Reema Moussa 0:00 From the Internet Law and Policy Foundry, this is the Tech Policy Grind Podcast. Every week, our fellows chat with leaders in the technology and internet law and policy space on recent developments and exciting topics such as privacy, internet governance, cybersecurity, tech legislation, and more. I'm your host, Reema Moussa, and I'm a member of the fourth cohort of Foundry Fellows. The Foundry is a collaborative organization for internet law and policy professionals who are passionate about disruptive innovation. In this episode, Foundry Fellow Lama Mohammad sits down with Sophia Baik, a postdoctoral researcher at the Center for Long Term Cybersecurity at UC Berkeley and incoming assistant professor at the Department of Communication Studies at the University of San Diego to discuss all things privacy, but specifically the American Data Protection and Privacy Act, also known as the ADPPA. They dig into the importance of the bill, its threats to being struck down, and a greater conversation on data privacy rights, policy, and legislation. As a postdoctoral researcher at the CLTC Sofia works on projects that examine how companies, customers, citizens and other relevant stakeholders have reacted and been impacted by various data protection laws, including the EU's General Data Protection Regulation, otherwise known as the GDPR, the California Consumer Privacy Act or CCPA, and the California Privacy Rights Act, the CPRA. You can access all of Sofia's research publications on her Google Scholar profile. Lama is a member of the fourth class of ILPF Fellows. She currently works as an associate at the Glen Echo Group in Washington, DC, a communications and public relations firm specializing in tech policy. At the Glen Echo group Lama works on policy and communications within artificial intelligence, augmented and virtual reality, cybersecurity, the digital divide and privacy. Lama Mohammed 2:31 Hi, Sophia, thank you so much for joining this week's episode of the Tech Policy Grind podcast. We're excited to have you on the show to discuss the American Data Protection and Privacy Act, also known as the ADPPA. So Sophia, let's dive right in. I want to start really broadly. And could you please explain to our listeners why does data privacy matter? As a longtime advocate for data privacy rights, I'm often told: "I don't care about privacy companies and the government already have a vast majority of information on me, it does not matter." So what do you say to comments like these? Sophia Baik 3:10 Yeah, thanks, Lama. privacy matters because it guards our personal autonomy. Privacy helps people develop individuality, and make choices about their bodies, thoughts, feelings, and various aspects of lives without necessarily being manipulated by other individuals or entities. This also matters at a societal level, because such personal autonomy is necessary to constitute a public, which is critical for a well functioning democracy in particular. So I would respond to such comments that if the status quo as individuals being known to companies and the government, by default, that should be actually changed. Also, the evolving information ecosystem we live in today is very connected and networked. And we are often identified by such network data systems as either a member of a group or as an individual who shares certain characteristics with a set of other individuals. This means that our privacy is interdependent. Privacy is not only an individual value, but also a collective value in this context. Therefore, privacy is not just about information on you, but about information on you, your family, friends, and networked us. Lama Mohammed 4:34 Yeah, thank you so much for putting it that way. I think a lot of people forget that privacy isn't just about the one individual it's about the collective community. And when you put it that way, it's more about the sense of, oh, I'm not just impacting myself I'm impacting everyone that I care about. And that's often a really good way to talk about the importance of privacy and why we need a comprehensive federal privacy legislation because it's hard to tackle this on our own. And so connecting this back do you mind explaining to the audience what the American Data Protection and Privacy Act is, and we will refer to as the ADPPA throughout the rest of the episode. And why this bill is so monumental and important? Sophia Baik 5:18 Yeah, the ADPPA is a new bipartisan, bicameral bill recently introduced in Congress. And this just say only this July only a few weeks ago, the House committee members voted to pass it. This is monumental because if fully passed, it will be the first ever comprehensive federal privacy law in the United States. There are some compromises made on key issues that have been considered roadblocks to passing a comprehensive privacy law on a federal level. These include preemption of state laws, meaning that the federal law overrides any other stronger state laws and a private right of action which allows individuals to sue regulated entities for their violations. The ADPPA preempts state laws while offering some exceptions such as exempting Illinois Biometric