E23 - Avishai Ostrin Senior Privacy Consultant PrivacyTeam
Avishai_Ostrin
39:34
SUMMARY KEYWORDS
privacy, people, Israel, debbie, conversation, vaccinated, government, data, passport, country, world, legislation, decision, war, line, measures, home, agree, talk, year
SPEAKERS
Debbie Reynolds, Avishai Ostrin
Disclaimer 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
Debbie Reynolds 00:10
Hello, my name is Debbie Reynolds. They call me "The Data Diva." This is "The Data Diva Talks" Privacy podcast, where we discuss privacy issues with industry leaders around the world to talk about things that businesses need to know right now. So today, I have a very special guest in Avishai Ostrin, who is the Senior Privacy Consultant at PrivacyTeam in Israel. Hello.
Avishai Ostrin 00:38
Hi, Debbie. Thank you so much for having me on.
Debbie Reynolds 00:41
Well, so we aren't exactly strangers, right? We worked with each other, we have been back and forth for many, many months, I think, on LinkedIn, and we've done things together, I think we recorded some stuff, or we talked about things about privacy in the US and the different places. You always have such an interesting perspective. And I think one issue that we have when we talk when we're not recording or doing it's not that we get excited, and we end up talking for a long time about stuff.
Avishai Ostrin 01:17
It's true. It's true. It's what you can do, it's all we can do is really talk and each other, Debbie, so it's great to be on the show to be able to do that and be recorded.
Debbie Reynolds 01:30
Yeah. Well, it's really interesting. I think, just being in Israel and having Israel be a country that has pretty strong privacy protections, and also being so close to the EU. I think you have a really good perspective. And then as, as we, as I do, you also work with companies that have multinational dimensions. Right, talk a little bit about what it is you do.
Avishai Ostrin 01:56
Yeah, sure. Pleasure. So I actually, up until recently, I was the head of privacy at Asserson, which is a UK law firm based here in his pub. And what I was doing was advising companies on compliance, UK and EU GDPR regulations. And recently, I moved to PrivacyTeam, which is Israel's number one privacy consulting business. And we serve as external DPO. And also provide just general privacy consulting services to some of Israel's and the world's really leading tech companies. And it's been exciting. It's an exciting move for me and a bit of a new step. And so I've kind of taken the lawyer hat that I've worn for many, many years I was in. I was first a corporate commercial lawyer and then specialized in privacy, but really in the legal realm. So within a law firm, and I've taken that hat off and put on my consultant hat. And what that kind of allows me to do in this business, being a consultant is it allows me to zoom out from a specific jurisdiction from a specific qualification that I have, whether it's Israel or UK, and to be able to have a much more global view of privacy, which is really the way that, companies, as you mentioned before, Debbie multinationals, especially need to have that global view of privacy. And, and not just focus on one specific jurisdiction, or have the privacy program that focuses on jurisdiction by jurisdiction, because that simply doesn't work.
Debbie Reynolds 04:03
It doesn't. I was working with a company identity company in the UK that was developing technology that is going to be used in different countries. And we were trying to come up with a retention period for the identity data that we take that they would capture. And it was interesting because we were like, well, for India, it has to be, at least, up to 24 hours, and therefore, Illinois, because of the HIPAA law, can't be more than three years. So, just sort of trying to wrangle all those things together is always a challenge. But, happy you joined me on the consulting side.
Avishai Ostrin 04:46
I was always following in your footsteps, Debbie, following in your steps. That's great.
Debbie Reynolds 04:50
Well, you put something on LinkedIn that I thought was fascinating, and I would love to sort of pick it apart a bit. You can tell more detail. So you had posted something on LinkedIn about you having a conversation with someone about privacy. And typically, what happens is, we end up in a conversation with people who aren't in the privacy area. And they want to know why it's so important, why we think it's such a big deal. And so you sort of started the post off about sort of your back and forth with this person. And then you had posted an article that you've written for the Times of Israel, just sort of about that topic. So I would love for you to talk through, talk through for the audience, that conversation that you had, and then talk a bit about your article, which is fantastic, by the way.
