compliant with Europe’s privacy standards, and while our privacy laws are under review to determine compliance with GDPR, the adequacy declaration is in full force. The U.S. has not received that declaration due to its lack of a national privacy law. ITPI held a GDPR compliance workshop last May during Cyber Week at Tel Aviv University, where we provided hands-on, practical guidance to help companies prepare for, implement, and comply with GDPR.

It was clear from my experience working in the government that Israel is tackling many of the same questions as the U.S. when it comes to tech policy – and privacy in particular. Even though we have a privacy law, a lot has changed since 1995, when the law was amended last to include digital rights. The “right to be forgotten” is new under GDPR, and is just one of the topics that companies, regulators, and academics are grappling with.

What attracted you to lead ITPI?

It’s no secret that Israel has a booming tech scene. Much of government policy for the past 25 years has been geared towards fostering the growth of this crucial sector; it’s the engine that propels the Israeli economy.

What we lacked until last year, however, was an organization devoted primarily to tech policy, cybersecurity, and privacy. ITPI was born in an effort to bring the best and brightest in academia, industry, government, and NGOs together so that Israel can have a reputation for innovative policy to match its well-deserved reputation as the “startup nation.” I am thrilled to be a part of this effort in its early stages.

What are examples of other events you’ve helped organize in addition to the GDPR training?

ITPI co-hosted a workshop with the Hebrew University Cyber Law Center, the Israel Democratic Institute, and the Israel National Cyber Directorate on Israel’s draft cybersecurity law. By bringing together experts from academia, industry, and government representatives from Israel, the U.S., and the E.U, the workshop allowed attendees to compare Israel’s new proposed cyber law with laws in other countries.

We also recently co-hosted an event with the University of Haifa to discuss Professor Yohai Benkler’s new book, Network Propaganda: Manipulation, Disinformation, and Radicalization in American Politics. Propaganda and “fake news” are areas where tech policy in every country has fallen behind the times, so it was good to discuss an issue that was timely in a way that most people can understand. It was especially significant since Israel is holding general elections in 2 weeks.

What do you see for the future of privacy in Israel and the U.S.?

The new elements of GDPR, such as the “right to be forgotten,” data portability requirements and stronger enforcement powers do not currently exist under Israeli law. While the legislative process plays out in both countries, we need companies to lead the way by adopting ethical codes of privacy practice that go above and beyond what is currently required under the law. This is especially important in the United States, where the legal ecosystem around privacy is so uncertain.

Another area I am interested in is financial technology. During my time at the Privacy Authority, I worked extensively with the local credit bureaus and the Bank of Israel to ensure their compliance with privacy regulations. In the U.S., credit bureaus were organized by the private sector before privacy considerations were given their full due. Additionally, many consumer protection laws do not cover financial institutions. On top of that, you have states passing their own laws, and California’s CCPA in particular will have profound impacts on tech companies based in Silicon Valley and around the world.

I will also focus in the near future on open data for AI development, especially the safe use of health data to support lifesaving and life-improving research.

I hope ITPI can play a pivotal role in developing policy approaches that can be adapted by Israel, the E.U., the U.S., and the rest of the world.


FPF will host our next Privacy Book Club on April 24 at 2:00 PM EST. Join us to discuss Habeas Data: Privacy vs. the Rise of Surveillance Tech by Cyrus Farivar. Sign up for the book club here.

We hope you will join us at our 10th Anniversary Celebration on April 30. Buy your ticket here.

A Thoughtful Discussion of Privacy Issues Raised by AI and Machine Learning

Recently, the Future of Privacy Forum and the Brookings Institution held a discussion session bringing together Hill staff, industry representatives and civil society groups. The conversation was guided by Cam Kerry of Brookings and Brenda Leong and John Verdi from FPF. Topics included whether AI and machine learning issues should be covered in a comprehensive privacy bill, whether privacy is the right lens to capture AI issues, whether AI raises any really unique privacy issues, and what specific concerns are created by automated decision making.

You can read my personal reflections on the thoughtful discussion at Brookings’ TechTank blog.

Mark MacCarthy is a Senior Fellow at FPF and an adjunct professor at Georgetown University. Previously, he was Senior Vice President for Public Policy at the Software & Information Industry Association, where he directed initiatives and advised member companies on technology policy, privacy, AI ethics, content moderation and competition policy in tech.