Information Privacy Act from being preempted, and allowing California Privacy Protection Agency to enforce the ADPPA within California. The ADPPA also provides a private right of action that goes into effect after two years, with some limitations such as procedural requirements to notify FTC and State Attorney General's. That said, the ADPPA is important because it can open a pathway toward a comprehensive federal privacy law, which has been long overdue, or at least it can facilitate more cross cutting conversations and advance our understanding of what a comprehensive federal privacy law could and should look like. Lama Mohammed 6:57 Awesome, thank you so much for that explanation. And kind of connecting this back to the current work that you do at the Center for Long Term, Cybersecurity, also known as CLTC, you've been sort of examining how different stakeholders are impacted by various types of data privacy laws. So when Congress comes back from their recess, following Labor Day in September, and they pass this bill, how do you think stakeholders would be affected for better or worse? How would, how do you see the future? Sophia Baik 7:30 Yeah, well, it is a little hard to anticipate how exactly ADPPA will affect stakeholders for better or worse at this point. But I do want to highlight that there are several dimensions we can consider across and within stakeholder types. First of all, I think the responsibility for privacy can be more shifted from individuals to companies. If the data minimization clause in the ADPPA in particular gets meaningfully enforced. One of the main criticisms against existing data privacy laws so far has been that they are very much reliant on a notice and choice framework. Eventually, making individuals bear the burden of meticulously exercising their rights. While providing such rights remains critical, a provision like data minimization, which prevents the collection, processing and transfer of covered data unless limited to what is reasonably necessary, could impose less responsibility on individuals and more on institutional entities. Also, those who reside in states without any statewide privacy laws will be provided with some necessary privacy protections. However, a resident in states like California may also think that their state laws offer stronger protections in some or many ways, and that the ADPPA's state preemption will weaken the protections they have been guaranteed. Additionally, and importantly, those who have suffered from data discrimination could anticipate more protections, as the ADPPA has explicit languages for civil rights protections and prohibits discriminatory data uses. And when it comes to companies, there will be some different effects on big entities and small entities. For example, there are more restrictions on what's called large data holders in the act whereas small companies are exempt from clauses such as a private right of action. Also, data brokers will be another type of stakeholder that will be greatly impacted by the ADPPA because the law requires data brokers to register with the FTC and individuals may submit a single request to all registered data brokers to have their covered data deleted within 30 days. And last but not least, companies whose business model is oriented toward targeted advertising will be also affected by ADPPA, because the bill provides individuals with a right to opt out of targeted advertising. And the ADPPA further prohibits targeted advertising on children and minors in specific. Lama Mohammed 10:18 So I don't know about everyone else but that sounds pretty solid to me. And I think one of the most important components of ADPPA is its commitment to civil rights, especially as it expands protections against algorithmic discrimination. So what are your thoughts on the commitment of the bill to protecting civil liberties? Do you think it needs to be stronger? What are some of your favorite parts of it? And speaking on to specific communities that desperately need privacy rights, especially marginalized communities, how does the bill work for them? Sophia Baik 10:54 Yeah, I mean, I can't agree more that ADPPA commitment to civil rights is one of its most important components. And in fact, one key line of my research has been to explore how we can enshrine data privacy as a civil right in the information age. And I think the ADPPA's recognition and inclusion of civil rights protections is a step forward to deal with emerging discriminatory harms that haven't been adequately addressed by existing legal frameworks developed pre-internet era largely for brick and mortar entities. And ADPPA prohibits the use of personal data to discriminate based on protected characteristics, and requires large data holders to conduct annual algorithmic impact assessment on algorithms that pose a consequential risk of harm and submit to the FTC. I think the civil rights protections can be definitely stronger by requiring companies to use independent third party auditors in their algorithic impact assessment, for example. Also, in the current ADPPA version, the private right of action does not apply to algorithmic impact assessment. And I