Avishai Ostrin 05:38
Yeah, thank you. Thank you very much. So the conversation that I had to be honest is not different from many of the conversations that I've had before about this stuff with people with whether my family members or close friends of mine. And I'm sure that it's something that you and the other privacy professionals in the audience can very much relate to. It's an instance where someone, you're having the conversation, and they say something along the lines of why do you care about this stuff so much? It really, why is it so important to be you go on and on about this privacy stuff? And, we try to explain why we feel that it's important and why we think that its privacy is a human right, and we should be protecting it and not and not curtailing it or setting it aside. Privacy is a human right. And, it's important to make sure that human rights are protected and not set aside or curtailed in any way. And the conversation that I was recently having this type of conversation was a context of COVID or the war, as I call it, the war people call it the War on Coronavirus. And when I was the conversation, kind of what I was saying to this person who was asking me was or it sorry, they were saying to me, yes, I understand that the right to privacy is important. But obviously, what you need to understand is we are at war. We are at war with a virus that is threatening the very fabric of our society and the way that we live. And therefore, we need to do everything that we can in order to defeat this virus. And that really made me think, it gave me pause, and it made me think, and I thought to myself, well, okay, so let's say we're at war, but even in war, even in times of war, we have rules that apply. They're called the Geneva Conventions. And they tell us what we can what countries can and can't do in the time of war. You can't use chemical warfare, you can't, and there are all of these. You can't use prisoners of war. So there are a set of rules that are put in place. 
And so that taught me to okay, if there are a set of rules that apply to war, then surely there should be a set of rules that apply to the War on Coronavirus as well. And that's kind of where the idea for my article came from, which is how basically if we're talking about Coronavirus, and we're talking about measures that we need to take in order to combat Coronavirus. How far are we willing to go? And how much, how far are we willing to take those measures in order to in the interest of fighting this "war"? And, the examples that were that I was looking at, in Israel. There were a few examples. So the first one that came to, that came to my mind that I mentioned in the article was that Israel, last year at the beginning of the Coronavirus pandemic, decided to use to utilize the intelligence services to provide surveillance on people who had contracted COVID to make sure that they weren't leaving their homes. So using military or secret intelligence against citizens imagine in the US, the government deciding to use the CIA to basically determine where people's whereabouts and make sure that people that had COVID weren't leaving their houses. So that was one and despite warnings from experts, saying that these tools are not designed to track civilians in the way that and then not accurate enough in the way that the government is hoping to use them. They were. Still, they were still implemented and are still implemented actually to this day. And, they were there were some other another decision. On the number of countries, Israel included, decided to develop a contact tracing app for the Ministry of Health wanted to put together a contact tracing app, and they did they develop the app, but it was a major flop. And the reason that it was a major flop is that no one downloaded it because no one trusted the government to properly handle their data. 
Another one that came recently, just a couple of weeks ago, was a decision by Israel's central government to share information about. People may have read in the news that Israel is leading the way in the vaccination effort. We have the most number of people per size of the population that have gotten vaccinated. And which, which is wonderful. It's really great. But what Israel had what the government had decided to do is to share information about people who have or haven't gotten vaccinated with the municipalities. Municipalities could call people or contact people and encourage them to come become vaccinated. And, just another issue that's, that's, another one that's come up recently, is that the Ministry of Health is now pushing legislation. This is just in the last week, the Ministry of Health pushing legislation through to try to use bracelets, so people who come electronic bracelets, people who come overseas, will have to use bracelets instead of having gone into isolation, in self-isolation, in government-sponsored hotels, they'll be able to go home, but they'll have to wear these monitoring bracelets, which obviously conjures up images of, people who are incarcerated or under house arrest or something like that. And so, these measures, each one of them when you take them individually, and you say, it's very clear, you can say, okay, we're going to take this measure, because it's going to help us do X, or we're going to take this measure because it's going to help us do Y. So individually, you might be able to pinpoint exactly what the measure's trying to do. And if you zoomed out, and you look at the entire kind of trajectory of what's happened over the last year, you can see a very consistent and kind of slow burn of an erosion of the price of the right to privacy, in the name of the war on Coronavirus. And I think what's missing in this conversation. 
