Podcast: Emily Yu on Privacy and the Future of the IP Law Section

David Lizerbram: Hello, and thanks for tuning into Intangible Assets, a podcast by the intellectual property law section of the California Lawyers Association. I’m your host, David Lizerbram. The California Lawyers Association is the bar association for all California attorneys. Our mission is to promote excellence, diversity, and inclusion in the legal profession and fairness in the administration of justice and the rule of law.

David Lizerbram: Okay, so in this episode I’ll be talking to Emily Yu, who’s the privacy director at ROBLOX, where she advises and assist the company with compliance on existing and emerging data protection and video game regulatory requirements. She’s also the incoming secretary for the intellectual property section of the California Lawyers Association. We talk about Emily’s background, privacy law, and GDPR and other hot topics, and the future of the IP section. So, here’s the interview. Enjoy.

David Lizerbram: Emily, welcome to the podcast.

Emily Yu: Thank you for having me.

David Lizerbram: All right, so let’s first do a little getting to know you, tell us a little bit about where you came from and how you got into the law and then privacy law specifically.

Emily Yu: Sure. So, I’m actually originally from Colorado and I used to work in information security and IT area. I used to work for the United States Department of Agriculture for a short period of time and some friends had convinced me essentially to look at law school as a potential career change opportunity because I was getting bored with what I was doing. So, I looked at a few schools and saw that Santa Clara University had a really outstanding intellectual property program and thought it’s similar to my interests but not entirely. But I went ahead and applied and got in and started doing a lot of work in intellectual property, but then found that it wasn’t entirely aligning with my previous information security interests.

Emily Yu: So right before my 3L year, Eric Goldman had announced that SCU had a new privacy law certificate program, and so I went and talked to him and was able to figure out all the requirements and get it completed within my very last year of law school. And from there, I basically fell in love with privacy law. I interned at TrustArc, which at the time was called Trustee. Talked to a lot of different companies and dealt with their privacy programs. I took classes from some pretty notable folks, including Dorothy Glancy and Scott Shipman, who used to be the CPO over at eBay. And they provided a lot of really great insights as to what the industry was like. And yeah, that’s basically how I got into privacy.

David Lizerbram: And what was the nature of the privacy certificate program?

Emily Yu: It was a combination of things. So, you had to have several different types of courses, including like advanced court and criminal procedure. And then you also had to have an internship that was privacy specific. So, it couldn’t be just like your typical corporate counsel type internship. It had to focus on privacy predominantly. And you also had to pass a CIPP exam, and then also publish somewhere. And so, I ended up getting published on the IAPP’s website on an article regarding a court case. Now that I’m thinking about it, I can’t even recall what court case it was on. But yeah, so there are a number of things you had to do just to show that you are very deeply invested in privacy law and being part of that field and and getting to know the people who work in that field. And so, it was a very practical certification program.

David Lizerbram: And it sounds like that was helpful in terms of you getting out of law school and getting into the career.

Emily Yu: Oh yeah, absolutely. Because it kind of forced me to do the internship, forced me to become more familiar with the IAPP, which is the International Association of Privacy Professionals. And that’s like the big association for all privacy professionals globally. And so that year, it was actually held in San Jose. So, I was able to attend as a student and get to know a lot of the people in the privacy space. And yeah, basically as an example, also like Dorothy Glancy’s class was a seminar, if I remember correctly. And she had a number of guest speakers coming from different areas of privacy law. So it wasn’t just focused on data privacy, it looked at other types of privacy like body privacy as well.

David Lizerbram: Interesting. And how did you come to work for your current employer, ROBLOX? Or is it ROBLOX?

Emily Yu: ROBLOX.

David Lizerbram: ROBLOX, okay.

Emily Yu: Yeah, so currently I’m the privacy director at ROBLOX and I spent a couple of years working as the lead privacy counsel over at CA Technology. And prior to that, I worked at TrustArc as a global privacy manager. So it’s kind of like an evolution of moving from helping companies with building up their privacy programs, and doing a lot of privacy operationalizing there, to shifting in house and then jumping into like another in house position.