think this should be included. in fact. The ADPPA further needs to clarify what counts as consequential risk of harm versus low or minimal consequential risk of harm, because such boundaries can be often fuzzy, as seemingly minimal harm can lead to consequences or harm. And I think when these protections are strengthened, marginalized communities, including African American communities, Latino communities, and LGBTQ communities, and every others who are vulnerable to the misuse of their personal data can be better protected. Lama Mohammed 12:48 Yeah, thank you so much for sharing. And I kind of wanted to touch upon your last point on third party auditors. There's a lot of debate about its use, how effective it is. What do you think is a more, I would say, good use of using third party auditors? Why should we advocate for its use? And what are some of the reasons why people are sort of hesitant about using it? Sophia Baik 13:18 Yeah, there are definitely pros and cons of using third party auditors and that should be provided more clear guidelines and standards, by regulatory agencies for it to be actually meaningful. But one of the most appropriate ways to advocate for third party auditors is because we have seen lots of limitations when it comes to self regulatory auditing processes. If companies were regulated under this privacy laws can define their own metrics to be measured by and evaluated by. And if they can just abide by their own rules, without necessarily having to report them, and make those reports publicly available to third parties eyes, it will be really hard for the general public to ensure that these assessments have been done correctly and adequately. So that's why third party auditors can be one way not the only way to complement these regulatory means so that those assessment processes can be given chances to be evaluated by different parties. And also one of the ways to strengthen the auditing process done by third party entities will be making sure that there is a systematic mechanism to certify these third party auditors and the third party auditors also need to be provided a sort of standard set of things to be evaluating when they are auditing these different entities so that all these audits are not necessarily different from company to company. And it is hard to compare what that means across entities and industries, for example. Lama Mohammed 15:20 I think it's really important that we briefly discuss the fall of Roe v. Wade, since we're talking about civil liberties. And so the overturning of this decision is also an attack on digital civil liberties. If we have a bill like ADPPA enacted, how does it protect reproductive rights? Sophia Baik 15:43 Yeah, I mean, data privacy is closely connected to reproductive rights, and especially in overturning of Roe versus Wade Because women's health information is available across various digital outlets and communication means. For example, geolocation data that signal visits to abortion clinics, or that are collected by menstrual cycle tracking apps can be misused to identify and criminalized these woman. One major protection provided by a bill like ADPPA will be a coverage of women's health information as sensitive covered data, which is subject to additional protections. The ADPPA's current definition of sensitive covered data includes information about the past, present or future physical health, mental health, disability, diagnosis or healthcare condition or treatment of an individual. Because the ADPPA regulates entities beyond health providers covered by HIPAA, ADPPA can mitigate some of these gaps in protecting data possibly captured and processed by wearable devices or wellness apps. Also, the ADPPA will offer rights to access and deliver data to individuals across states. And these rights can be exercised by women. But we still need to recognize a loophole, such as the ADPPA's allowance of law enforcement to access this data, even though they are only for authorized lawful purposes. While this is a common provision in any of the privacy laws, there are implications will likely stand out more than ever in the fall of Roe versus Wade. Lama Mohammed 17:28 I think it's very important that you highlighted that law enforcement still has access to this information. So does ADPPA not do enough to protect individuals from surveillance? I know, in the Muslim community, data brokers will share geolocation data of people's homes from their prayer apps that's sold to law enforcement agencies like I.C.E.. How do we make sure that this bill is protecting individual's liberties when it comes to you know, search warrants? This seems like a violation of people's Fourth Amendment. What are your thoughts on that? Sophia Baik 18:09 Yeah, absolutely. So I mean, this is really important question because the US government use of personal data is generally restrained by the Fourth Amendment search and seizure, which requires a search warrant to order companies to share user data with government agencies as you just mentioned, however, there have been limitations. For example, law enforcement regularly uses a subpoena to obtain personal data from companies and the