And it's not just Israel, by the way, there are plenty, the responses I got from my LinkedIn, from my article, and my LinkedIn posts were, hey, it's happening here to people in the UK, people in other European countries, people in the US and elsewhere around the world. And what's missing, in my view from this conversation, is, hey, let's take a step back for a second. Before we ran these measures through Parliament and got them approved. Let's take a step back for a second. And think about how these decisions have, what the long-term implications are going to be. And what is our right to privacy going to look like? Not now, not in a year from now. But in five and ten years from now. What are we doing for the future of privacy now? And how is this going to impact our privacy in the future?
Debbie Reynolds 14:22
Right. I think I think you're right. It's kind of the drip, drip drip of things that happened. So maybe like you said, one thing by itself may not be a problem, but many things built up over time kind of changes because you're sort of moving the field goal, right, you're moving the line what you think is acceptable, and those lines rarely ever go back to the way that they were, so.
Avishai Ostrin 14:50
Exactly.
Debbie Reynolds 14:51
I think too. Some people want to comport privacy with security. And I think all of us know that sort of false equivalency, the opposite of security isn't privacy or vice versa. So I think it's important to be able to do both, but a lot of what is capable of being done is related to the kind of the national and state laws of kind of where you are. And then also, just what citizens think, are, is acceptable. So a lot of it has to be the citizen saying, I don't think this is acceptable, let's find a better way to do this, being involved in, try to be involved in things like legislation. But, we all know that almost any government has powers when it comes to emergency situations that somehow can truncate individuals' rights, but in the end, those powers are supposed to be temporary. So when the emergency quote-unquote is over, it's supposed to go back to normal. But I think what we're finding is that, what we know now, we didn't know a year ago, so a year ago, actually, today is March 2. So last year, March 2, I was at taking up my last trip out of the country, and I was coming back from Costa Rica. And so the world is very different, obviously, when I came home, but I think surprise, right? This is March 2, and actually, in the US, there had only been one death that was COVID. And now we're what 515,000 people in the US who have passed away last year. But I think then, too, we were thinking, oh, this is temporary, we're just gonna be doing this for, a couple of weeks, I'm just going to go work from home, for a couple of weeks, and a year later, we're still working from home, and they're still trying to sort it out and trying to figure out well, wait a minute if this is a long term thing, just like you were saying before if people are giving up their privacy for something, the short term, I think that's a different conversation than saying, we don't know how long it's gonna take this may be years, so are we willing to sort of extend that state of grace? 
I guess, beyond kind of our normal contours are what we thought this was going to be?
Avishai Ostrin 17:34
Yeah, very true. And you see, you see the permanence and some of the solutions already, I mean, you're talking about what's the future of international travel gonna look like they're talking about, passports in Israel, we've already got a national, it's called the green passport. Where if you get vaccinated, or if you are recovering from, if you've recovered from Corona, you can get, you can get the green passport, which is basically a centralized database of people's health data. And so, and this is, this is really important, Debbie, I really want to stress this is that I am not trying to say that we shouldn't take these measures. That's not what I'm trying to say at all. And I'm also not saying that we shouldn't do whatever we can in order to eradicate this virus from the face of the earth. What I am saying is that if you want to make responsible decisions, you need to have what I call my article, you need to have a responsible adult in the room that you ask, you need to have involved the correct stakeholders, make sure that you have someone from the Privacy Protection Agency in the room when you're making the decision. So they can tell you guys listen, this isn't the way to do it, because this is going to cause x, y, z, we have to do it differently. We have to do ABC because that's the way that's going to less impact people's privacy and people's data. So I'm not at all saying one second, let's just sit back and do absolutely nothing, but the conversations that should be happening or not happening. And that's my qualm with the situation. And it's the Israeli government is just an example of what's going on, I think, all around the world. I want to pick up also on one other thing that you said to me because I think it's super important to understand that the stress the interplay between privacy and security, and the fact that you don't miss it's not a zero-sum game. The fact that you have security doesn't mean that you don't have privacy. 