David Lizerbram: So, what types of privacy issues does a video game company like ROBLOX face?

Emily Yu: For the most part, video game companies are just like every other company. You have to deal with the general privacy issues such as complying with GDPR or the new California Consumer Privacy Act. But in addition to that, we also have to take time to balance our interest in privacy and protecting personal information alongside safety. And so in terms of safety, we’re looking towards keeping data for particular reasons, with respects to protecting bullying or threatening behavior on our platform. And that sometimes can contradict at least go head to head with privacy principles, such as data minimization. And so, that’s kind of what we have to deal with on the day to day, is trying to balance those two out.

David Lizerbram: And could you give an example of how you’ve addressed one of those issues? Specifically, working in house and dealing with your client, who’s your employer, and making sure that the company’s priorities are aligned with the needs of privacy law.

Emily Yu: So, let me see. Well, one of the things is like COPPA obviously applies-

David Lizerbram: And COPPA… In case people aren’t familiar with it, COPPA is the Children’s Online Privacy Protection Act, is that right? Or something like that.

Emily Yu: Yes, that’s right.

David Lizerbram: Okay.

Emily Yu: So, it impacts kids that are under the age of 13. And so if you’re a company that ends up collecting information on children under the age of 13, you need to basically first off like disclose the information you’re collecting, disclose who you’re sharing it to. All of that can be found in the privacy policy online. And you have to be very careful because it’s not just kids in the United States, it’s kids globally. And so, one of the things that they’ve done actually prior to my being here, because I’ve only started about a month and a half ago, is that they have this really advanced chat filter that filters out a lot of content, including any types of pieces of information that may appear to be personal information. So, if something seems like it could be a name or an email address or a physical address, it basically hashes it out.

Emily Yu: Also, curse words and profanities, that’s also hashed out and it’s a pretty strict filter for those that are under the age of 13. We have like different types of accounts based on age. So, one kid that might be 13 or 14 will have a slightly different chat experience than someone under 13, but we also wanted to make sure that their playing experience was ultimately the same. We just want to make sure that we have safeguards in place to protect those children.

David Lizerbram: And do you hear from parents or other people involved with the welfare of the kids that are on the platform and how do you incorporate that kind of feedback?

Emily Yu: I personally don’t have direct contact with parents by any means, but we tend to work really closely with parents and with other external groups that are involved in like the video game area and also in areas that protect children and like prevent child exploitation, as well as like different agencies and law enforcement. We have a basically an active role or an active participant in those areas. So, we have different folks in our company that will go to specific conferences that are related to that and talk about the ways in which we can further protect kids. So, one example of that is I know there was like a recent online harms paper from the UK. We’ve had folks that went out to the UK and spoke with those regulators to see what are their plans, in terms of practical operationalizing of the things that were mentioned in the online harms white paper. And so, we just want to make sure that what we’re currently doing aligns with that and is also like protecting those kids in the best way we can.

David Lizerbram: And I think probably the privacy law that got the biggest news in the last few years is probably GDPR, which is something you’re quite familiar with. So, it’s been about maybe a year and a half or something like that since GDPR went into effect. Can you give a thumbnail of what’s happened in that year in terms of how companies have gone about implementing it and what we’re looking at in terms of enforcement actions? Both in terms of the larger companies and whether they’re looking at small to medium sized companies as well from enforcement.

Emily Yu: Sure. I think that what’s really interesting about GDPR is from like an external perspective, it might seem like okay, it’s there, it’s done. You just have to follow it and that’s all you need to do. But when you’re working in the privacy field, it’s still like ever evolving somewhat because we’re seeing like the results of a lot of the court cases that have been determined against several companies. And that helps us figure out ways to fine tune operationalizing a lot of the requirements there. Another thing too is that even though GDPR does cover like the entire EU, we still have to consider that member states has specific derogations. So, something that I’ve experienced while dealing with GDPR is that you still have to have someone, like an external counsel with boots on the ground within specific countries, to provide advice with regards to certain types of personal information.