companies may undoubtedly conformed to such requests. Also, contexts get blurred when there are partnerships or contracts between public and private sectors. As many of you might be quite familiar with by now Amazon Ring doorbell camera company has forged video sharing partnerships with over 400 police departments across the US, for example. So such unwarranted data sharing and use across private and public sectors needs to be prevented in a comprehensive federal privacy law. But then the reality is that we are still missing the complete the US privacy framework overall, because the US privacy laws tend to regulate just private sector is not the government agencies or in between, which is one of the key differences between the US privacy regulations and the EU's GDPR. Lama Mohammed 19:34 All right, thank you for bringing up GDPR because I really wanted to ask you know, the US has never seen a comprehensive federal privacy legislation, which is what makes ADPPA very different from state laws. So how does it differ or similar to state laws like the California Privacy Act, and how is it similar or different from international laws like the European Union's General Data Protection Regulation also known as the GDPR. Is there anything that we can learn from GDPR? Sophia Baik 20:09 Yeah, absolutely. I will start with the ADPPA's relationship with other state laws in the US, especially the California's privacy laws. First of all, the critical difference between ADPPA and state laws like CPRA, California Privacy Rights Act is that ADPPA protects everyone across states. I mean, this is too obvious, but it is in fact a key aspect of ADPPA that makes it important and also challenging. And there are some differences for future amendments too. Generally speaking, it will be harder for ADPPA to be amended than other state laws. Because mobilizing federal level agreements tends to be more difficult both procedurally and practically. Also, as currently written, Congress can amend ADPPA in the future in ways that could either strengthen or weaken privacy protections. Whereas the CPRA explicitly explicitly states that amendments must be in furtherance of its private privacy protections. Another difference between ADPPA and CPRA is that ADPPA regulates nonprofit organizations and small businesses as well, even though they are with several exemptions. ADPPA also offers a broader private right of action. While CPRA's private right of action has been limited to data breaches. There are some provisions in the ADPPA that are likely considered weaker than CPRA. For example, the CPRA provides a right to opt out of automated decision making. The ADPPA prohibits algorithmic discrimination, but it doesn't necessarily offer such a right to opt out of automated decision making. And speaking of GDPR, the ADPPA and GDPR do have several similarities, which are noteworthy. Both laws require data minimization, for example, and individuals have a set of rights such as right to request access, correction, and deletion of covered data under these two laws. There are also comparable concepts when it comes to regulated entities. For example, a covered entity under the ADPPA is comparable to a controller under the GDPR. And a service provider under the ADPPA is comparable to a processor under the GDPR. The ADPPA and GDP are further consider what they each call sensitive covered data as special categories of data. These require additional protections, but what it includes is a little divergent. And one key difference between ADPPA and GDPR is that as I mentioned, all your ADPPA doesn't cover government entities while GDPR covers them. Also, there are no specific defined fines under the ADPPA unlike the GDPR that impose fines of up to 20 million euros or 4% of worldwide turnover. And as GDPR went into effect earlier than either California's law or if passed the ADPPA, there are definitely lessons learned. And there are some empirical research findings that have been emerging recently in scholarship that talks about how legitimate interest under GDPR can be misused and remains unenforceable in many ways, or how the fines have been working greatly to impact some of these institutions, because they are pretty high. Or there were also lessons learned from those coordination across EU countries, member nations because they are require a lot of coordination across countries. And that can be something the US should be learning as US is a federal system and there are a lot of coordinations that will have to be done across states once the federal privacy law becomes available. Reema Moussa 24:38 We'll be right back. But internet law and Policy Foundry's 2022 Policy Hackathon is the Foundry's third policy hackathon happening this October 14th through 16th. The Policy Hackathon is a three day event that brings together creative technical and policy professionals from around the world to tackle emerging and long standing problems related to the intersection of law, policy and technology. The theme of this year's Hackathon is Privacy, Trust and Safety in the Metaverse. Additionally, the Foundry is holding a writing competition, and a series of virtual events about all