Podcast Ep 171: Acclaimed Irish tech lawyer Jeanne Kelly from Browne Jacobson explains why stringent data protection measures make business sense.
Kelly, founding partner with Browne Jacobson in Ireland, talks about why data regulations matter to SMEs and multinationals and why, six years later, GDPR is still only finding its feet in the business world.
Kelly joined law firm Browne Jacobson last year to spearhead the opening of its Dublin office.
Browne Jacobson is a full-service UK and Ireland law firm that employs more than 1,000 people, including more than 450 lawyers, of whom more than 150 are partners. For 2022-2023, the firm posted a record turnover of £105m, reflecting year-on-year growth of 12%.
Digital capital of Europe
I encountered Kelly many times in the past at a myriad of tech events, including various Google Startup Weekends where we served as judges. Her enthusiasm for entrepreneurship and curiosity about tech, allied with an affable yet no-nonsense “get it done” approach, kept everyone focused.
From protecting the IP assets of start-ups to steering through complex mergers and acquisitions to navigating complex data privacy matters for some of Ireland’s biggest tech employers, Kelly is at home in the dizzying world of intellectual property, patents and GDPR.
Prior to taking on the founding partner role at Browne Jacobson in Ireland alongside Ciarán Markey, Kelly was head of Technology and Data Privacy at LK Shields. Before that she worked at Mason Hayes & Curran and prior to that at A&L Goodbody in tech and IP law roles.
Ireland is in effect the digital capital of Europe because of the concentration of HQs of digital giants here, and this also puts the country at the centre of some of the most important developments of our digital age.
Unless you’ve been hiding beneath a rock, you cannot help but be aware of Facebook owner Meta being fined €1.2bn by Ireland’s Data Protection Commissioner and being ordered to suspend the transfer of user data from the EU to the US. It is precisely because of these legal wrangles that the entire EU is currently unable to access Threads, Meta’s Instagram-based rival to Twitter.
However, a new trans-Atlantic agreement to allow for personal data transfers may remove this barrier.
At the heart of all of this is Europe’s GDPR (General Data Protection Regulation) law which came into being in May 2018.
As Kelly points out, the origins of GDPR are deeply rooted in recent history.
“There is a German law concept of informational self-determination that, in the information about you as a person like whether you’re married, or whether you’re single, or where you live, or who you work for, what you buy, that all of these things that surround you as an individual are things above which you have rights. Now, they’re not unlimited rights, you don’t have a right to control what other people’s opinion is of you, or to rewrite things about yourself. But that your reputation, if you like, and what is contained about you on other people’s systems, and for very obvious historical reasons. That informational self-determination is a very core part of German law, it has been exported into European law, and adopted with gusto. I have to say it has now become culturally accepted broadly across Europe, whether you’re a civil law or common law country, most famously through GDPR.”
The obligations imposed on businesses by GDPR require having systems in place to record what you do with that data and whether you have consent from the subjects, and to be able to show this if your respective data regulator requires it. “How do you ensure that you don’t hold onto information longer than you should, who has access to it. These are quite simple things.”
She says the purpose of the record fines is to be effective and persuasive. Businesses that are used to investing in compliance and governance will view it as just another spend and set of regulations to stay on top of. Others have had to learn fast and put new systems and personnel in place to meet the rules or otherwise risk paying a fine of up to €10m or 2% of turnover, whichever is higher.
For those who may grumble about GDPR and why it matters in Europe in particular, Kelly says you only have to cast your mind back to the rise of Nazi Germany in the 1930s to realise what can go wrong if the wrong people have the right information.
“The core of it goes back to 1930s Germany, which had near flawless records about what ethnicity people had, their religion, so that when the Nazi regime took hold they could target people, sadly, very, very effectively because they knew who they were, where they were and that core underpins all of these practices,” Kelly said.
Privacy in the age of cloud
I put it to Kelly that many businesses these days are dependent on cloud systems that don’t reside on their premises. Many simply pay a subscription fee to giants like Google, Microsoft or Salesforce. They trust their data is safe but ultimately it sits in a data centre somewhere in the world.
For Kelly, that’s no excuse for not knowing where the data is. Firms, she says, still need to do their due diligence and have data protection officers who can answer if a regulator comes knocking.
“It could be down to the nature of the data. So, if you are a medical information company and you’re doing clinical research, there’s a higher standard that you have to apply.”
We’ve had GDPR now for six years and, as well as having to comply, these same businesses are also dealing with a spiralling level of cyberattacks, ransomware and data breaches. As the HSE cyberattack demonstrated in recent years, it is, quintessentially, a perfect storm for privacy. I ask Kelly: can you be liable if a hacker breaches your systems because a colleague fell for a phishing attack?
“As the famous lawyers say, it depends. Yes, in principle you can be liable. And you can be liable even if you provide relevant training.”
She pointed out that you can put in place every precaution and still the hackers might get in.
An added pressure for businesses is to ensure they notify their respective data authority within a stringent time frame. “This can be a difficult process, especially in the bigger companies, because to make any kind of notification to a regulator is a very serious thing. Being accurate and fast is very difficult.”
The full picture
Kelly said that what attracted her to the role of founding partner at Browne Jacobson is its end-to-end capabilities for serving clients who range from local entrepreneurs to some of the biggest FDI investors on Irish soil.
“I was really keen to join a practice that had what my co-founder Ciarán Markey and I call an end-to-end service where you are looking at the documents, but you’re also looking at what happens if this goes wrong? Who’s liable? Which courts are going to have jurisdiction over the losses that may be calculated in this? Are there third parties who can contribute towards the loss? Are there third parties who can help me if I have to go to the regulator and say ‘oops, we’ve had a data breach.’
“So I was very keen to have this integrated end-to-end contentious and non-contentious blended together team. I’d seen it before in the past where I’ve worked on a team like that. And I was eager to get back to it. I have a lot of American clients; they work that way. They look at the issue and expect to have a litigator on the call. Whereas in Ireland, traditionally, in the biggest law firms we divided ourselves along the lines of contentious and non-contentious. Whereas clients don’t care about that. They want the issue dealt with in the end.”