Emily Yu: So one example that came up, not here at ROBLOX, but at my former employer, was that we were looking at the national identifier in France. And because a lot of global companies use cloud based systems, that information is going to be accessible worldwide, just as kind of a given in terms of the type of system it is.

Emily Yu: And national ID for France, according to GDPR alone, it should be okay as long as some type of like transfer mechanism that’s lawful in place to transfer that. However, they found that there’s not really a legitimate reason to do any type of transfer of that particular piece of data. So, unless we hadn’t asked external counsel with regards to that particular piece, we wouldn’t have really known just from reading GDPR alone that it wouldn’t have been okay to transfer that one piece of data.

Emily Yu: So things like that, those little type of nuances that may occur among the members states and among like the cases and how they’re determined. Also, like recently another example is with the Facebook like button. There was a recent court case that came out and the decision was that when you have that like button, in certain circumstances, your company would be considered co-controller with regards to that information, even though that’s being carried out to Facebook.

Emily Yu: So yeah, it’s really been pretty interesting because of the fact that, again, a lot of people think it’s really a static. It’s been done. It started enforcement in May 25th, 2018 and that’s the end of that. But really May 25th, 2018 is when everything started going for GDPR. And so, we’re going to probably see a lot more with regards to interpretation of that within their court system to see how much more we need to change or update what we’re doing for compliance.

David Lizerbram: That makes sense. And one thing I’m getting from you is a real sense of all the different complexities and scope in terms of what companies are facing as far as privacy laws. So for a practitioner, an attorney who’s working with either a small startup or has just come in house and trying to get up to speed on these kinds of things, are there resources you would recommend? Because there’s just so many things to think of and a less established company or somebody who’s just getting up to speed isn’t necessarily going to have boots on the ground in all the different countries and might not be up to speed on all the nuances.

Emily Yu: Yeah, that’s I think one of the best types of resources is if you go to like the ICO for the UK or like the CNIL for France. They actually have really great websites that have a ton of different resources on building data protection impact assessments and conducting privacy by design and doing all these kinds of things that are required. And then, you can see some of the nuances involved with what their advice is on that. The IAPP has a great website that has a variety of different resources. When we were all busy working on GDPR compliance prior to 2018, they released a top 10 operational impacts series that is super helpful and even discusses some of the nuances of the derogations, which of course at the time they didn’t have a listing of.

Emily Yu: I think I want to say Latham and Watkins has actually like a chart with all of the derogations from the member states that have at least declared them. So, that’s another really great resource for those that need to just find out what might be the differences that they maybe need to take a look at.

David Lizerbram: That’s super helpful. Thank you. So, let’s pivot to the IP section, the organization behind this podcast. How did you first get involved with the California Lawyer Association IP section?

Emily Yu: So funny enough, I had a couple of really close friends from law school that had been participating with the IP section since like the moment they graduated and they did a lot of volunteer work, especially with particular interest groups and entertainment and sports law. And so, they had heard that there was a space opening up for technology, internet, and privacy. And so they were like, “Well, we know somebody who works in privacy, let’s ask if she’s interested.” And so, that’s how I got hooked in was through the technology and internet privacy interest group, which has been fantastic because then I started attending the quarterly meetings that the executive committee for the IP section has and got to know a lot of the people in that section. And really enjoyed the programming, the educational programming as well as the networking that we’ve pulled together. And so, I started volunteering for other things such as the marketing team as well as the social media group and have been doing a lot of random work there. I also volunteered to help draft the CLA’s new privacy policy. And so through just doing all that volunteer work, I really came to love being with the IP section.

David Lizerbram: And about when did you get involved with section?

Emily Yu: I’d say about three years ago I think.

David Lizerbram: Okay. And what are some of the programs… You’ve attended obviously the various institutes and so forth. What are some of the programs that first you got involved with and found to be valuable?