There's a very if you ask someone if you ask a privacy professional like myself, what is Israel's privacy kind of view is it's very much security-oriented. The legislation and Israel lend themselves very much to security to data security. And too, there is very, very prescriptive about how you, you need to protect information, how you need to protect data, what kind of encryption you need to use, etc. In fact, just less just in the last weekend to the last few days, there was a bill introduced in the Israeli Parliament that gives the Israeli Cybersecurity authority that gives them very, very broad sweeping authority and rights in terms of protecting the Israeli Cybersecurity space. Right. So, so the ability to even to the extent that they would be able to go into private companies, IT systems in order to try to fend off a security threat. Now, of course, these are being passed as emergency measures because of COVID. And because everyone is working from home. But the conversation that's missing, the voice that's missing here is yes. Cybersecurity is extremely important. But so is privacy. Let's implement that as well. Let's put that at the top of our list as well. And that is a conversation. That is the voice that isn't being heard and the conversation that isn't being had. And it's a shame because if, if especially the Israeli government, but governments around the world cared as much about privacy as they did about, Cybersecurity and other issues that they see as national threats, then I think we'd be in a completely different place.
Debbie Reynolds 22:17
Yeah, I agree with that. I mean, I think it's, there are so many issues, I think, that are playing around with Cybersecurity and privacy right now. One thing was cyber, I think, and I think it's a good idea what you're talking about, which I wish would happen more in the US is like, I think there needs to be more collaboration and sharing between the government and private industries about Cybersecurity where, right now, it's like, everyone's sort of doing their own thing right now. And we're all facing the same issue. So it's more of like a divide and conquer thing, where I think if we could have more openness and collaboration about sharing even information about, this is something that happened, here's, here's what you can do to prevent it, as opposed to this, the cybercriminals going from business to business, wreaking havoc, and not being able to share that information in a way that will prevent it for someone else. Also, I think, every, I think it's interesting to see how all these different countries are handling this. So we're all sort of having the same issues, but we're all sort of handling it in different ways. So I would like to see more collaboration there as well, maybe like a Geneva Convention of privacy where we can agree on some basic things just across the board. And then, obviously, there'll be specific things to the area that we can talk about, but I think having something at a high level that we can agree on, and we should be able to agree on a decent amount, I think.
Avishai Ostrin 23:54
Yeah, I think that I think your European listeners would probably point to Convention 108 and Convention 108+, but yeah, I mean, it's, it's, it's a difficult thing, right? Because it, when you're talking about the national level, you have so many different voices in so many different things that are and different people and, and different viewpoints, really because, I started this off by saying that privacy is a human right. Not all the world agrees with that view. Right? You guys in the US. That's not it's not privacy is not constitutional right now, in the same way that it is in Israel or in Europe. And so, it's, even agreeing on the basics, are is difficult, is difficult, but yeah, but interestingly, by the way, when you mentioned collaboration between the private sector and the public sector, the first thing that came to my mind did this context in the context of COVID, it was the Apple and Google contact tracing initiative, which was, which was mind-boggling to me. That was it was struck down by so many governments that weren't willing to adopt it. Because, because it didn't, because what it didn't do is it didn't centralize the data in one central database. And so they said, No, no, no, no, no, we're going to have total control over this information. We're not going to use the Apple Google framework. And those ones, unfortunately, that failed the track and trace. Okay, and the app in your in his pocket, it was developed? Definitely, so so it is. I completely agree with you that we need to see more public-private collaboration. Definitely. Yeah.
Debbie Reynolds 25:52
I think, well that the contact tracing thing with the Apple and Google thing? I don't know. I don't think there's just one reason why people didn't, didn't sort of grasp onto it. I can say in the US, one of the major problems that we have is just the lack, well, just, well, let's contrast. So the tracking tracing capability that Apple and Google had in Israel was, the countries were being able to do on a country basis, where in the US, it was a state basis. So every state, so basically, you're throwing this whole new thing on every state and sort of states didn't want to some did some, some of the states that didn't want to couldn't do, it just didn't have the bandwidth or skill or the money to be able to implement it. So we have a very fragmented system here, because a lot of these efforts are done state by state. And I guess I didn't realize I knew it in some regard. But I didn't realize it. And the way it is now how different the US is from state to state, it literally is like different countries. So I live about 30 minutes from the border of Illinois and Indiana. And I can tell you. It's like night and day when you cross over the border. So I live in a blue state. So we were early state that we pass a law that you have to wear masks, for example, when you're in public places and stuff like that, then I go to Indiana, I was like optional. I just couldn't believe I'm like, I'm 30 minutes across the border. And it's totally different the way they're handling it.
