In this episode of On Point with Korem I sat down with Kevin Pomfret, a lawyer with Williams Mullen but also the director of the Center for spatial law and policy. Kevin is one of the few people in the legal profession that has studied the implications of geospatial technology with respect to licensing, data privacy, intellectual property, and regulatory issues. We cover a tremendous amount of ground during this conversation so if you’ve had questions about the legal constraints around data use as well as personally identifiable information, drones and even the impact of Apple’s iOS14 release, you won’t want to miss this podcast.
Joe Francica: Well, Kevin thanks for doing this and I’m sure there’s like a ton of places we can start with regard to spatial law, just because of the things that have even been in the news, but really what I wanted to focus on, some of the things that your practice is working on, and just maybe what are the top three legal issues confronting private companies especially with respect to geospatial data.
Kevin Pomfret: Yeah, thanks Joe, I appreciate the opportunity to talk about this and it’s interesting I periodically go back to the blog I started about 10 years ago that I actually no longer keep up to date, as unfortunately a lot of people have done with blogs, but I go back and look at what some of the top stories that I wrote about then and where we are now and it’s really quite amazing how much the legal regulatory landscapes have changed around geospatial information during that time and I guess it makes sense if you think about it with respect to how the technology has evolved and the applications are developed. I think for me the three issues that I see most regularly are; one, just licensing of geospatial information for products and services in general whether that be on the commercial side or with government agencies just working through those issues. Both from an intellectual property standpoint but then also as you start to…the way I think of a licensing agreement or a data sharing agreement, where the rubber meets the road, on a lot of these legal issues because it’s more than just a transfer of intellectual property rights but it’s also an allocation of various risks associated with the use and the collection of the data and for instance around privacies. Who’s going to be liable if someone’s privacy is violated or infringed upon? So that’s why a license agreement is certainly where I’m spending a lot of my time. Privacy data protection and what I would argue is sort of cyber security, which is what I would argue is the flip side of data and privacy, is probably the second big issue, and that’s growing in importance. And then the third are; the regulatory issues around the various sectors around how data is collected and used. So, for instance, if it’s satellite data dealing with the licensing regime associated with that, if it’s drone data, the regulatory issues associated with drone data. If it’s mobile data, the issues around that from a regulatory standpoint. So, those are really the three big ones that I see most regularly.
JF: So, let me pick up on that topic of terms and conditions. It’s a topic that we face a lot because we do a lot of contracting for our clients because we have a lot of data partnerships. It seems like once you have figured out that you want the data, that looking at the T’s and C’s is kind of the last things that you pay attention to, in particular to the derivative data, that if you’re buying even commercial data that you want to use but then you want to do analytics on its that derivative data that kind of gets people stuck in the T’s and C’s, do you see that much?
KP: Oh, I see that quite a bit. Geospatial data is meant to be shared with other people and it’s meant to be aggregated, as you know, Joe. Many of the products and services that are developed around geospatial aren’t just from one source but it’s a variety of sources and increasingly those sources may come from government and commercial and then even from the crowd, right. And so putting all those together from a derivative product standpoint can be a real challenge and so yes, thinking through those and then understanding what intellectual property protection may be associated with the different data types, in addition to the contractual ones, is really important. Now, if you’re just going to use it internally for internal business purposes, that’s a relatively easy one to resolve but as we said, data is meant to be shared and often that’s with the customers or the public or with other business partners and that’s when you start to get into some of these really hairy issues.
JF: Yeah, and in particular, and I certainly don’t want to name names, but we run into issues regarding persistence of data beyond what its intended use for, in other words, you use it once and then it goes away but a lot of people want to persist the data throughout the database. So as you say, it can be shared. So yeah, well I can certainly see where those issues would come to the forefront if you’re not paying attention to the T’s and C’s. Let’s go to the issue of privacy because that seems to be one that percolates a lot into people’s mind share and in particular, tracking. Is this an issue that really come more into the mainstream at this point and what are the kind of the legal and technical changes that this might portend?