things Metaverse. For more information about the Hackathon, the writing competition, and other Hackathon related events, you can visit the Foundry's website ILPfoundry.us, or our social media pages. I'm sure by now our listeners understand just how important this privacy bill is, but I think you were alluding to it previously, why is ADPPA at risk and moving past the House or even having the House vote on it? Do you mind explaining to our audience why? Sophia Baik 26:03 Yeah, um, first of all, it is still hard to predict if the bill can get enough support in the Senate. For example, the Senate committee chair Senator Maria Cantwell has been quite critical of this bill so far and hasn't indicated any willingness to change her stance yet. And this can change over time. So I'm speaking about what's happening in early August. And the legislative process can be further delayed by the US midterm elections happening this November. So there are a lot of moving parts for this bill to eventually pass. Also, there are strong objections from California in particular, because many of the California officials or residents suggest that ADPPA's preemption of the CPRA will be a significant setback. So there are some hurdles and challenges remain that remain for us to observe moving moving forward. Lama Mohammed 27:10 Yeah, I completely agree. I agree, but I'm hoping for the best for this bill, especially at following midterm elections. So I would say is there anything else in the bill you wish were included? What frameworks are missing? Sophia Baik 27:28 Yeah. As I'm asked about what I wish to be included in the ADPPA, I'd like to talk about a few key missing pieces. The first and foremost, I wish we can tweak the current state of compromise state preemption if possible. State preemption can and should work to provide a floor not a ceiling, if we want privacy protections to be robust and reflexive. For example, there are federal sector privacy laws, like HIPAA Health Insurance Portability and Accountability Act, that do not preempt stronger state laws unless they are contrary to it. And I believe there should be room to update laws to respond to fast changing technologies or evolving privacy issues in the future. I recently read a post by Daniel Solove, of a prominent privacy scholar who suggested a temporary preemption clause that would sunset and force Congress to revisit the law in a later time. And I think that can be a possibility. I also wish there are stronger private right of action. As I alluded to, earlier a little bit. The ADPPA's private right of action excludes some of the bills core protections, including data minimization, covered algorithm impact assessment, privacy by design, and unified opt out mechanisms. In particular, I think data minimization should be included in the private right of action. As I emphasized earlier, effective data minimization is critical for the ADPPA to structurally shift the burden from individuals to companies. And last but not least I wish the ADPPA to more explicitly allocate resources to regulatory agencies. For example, while the FTC has been a de facto central agency to oversee privacy regulations at the federal level, it's been repeatedly flagged that it lacks resources and staff, while its responsibility is tremendously growing every day. So I think those can be addressed by ADPPA, if that's a possibility. Lama Mohammed 29:47 Yeah, I can I completely agree on expanding resources and funding for the FTC. I think over time we've seen especially in light of antitrust and broadband access that there is so much that the FTC needs to tackle and there just isn't enough. So I wanted to go back because we discussed how ADPPA has a risk of not becoming a bill. Until then, how can people protect their privacy, especially in light of Roe falling, expanded bills that are attacking rights against LGBT youth? The world is getting scarier than we know it online. And so how can people protect themselves, especially marginalized communities? Sophia Baik 30:36 Yeah, it's really a hard question to answer because when it comes to this question, I do not necessarily want to impose another responsibility on marginalized communities by encouraging them, encouraging them to do something even though that is necessary and important. As I mentioned earlier, I do believe in the need for shift of responsibility from individuals to institutional entities at the structural level. That said, I think there can be some things we can be doing in the everyday moments. In the meantime, as we don't have comprehensive protection yet. And one thing is to really just start trying little changes. In daily moments, for example, you can rightfully request to opt out of facial recognition technology at airports, lots of people either do not know they have the right to opt out and refuse or just opt in for convenience. And many of the airport or airline employees do not inform the individuals have such right. And I always try to be the person who says such rights and opt out of such technology. And I see people behind me in a queue starts doing it after seeing that they have such a right in fact. So doing such little things