Jim Koenig, Fenwick & West Jim Koenig, co-chair and partner with Fenwick & West.

 

Fenwick & West partner Jim Koenig wants to reinvent how law firms help their clients.

In Koenig's view, it isn't enough to just help clients comply with specific privacy regulations or respond to cyber challenges. So he helped design Fenwick's Privacy & Cybersecurity Practice, of which he is co-chair, into what he refers to as a “one-stop shop.” This shop employs legal and industry professionals to offer everything from security assessments to training to “privacy-by-design” product services. Fenwick attorneys even sit on some clients' product design councils.

With such a hands-on approach and clients like Facebook, Google and Uber, Koenig is at the forefront of consumer cybersecurity and privacy. But that is nothing new for the MIT graduate who helped co-found the International Association of Privacy Professionals (IAPP) and was called upon to help companies comply with some of the earliest FTC privacy rulings.

➤ Would you like more news from the intersection of law and technology? Sign up for What's Next, a weekly email briefing that explores how new technologies are revolutionizing the business and practice of law.

Koenig sat down with Legaltech News to discuss why he became a privacy attorney, his thoughts on FTC enforcement, and why he believes privacy is a cornerstone of modern innovation and business.

LTN: You went to MIT as an undergrad. What made you want to become a lawyer?

JK: I thought at the time that it was too early for some of the internet and emerging technologies, and I thought the best thing for my career was to focus on what made me different. I had background in business and technology and I figured with adding law, that will allow me to really appreciate all the dimensions a company would need.

When the Cambridge Analytica scandal happened, Facebook was under a 2011 FTC consent decree that required it establish a privacy program. Was the FTC agreement ineffective?   

While I'm not speaking specifically about Facebook, the FTC takes on cases particularly in groups to make points about in certain practices. And in that time period, 2011, 2012, 2013, the FTC had a series of case about what constitutes a comprehensive privacy program.

There has been a call by former FTC commissioner and others to make the process potentially even more thorough, but on balance I think the consent decrees and the level of expected detail balance consumer privacy protections with giving the companies enough flexibility to be innovative, grow and to be competitive.

In short, you don't want a consent decree to put a company out of business and they have to strike the right balance. Many companies are free to design [comprehensive privacy programs] based on what's appropriate for the nature of their business, the sensitivity of their information and their size—it's not one-size-fits-all.

[The question is], are the standards thorough enough? Do you have the appropriate administrative safeguards? That doesn't mean that something can't get through. It's about the right balance.

The EU's GDPR comes into effect in a few weeks. How aggressively do you think it will be enforced?

Most data protection authorities (DPAs) have been hiring and have arrangements where part of the fines and penalties they levy will be used to support their own budget and operations. So if you look at the tea leaves, there is likely to be more activity, more investigations, and more fines and penalties than the Europeans have ever had in the past. That being said, the four percent potential penalty is likely not to be levied initially. It is likely the DPAs are going to use the threat of the four percent penalties as a means to help encourage companies to enter settlements with them quickly.

Do you believe GDPR will lead to standardized privacy practices worldwide?

The GDPR is just one of many global regulations. For global companies, the trend is to not just build for GDPR, but to build global privacy programs where in almost all cases the personal information of all of their customers, B2B partners, employees, workers and others are treated similarly. This provides a consistent baseline to respect privacy, a consistent standard for employees and data scientists and security teams to implement, and from a business point of view, it also means your data will be collected and handled consistently and interoperably.

If companies make the investment in trying to achieve a global program, they may be able to do larger scale analytics across their databases, if implemented with the appropriate level of privacy, security and homogeneous data handling standards. So there is a benefit for companies that invest more in broad privacy and security baseline.

So are there standardized approaches to privacy by design?

To be meaningful and impactful privacy by design has to be customized and fit for the company's products and services and for the primary and secondary uses of the information, as well as the company's internal and third party risks. General high-level principles won't drive those into the product.

To me, the promise of privacy, what's at stake for getting privacy right, is that it unlocks the trust needed for business to expand innovation and technology, whether it's autonomous vehicle, digital health, internet of things, gaming, etc. If we get it wrong, it will slow down trial and adoption of these new technologies, and it will retard innovation.

➤ RELATED COVERAGE: Ready or Not … Here Comes the GDPR