KP: Yeah, that’s really interesting so, if you, by saying if it’s in the mainstream, whether it’s top of mind of a lot of people, I would say yes it is. I think more and more, and by that I mean sort of the legal community in the policy community and in the business community, I think in the conversations I’ve had even over the past several months, there does seem to be a lot greater sensitivity associated with location information and how it’s being used and what the privacy and data protection issues associated with that. Having said that, whether I would not say that the legal framework around data protection and geolocation privacy has by any means reached its full…fully fleshed out, I think that it’s still evolving and frankly in the very early days, and you can see that if you track geolocation privacy from GDPR, the European data protection law, and then you look at CCPA, which is the California law and then the Virginia recently passed the Virginia consumer data protection act, and just how location data is defined and how it’s used, and the impact that it’s going to have on various organizations is evolving and so I think it’s going to be increasingly challenging and increasingly important to understand those distinctions and build those into your workflows.
JF: Do you see something like CCPA…you said that you saw a law passed in Virginia…do you see that being adopted as kind of a legislative framework for other states and you will see more of that?
KP: So, the legal profession is in the policy and regulatory profession, is like many other professions, in that you get a form and then you adopt it pretty easily. You use it as a form to adopt to other matters. the GDPR, CCPA are all based on frankly privacy principles that array that arise back in the 1970s. Issues around notice and consent and sort of a whole litany of things that you need to do, sort of for best practices, and what these laws are doing are trying to implement those into a legal framework. So, they’re all based on that and from that standpoint GDPR, our CCPA and Virginia consumer data protection act, all have sort of the same basic framework. Where you get into the difficulties is the nuances around definitions and some issues around what does consent…So yes, you need to get consent but is it affirmative consent? Is it opt-out consent? What does that consent apply to? What’s the definition of geolocation information? When do you do need to do a data processing or data privacy assessment to determine how you’re using it? Those are the differences that you’re seeing between the different laws and then different definitions; controller and processor are used and with respect to this GDPR and the Virginia consumer data protection act. CCPA has a little bit different definition although the phrases or the terms are basically the same.
JF: Okay interesting. Yeah. One of the things I wanted to ask you about, because it actually does relate to some consumer protection, is the use of telematics and in particular by property and casualty and particularly auto casualty insurance companies. This seems to be an area where there may be pitfalls at every turn and there may be some reluctance to use some of the telematics data collection and the trade-off that you would get, if you used it, in order to get a lower rate. I have never used one, I know that in Europe it’s a little different, sometimes they’re requiring that. I mean, what do you see in terms of the PII implications, issues related to data breaches that we see more and more of? What sort of stands out to you with the use of that technology?
KP: So I’m going to take a step back because I think the question you ask highlights the thing that you and I have been talking about maybe for 10 years Joe, if not longer, which is; even if you’re not subject to a privacy or data protection law in your business environment or you’re not subject to it now, in many instances either your vendors or increasingly your customers will be subject or believe they’re subject to that, and what that means is you know all the wonderful applications that people see around the way they can combine various types of geospatial information for these great products and services that you see are going to be difficult because either your vendor or customer is going to have a regulatory framework they’re going to need to address, right. So, in the telematics field you’ve got law regulations and best practices that are developing around those industries that may not take into account some of the other benefits that you can get another value that can be provided because they’re just trying to protect their, you know the risk that they’re facing, right! So that’s the challenge that that we’re seeing. And I understand it, right! I think if you’re in the telematics business you’ve got a certain thing that you want…certain reasons you’re using this data and you’re trying to protect and make sure that you’re not increasing your risk associated with other people using it in ways that might not comply with those regulations. So, I think that’s a real challenge for the geospatial community in general. It’s being adopted in other technologies and other applications, each subject to their own regulatory framework, their own business models. Some of that data may not be as easily used as I think some folks in the geospatial community thought it could be or would want it to be used. And that balance, I think, is going to be really, really important going forward in trying to determine how you can use the data in ways that enhance the value but also protect the privacy or there are issues around data quality as you and I have talked about before Joe. Just because a data set can be used for something doesn’t necessarily mean that it should be used for something. It may not be accurate enough, precise enough, timely enough, so how do you balance that in a legal document? So, there’s a host of issues. I think we’ll get there eventually, and they’ll be sort of a common understanding both from a business and operational and legal background or legal perspective but I think there is going to be some unease and messiness along the way.