can not only protect your own rights, but also inform others of important rights. And another example I always introduce is that you can also refuse to install a tracking device on your cars, which is often promoted by insurance companies with promotions. But I do acknowledge that being able to choose only being able to not choose promotions, for protecting your privacy rights is a can be a privilege itself, because not everybody is in allowed for such affordances. And this is a really huge problem and giving it to solve at a societal level. But if possible, if these are options, you can consider I highly encourage you to start doing this, even though it feels like a not big change you're making but it actually makes a huge change at the end of the day if you're collectively doing it. And also other stuff is really regularly speaking about privacy issues with your friends or colleagues or family members. Because privacy is not just about secrets or intimacy. It is not that you don't need privacy, because you have nothing to hide. We all need privacy for different reasons we have speak we've been speaking of today. So I'd highly encourage everyone to be talking about privacy issues on a daily basis with others. Even if it may feel a little uncomfortable at the first time. It can be an important topic among your groups of friends or beloved ones, if you do it more regularly. Lama Mohammed 34:16 Yeah, I completely agree. I've shown my family and friends, all kinds of documentaries, I have shared so many books. So I really appreciate that sentiment, and kind of continuing your comments. What do you think the future of data privacy looks like? Do you think we are more at risk because of the state of the world right now? Are we at a greater risk of surveillance and infringement of privacy than ever before? Why or why not? And are you feeling hopeful? Sophia Baik 34:46 I want to remain hopeful always, even though it is challenging. But in reality I'd say we are more at risk of surveillance and privacy harms in general than ever before. And it is mainly because the digital transformation of this era we live in has enabled tracing of almost every interaction we are having online and even offline. And these include people's liking certain contents on Instagram, commenting on YouTube clips, or visiting local retailers with their mobile phones that track geographic location, etc. With such advanced technologies, it has become possible and very convenient to collect, process and move data in large scale, and to make inferences using such cross contextual data. Of course, as we have talked about the ADPPA today, there are increasing efforts around the world to address such emerging data privacy issues through different regulatory means. And these are noteworthy efforts for sure. But I do think we would continue to see the race between fast changing technologies and laws to try to catch up. And we need to be paying attention to these developments going forward to make meaningful changes together. Lama Mohammed 36:17 Yeah, I completely agree. What do you think are some emerging technologies that we need to be particularly conscious of? There's the development of the Metaverse, there's greater use of AI is getting more and more, you know, integrated into automated decision making, autonomous vehicles, smart cities, there's so much. Sophia Baik 36:42 Yeah, I mean, all those you mentioned are the technologies we will need to be closely examining and overseeing in the coming years. Not only because they are fast changing, but also because the key theme across these technologies is the automation and how we will identify responsibility, if any, between humans behind such technologies who are developing and governing such technologies versus the technologies that are often deemed a black box, so to speak. Lama Mohammed 37:22 Yes, yes. Sophia Baik 37:24 And defining and clarifying the responsibility will be a key here, even if it will be really difficult and complex task to do. Because if we don't do it, lots of current legal frameworks, or emerging legal frameworks will struggle to document and recognize harms that are introduced by these newer technologies. So and if and if that's the case, the burden will be still on individuals and more vulnerable communities who should go through such harms and not have much remedies in their hands. Lama Mohammed 38:08 Right. Am I totally agree on the black box, I think it's one of the reasons why people are afraid to get involved in the space, because it's just so hard to understand these different algorithms, what they can do what they mean. And sometimes people want to stay away from it entirely. Which, you know, kind of brings me to this next point about your new upcoming role as an assistant professor at the University of San Diego's Department of Communication Studies. So of course, congratulations. It's very exciting. How are you continuing your work to advance data privacy rights in your new role? And what are you doing to educate students and kind of dismantle this black box? Sophia Baik 38:53 Yeah, thank you very much. I'm excited about this new chapter. And I'm going to continue my research