Avishai Ostrin 27:42
And COVID doesn't respect state lines, does it?
Debbie Reynolds 27:47
No, it doesn't respect the state lines. And even when you have brought up the thing about passport, immunity passports, I was talking about people on LinkedIn this time last year, about immunity passports, and it just seemed like it was so distant. Like, it just seemed like it was such a crazy, wacky idea. And we're dealing with it now like this is gonna be a real thing where people aren't going to be able to travel and go to different places if they haven't had a vaccine, or if they aren't wearing a mask, or they can't get social distance, so those things are really top of mind, I think, especially, people like me, who will love to be able to travel again, I'm just trying to figure out how to do it at this point. So yeah,
Avishai Ostrin 28:31
Yeah. Well, if you get your green passport, you're more than welcome to Israel. In the end, all your listeners should feel free. It looks like we're on track to be the first country to reopen again. So yeah,
Debbie Reynolds 28:47
I'll take you up on that.
Avishai Ostrin 28:49
Weather. We can promise great weather. Don't worry about that.
Debbie Reynolds 28:53
My brother adores Israel. So he's been a couple of times, whatever. He's tried to get me there. So yeah, you guys open up. First, I'll definitely be on the list. That's for sure.
Avishai Ostrin 29:05
Yeah, no, I mean, it's, it's funny that kind of, we joke about it, but when, we're just going back to these conversations that I have, everyone that I speak to points to okay, so look how great we're doing, and we're going to be the first open. And it's amazing. I'm honestly I'm super thrilled and grateful to be in a country that has been that has managed to make such great strides and efforts in order to benefit the citizens of the country. But my question is, then, okay, so we've done this, this is great at what price, what was the price that we've paid in the long term, and it's not something that we're going to see now. It's not something that we're going to see yours it's something that we're going to see in five and 10 and 15 years. What is the price that we've paid? In terms of where has the needle? Where have we been willing to move the needle? Where has the envelope been stretched to? Where we're now that this is the new normal, the new standard? And so at what price are we, are we reopening the country? And what's it going to look like going forward? Especially people who care deeply about this privacy stuff.
Debbie Reynolds 30:37
Right? Yeah. Because a lot of times with privacy, and I think this is, I talked about this a lot about sort of software or apps that people use. And I think maybe this analogy holds true in this instance, where the action may happen now, but the harm may be way down the line, the harm it's not immediate. It is delayed in some way. So in some ways, people, oh, this is totally fine. And then, like, as you said, a few years from now, something will happen. And they'll be like, oh well, that was a result of this thing that happened five years ago, and you can't do this. And so you're gonna have to. We have to be able to articulate what the harm is so that people can make informed decisions.
Avishai Ostrin 31:23
Yeah, it's, it's very true. And I think it's also, again, another common phrase that I'm sure you hear very often is, well, what's the big deal? I have nothing to hide. What, why? Why do I care if the government has all of my information? And they all have, they have it anyway. So, so who cares if they have more of it? It doesn't really matter. Or the cousin of that argument, which is, we gave up our privacy decades ago when Facebook took all our data. Who cares? It's all up there anyway. There's no. Your the fight that you're fighting is completely futile. So just you might as well give up. So I've definitely heard those on a pretty consistent basis. What do you say when you hear those kinds of comments, Debbie?
Debbie Reynolds 32:24
It is tiring, you feel like you're swimming upstream, sometimes about this privacy thing, but I think it's worth the effort. I was saying maybe it won't make a difference for me, but maybe it'll make a difference for someone who's not yet born. Maybe they'll have more privacy rights or more agency over our data than we have now. So to me, that's important and is worth it.