JF: I remember…again when we first started talking about privacy issues, a lot of it had to do with almost generational acceptance of providing your location information and, of course, when you know the applications were developed for mobile devices there was more hesitation on the part of maybe older people, less so with the younger generation, I don’t know whether that’s changed or not? And part of that, I think, has to do with the recognition of Apple iOS 14 allowing you to change your location preferences and hide them where it’s necessary and of course, that’s caused the big stir with some of the other social media platforms. So maybe the first question is, do you still think those generational gaps exist and second, we’re certainly more aware of the location privacy issues on mobile devices and whether that’s changed over the last few years?
KP: I still think location privacy is very different than other types of data that we consider to be sensitive, like our person financial details or medical information. I think location in general is a lot more complex and nuanced. I think there’s a generational component. I think there’s probably a gender component. I think whether you grew up in a rural community or an urban community, you probably have a different sense of what your location privacy is. Religious components to it, as well. I mean there’s a level associated with location privacy that we still haven’t grappled with yet and I think it’s going to make it an issue with respect to lawmakers and regulators because I think that inherently privacy and data protection is a trade-off between public good and private risk and that will vary between groups of people and trying to find a law that sort of threads that needle, I think is going to be really, really difficult. We would never give anyone, or I wouldn’t give you my credit card information or my health records, but you know I could share with you my location and not worry about it but that’s changing right. So ,I think that differences are still out there. I think it’s interesting to me that in some ways, like you said with Apple, it’s more industry that’s taking and it’s the big companies that are dealing with this issue in terms of kicking people off their apps or taking measures so they can’t collect data well ahead of at the federal level, what the government is doing at least here in the United States. And, they’re doing that for reputational risk, they’re doing that for their own liability risk as well. So, there’s a lot of factors in play here. It’s a difficult environment for businesses that are trying to sort of figure out how to do this and what they can do and the solution isn’t just a legal one, it’s a technical. You can make technical changes, you can make operational changes, you can put practices and policies in place but you need to understand the lay of the land and where it’s going in order to try to mitigate the risks in a way that’s satisfied. Whether it be regulators or industry partners.
JF: Yeah, so you just raised an interesting question which is, we certainly have the ability to control more of our location privacy. There is a certain additional awareness of location privacy because of mobile apps and also, we know this data is being collected and so I have to think that companies who are collecting data, and we’re and they’re all collecting some level of data, and in particular it seems to always be tagged with location. This has got to put more focus on what companies are doing with this data because location seems to bubble to the top almost immediately. I mean if you’re collecting sensor data off an app, you automatically get it tagged with some latitude or longitude. So it’s not just the data is there, it’s the volume of data that now we’re collecting and I just have to believe and maybe you have a perspective on the fact that….have to realize what they’re dealing with, when they may not have had to deal with it previously.
KP: I think that is the case. I think there is just the volume of data and the power of the data because once you’re able to link one data set to a location you can link other data sets to a location and it can be used for a variety of purposes and, so yeah, no, it’s a real challenge and I think until recently it’s fallen more on the technical and the business folks but I think it’s increasingly incumbent upon the operational folks and the legal regulatory risk management folks to understand how that data is flowing through an organization? Who has access to it? Who they’re sharing it with? When it’s being deleted? All the things that’s been done with other types of data? For a while financial health records but I think the issues around location data are rising to the foreign for many companies.
JF: Yeah, and when I think of some of the applications around identity resolution, whether that’s for potentially good purposes like fraud detection and no-fly lists, that’s one thing but it also percolates into area of consumer data where you’re just trying to sell them a different type of a product, but we’ll be talking to another company that does identity resolution, but this is exactly to your point you know you’re linking data from one point to another and it raises all sorts of issues.