on stakeholder responses to evolving data privacy regulations in California, at the federal level, and across national borders. I'm originally from Seoul, South Korea. So there are lots of debates going on between the Western-centric understanding of privacy regulations, and some of the emerging regulatory approaches in different cultures and regions as Asian countries so I'd love to explore those elements more in the future. And I'm closely examining how these privacy regulations are addressing online behavior advertising in particular, or what's often known as targeted advertising, as we've discussed earlier, and it is to better understand the privacy legislations implications for business models in the digital economy. Because a lot of times, many of these privacy issues are intricately connected. To the business model of many of these companies, and I'm planning to further explore local surveillance programs in the San Diego area, considering there are lots of immigrant communities in the region. And I hope to engage with some of the community partners and civil society, continuing my previous research with civil society actors to better understand what's going on, and what can be done better to protect their privacy rights in the local context. And I'm super excited to be teaching classes and interacting with students in various settings. And I will be given opportunities to teach courses about various issues of communication technology policies, definitely including data privacy rights. And I'm planning to include topics such as algorithmic biases, discrimination that is data oriented, and some of these privacy regulations that are emerging and changing and what we can be doing to advance such regulatory efforts, etc. And one of the key themes in my teaching will be to critically unpack how the responsibility and harms are disproportionately distributed across different communities in our society. Lama Mohammed 41:29 Yeah, I really appreciate that. As someone who identifies with various backgrounds, I very much appreciate that. And I think I really want it to go back to your to your last point. As a first generation American, my parents are immigrants, and the existence of data privacy in North Africa doesn't exist. Data privacy rights, mostly are talked about in the Western world. And how do you think, you know, how do you think other countries in Asia or Africa are sort of left out of this conversation? What effect does this Brussels Effect, for example, have on the development of privacy rights in Asia and Africa and sometimes takes away the attention of the work being done on the ground in those countries? Sophia Baik 42:19 Yeah, that's really important because data flows across borders, and people move across borders, but then we are still bounded by this national jurisdictions that have differences. So there are definitely needs for some harmonization. But at the same time, it is important to respect and recognize the local cultural, and social context that are not always identical. And that said, in South Korea, for example, there are pretty strict privacy protections emerging these days. And it is in part because the Korea's political history hinges on the problematic surveillance by government government. So that is a key cultural value that Korean people is acknowledging. But then, I'd love to talk about how COVID has affected the ways we are making sense of privacy issues, because there were a lot of efforts across countries to do contact tracing using digital technologies, for example, and whether they remain voluntary or mandatory and how people are opting in or opting out of such technological means has been different from country to country. And what I'd like to highlight here is that we cannot necessarily divide these different approaches through the lens of collectivist cultures or individualistic cultures, because it is not that monolithic. Lama Mohammed 44:16 Right. Sophia Baik 44:17 And one of my recent research about digital contact tracing in the US, for example, also show that people are navigating different relationships when they are either accepting or resisting contact tracing technologies. For example, individuals, either in a country like the US or a country like South Korea or China do take into consideration their relationships with government agencies, their relationships with corporations, as well as their relationships with their family members, friends or loved ones who they want to protect through such technologies from the contagious virus. So we cannot say that individuals, the US will refuse contact tracing, because it's a surveillance program or individuals in Asia like China or South Korea will happily accept the surveillance technology because they are collectivist cultures, because it is not really the case on the ground when we actually do research, how things are going in practice. So I'd say to better understand different regulatory frameworks emerging across different regional boundaries, and how people are reacting to these privacy regulations, as are various technologies, we really need more solid research and comparative research across this region so that