Avishai Ostrin 32:48
Right? Yeah, definitely. For sure. I know, I completely agree. I think my kids all the time in terms of what kind of world where we're leaving for them? I try, what I try to do is I try to, I think the most effective way, in terms of responding to some of these kinds of arguments that people have, is just to think of a hypothetical but plausible example. So I was having this conversation actually, with a family member of mine. And she said to me, Well, why does it matter? What's the big deal? If they have information about whether I got vaccinated or not, what, what is it? What, why does that? What information? What are they going to do with that information? And so, I thought about it for a few minutes. And then I said, Well, what if suppose this theoretical example, what if they now have the vaccination information, and they realize, well, because we don't have all the data about this vaccination, but they realize down the line, that there are people that responded better to the vaccination and people that didn't respond this good, let's say, the antibodies were good in people for a year, and then other people for six months, right? And then let's say hypothetically, that we have a mutation of this virus that doesn't respond well to the antibodies, and we all have to get vaccinated again, let's just say that you this was I was talking to my family member, let's say that you were one of those people who the vaccination only worked for six months. And so they said to you, well, we much rather vaccinate the people who worked for a year, we'd much rather vaccinate them first, because they'll have a longer amount of time that they can be out and about in public. So you go and wait until the end of the line. How would you feel if that were you? I think it gave her kind of pause, and she had to think about it. And she said, actually, that wouldn't make me feel so great. So it's just one completely hypothetical example. 
But it shows you how we need to be responsible for handling this information. And it can't just be the case that every single, every single person has access to all the data because even people who have our best intentions at heart can sometimes make mistakes or make decisions that aren't in line with the values we believe in. And so those are the things that I think we really need to be careful of. And as I said, as I said in my article, and I said before, these are conversations that need to be had, and they're not being had, and that's the disappointing and upsetting part to me.
Debbie Reynolds 35:55
Yeah, yeah. Well, we're getting at the close of our time, I would love to, and maybe you've already sort of sprinkled us with some of this information already. But if there was one thing, according to Avishai, that you wanted to happen in the world related to privacy, what would that be?
Avishai Ostrin 36:13
Oh, wow, I only get one, Debbie. Are you only going to give me one?
Debbie Reynolds 36:17
Well, you can what, I've had some people who've done two or two, three or four. So you have more than one? I'm happy to listen.
Avishai Ostrin 36:24
Okay, no, no, listen, I think that on this topic, I'll just say it again and kind of drive the point home. Because I think it's really, I think, I think the number one key thing that needs to happen in this area of privacy versus COVID versus government legislation, is we need to realize that privacy, we need to let the privacy pros in the room to have the conversation. I think that one of the impacts that legislation like GDPR, and CCPA, and the new Virginia law and LGPD and all of the other legislation and the Canadian bill that's come into force in the last few years. One of the amazing things that that one of the transformative things that that those pieces of legislation have done in the commercial context. It's let it's elevated the role of privacy professional to become a board-level issue. And I think, if I'm kind of drawing a parallel from the business world to the government world, we need to re-elevate privacy to the equivalent of board-level decision-making in national governments. It needs to be something that's talked about and let into the room so that these concerns and these issues are heard and spoken about and considered, as you said, not just for our sake, but for the sake of generations to come. Because once you open the floodgates, once you move the goalposts, they're not going to move back. So, if there's one thing that I would, I would hope for is let privacy pros in the room. Yeah, the room where it happens to, to quote, Hamilton. That's right in the room where it happens. That's right.
Debbie Reynolds 38:38
Well, thank you so much. This was fantastic. Again, I really love your article. People should go on LinkedIn and connect to our website and look at his content. It's quite good. And you always have really interesting things to say. Congratulations on your new role. I'm sure we'll be looking for you, as always, for interesting things to talk about.
Avishai Ostrin 39:01
Thanks so much. And thank you again for having me on, Debbie. If anyone, everyone should also check out Debbie's stuff, which is, which is also amazing. Videos are short videos are great people. When you're tired of seeing my writing. Go and check out these videos. They're always very informative and very, very helpful.
Debbie Reynolds 39:22
Well, thank you so much, my friend, and we will be in contact. I'll talk to you soon.
Avishai Ostrin 39:27
Absolutely. Thanks, Debbie.