KP: It does and but that’s the beauty of it, right! I mean, that’s why it’s such a powerful tool! And, this community has worked hard to sort of get it into the mainstream and to do some of these things but it’s caught the recognition of a number of lawmakers and regulators and what they don’t have is an appreciation of the nuances in the types of location data that you can collect and the accuracy and the precision and frankly the trade-offs between; if you stop using the data for X that means, that means you can’t use it for Y! And Y may be very important to a particular individual, a group of individuals. So making sure you can educate the consumers. Sure I get the apps notices when I turn on an app about do they want you to collect location information and a lot of them are pretty obvious that I don’t need them to, right. But there are probably some that if there was a broader explanation and explained why they were collecting it, then maybe it was would be a little bit more nuanced. But you know notice and consent on us on a smartphone in a “yes” or “no” environment, it’s really hard as a lawyer, it’s really hard to articulate that to the customer, right, and that’s the challenge.
JF: Yeah, one last question before I let you go. It’s been a great discussion, but I have to ask you about drones. It just seems like we’ve become a little bit more lenient to how we allow commercial operators to fly drones. It just seems to be a pandora’s box to our wonderful litigious society but the use of drones and package delivery and emergency management and public safety agencies it’s just exploding at this point. What are you seeing? What challenges are out there and have you seen anything lately that maybe is causing concern in the legal community?
KP: So, I still think and I understand the basis of the question, and I do think there’s been broader adoption of drones particularly over the past couple years but it’s still a very heavily regulatory driven process involving the FAA for many of the type of activities that you reference. Particularly on the commercial side, so the FAA is working through their process and they’ve got some technical and operational issues they’re trying to address but I don’t see the broad adoption yet. Like, I’m not seeing drones flying down overhead or delivering packages here and I’m in the DC area so there’s some concerns around the airports that are close by and national security concern. But I think we’re still a ways away from where those…the privacy concerns associated with drones are gonna surpass, sort of the regulatory air traffic management type issues. But I do think that a drone is simply a platform, right. It’s the sensors and the data that’s collected and how it’s used is the real challenge associated with that and so, for instance, particularly when you start looking at government use of airborne sensors, whether it be from manned aircraft or drones, there’s some recent developments under privacy law. There’s a case, the carpenter case, in US that the supreme court, I think it’s been a couple years now, I apologize I have Covid brain when it comes to what date it was and how far back things go, but it was several years ago there was a carpenter case and then just a couple months ago there was a fourth circuit case that basically said that law enforcement needed to get a warrant in order to do surveillance using manned aircraft and then using other data associated with that to track individuals movement. So, I do think that in the drone space, particularly for use by law enforcement or government agency, there’s an evolving duty, an evolving set of laws and regulations that are going to need to apply before government agencies are going to be able to use that data because even if you’re using it for a purpose that isn’t associated with surveillance, or if you are surveilling an individual, if you’re just surveilling a location for security purpose or other reasons, I think your lawyers are going to look at cases like that and say, “Why are we doing this? Do we have the right to do it? Can we..do we have policies and procedures in place to mitigate any risk of violating an individual’s fourth amendment rights.” So, I think that’s probably going to lead the privacy discussions around drones initially until we have broader level of adoption on the commercial side. And then, I would expect, and this is more probably more than unintended, if we don’t have federal privacy law, federal data protection law that covers that, I think you’re going to have a patchwork of state laws that are going to require you. So Virginia has a different law, then Maryland will have a different law, and that’s going to make adoption for some of these broader mapping purposes. For instance, or surveillance purposes using drones will be a challenge.
JF: Great. Well, thanks Kevin. I guess we’ll leave it there. Really appreciate your insights on this and maybe we’ll have a discussion down the road as these things develop. I really appreciate your time in giving us the legal point of view on geospatial technology.
KP: Yeah, I’ve enjoyed it, Joe. Always good to catch up and we’ll talk soon.
JF: Okay sounds good. Thanks again for joining us on another On Point with Korem and don’t forget to subscribe where this podcast is posted whether that’s Apple podcast, Google podcast, Spotify or YouTube, and if you like today’s podcast please leave a comment in the comment box. Join us again for another episode of On point with Korem, where we’ll get On point.