those can inform policymaking around the world. Lama Mohammed 45:53 Thank you so much for that. That was extremely insightful and very enlightening. Thank you. Um, so I guess in your perfect world, how would laws be structured to protect our privacy rights? Do you think there should be one intergovernmental body that assigns a standard privacy law for everybody sort of similar to the EU-US data privacy shield? What are your thoughts on that? Sophia Baik 46:21 Yeah, I don't think like a single governing body will necessarily solve all the problems. So what I would rather prefer is that we make sure that any privacy law does cover and regulate not only private sectors, but also the government and in between, as I mentioned briefly earlier, because this is still a huge missing piece in the US privacy framework, where the current privacy regulations that are being discussed is only about regulating for profit companies or nonprofits or small businesses, but not the government agencies. But because the gray area between public and private sectors is growing and growing every single day, I think it is really important for us to come up with a privacy law that does cover such gray areas, and does recognize the interactions and intersections between public and private because data is everywhere. It's not just in the hands of government or hands of corporations, personal data is in the hands of all those institutional entities. So right, we can actually govenr all those areas and layers of data flow, we can better protect privacy rights. And I think that is the number one criteria for any ideal privacy law, if possible. And another element I think necessary to ideally protect our privacy rights is to broaden our understanding and recognition of privacy harms. In the US, there are tort laws that cover some key privacy harms, but it still remains hard to prove privacy harms when they constitute intangible or non monetary harms. So we really need a more holistic and systematic approach to privacy harms. And this would be critical for making a mechanism like a private right of action, more meaningful and effective. Lama Mohammed 48:35 Thank you so much sure that I completely agree. And just sort of conclude our episode, the Internet Law and Policy Foundry is a career development fellowship. So Sophia, how can our listeners or our other fellows work to advance advocate for their privacy rights, or their communities or their communities that they're allies to? Sophia Baik 48:56 Yeah, I think it's really important to remind ourselves that privacy is for every element of our life to be governed in a way that aligns with our individual and collective values. So it is not seeing about secrets, nothing about just intimacy between a few individuals. It's actually more than that. And we were talking about lots of privacy laws, including the ADPPA today, but I do acknowledge the privacy laws often appear far from reach and it is really daunting to comprehend all the moving parts of privacy laws. It is it is really challenging for me too, as well to catch up with all those little details because they are fast changing. But at the same time, I do want to highlight that it is really important for all of us to keep paying attention to such regulatory developments to move a needle in the right direction. It is our sustained attention I believe that will be a key to advance and advocate for our privacy rights. So listening to a podcast like this or other insightful podcasts or conversations or as or news articles will be a great starting point for every one of us to get closer to understanding our privacy rights and protect them. Lama Mohammed 50:19 Well, on that note, we conclude our episode. If you have an interest in discussing privacy implications as it relates to the Metaverse, please be sure to register for our upcoming Policy Hackathon. And thank you so much to Sophia from UC Berkeley Center for Long Term Cybersecurity, for joining us. And please be sure to check out all Sophia's work by visiting her Google Scholar page. Links to sign up for the Policy Hackathon and Sophia's Google Scholar page will be included in the show notes. Thank you so much. Sophia Baik 50:48 Thank you. Reema Moussa 50:52 Thanks for listening to this episode of The Tech Policy Grind Podcast. Be sure to check out the Foundry on LinkedIn and Twitter. And if you enjoyed this episode, leave us a review and give us a five star rating. It really helps out the show. If you're interested in supporting the show, reach out to us at FoundryPodcasts@ILPfoundry.us. You can find our email in the show notes as well. You can see the full show notes and download the episode transcript for every episode on our website ILPfoundry.us/podcast. The Tech Policy Grind Podcast comes out every Thursday. See you next time. The Tech Policy Grind Podcast was created by the fellows at the Internet Law and Policy Foundry. It's produced and edited by me Reema Moussa, with support from the incredible Foundry Fellows. Special thanks to Lama Mohammed, our Social Coordinator, and Allyson McReynolds our Accessibility Coordinator for all their help with this episode. Transcribed by https://otter.ai