Emily Yu: For sure. Like the IP Institute, I think my first one was a few years ago, got involved with that. I moderated a panel there and put together a panel on GDPR, which was really timely then and that worked out really well. I’ve attended some of their other functions too, like they do trademark office comes to California as well as the copyright office comes to California event every year. And they’re major hits. It’s fantastic if you’re involved in those fields. One I wish I went to but wasn’t able to attend is that they do an entertainment and sports law type conference every other year, and so that’s going to come up in summer of 2020 and I’m really looking forward to that.

Emily Yu: And I also helped chair the IP and the internet conference that just passed this past summer. Again, fabulous programming, had really amazing speakers that provided really practical advice with regards to dealing with social influencer clients and dealing with some of the new copyright changes and things like that.

Emily Yu: So, one thing that really surprised me too is that for our own interest group, the technology, internet, and privacy group, every month we try to bring on a guest speaker to talk about something in that field. And when I first started the IP section, I was very much like focused in on privacy entirely. But now I have a better understanding of internet and technology law, which came in very handy when I started working at ROBLOX because I’m looking at more than just privacy. I’m also looking at other types of regulations for video game content. And I just felt like, wow, if it wasn’t for the fact that I was in this interest group, I really wouldn’t have had this whole other piece of the law that I needed to know for this position.

David Lizerbram: That’s fantastic. And you are the incoming secretary for the… You’re the incoming secretary for the intellectual property section. When does that term start?

Emily Yu: It should begin just after the IP Institute in November of this year.

David Lizerbram: Okay. Well, congratulations.

Emily Yu: Thank you.

David Lizerbram: And looking at the future, what do you think the IP sections priorities should be over the next few years?

Emily Yu: Definitely recruitment, especially in terms of new attorneys that are coming out. I’m hoping that we can partner more actively with the CYLA, and then also working on improving our marketing and social media communications. I think that that’s going to be really important as we’re reaching out to more members. I also think educational programs are always going to be a very big point of importance for our section.

Emily Yu: And so doing that, continuing the programs that are tried and true, such as the IP Institute and also working towards more cross-section collaboration. I’m also co-starting a privacy working group with some folks in the antitrust sections and business law sections. So, that’s turning out to be really great so far. And then finally, I’m also looking at some more social events and networking opportunities. And this past summer, we had a great statewide mix and mingle event where we basically had a bunch of different locations throw a mix and mingle networking event at the same time on the same day and I think that was really successful. So, I’m hoping we can do that. And also some regional mix and mingles, just so that IP section numbers can get to know each other.

David Lizerbram: Well, that’s fantastic. Well, I appreciate all that. Thank you for all your insights about privacy law and also what’s going on with the IP section. Let’s see, you told me that if people want to reach out to you, they can reach through your email, which is privacyandyu, Y-U, which is your last name, @gmail.com. That’s the best way to get in touch with you?

Emily Yu: Yes, absolutely.

David Lizerbram: Excellent. Anything else we didn’t cover that you wanted to mention in this chat?

Emily Yu: Just want to plug the IP Institute. The theme is going to be IP without borders and it’s going to be held at the Wynn hotel in Las Vegas from November 14th through 16th.

David Lizerbram: Excellent. Well, I will be there and I’ll see you there and hopefully a lot of our listeners, now that they know a little bit more about you, will stop and say hi. Thanks a lot, Emily. I really appreciate it.

Emily Yu: Thanks. Thanks for having me.

David Lizerbram: All right. Thank you for listening to Intangible Assets, a podcast by the intellectual property law section of the California Lawyers Association. So, the 44th annual Intellectual Property Law Section Institute is coming up soon. It’s scheduled for November 14thto 16th, 2019. The theme this year is IP without borders. And fittingly, it’s the first time the event will be held outside of California. I hope you’ll join us this November in fabulous Las Vegas, Nevada for the intellectual property law sections signature annual event.

David Lizerbram: For more info or to sign up, go to CAlawyers.org/ipevents. That’s C-A, like California, lawyers.org/ipevents. And if you’re interested in joining the intellectual property law section of the California Lawyers Association, you can visit CAlawyers.org/joinIP. That’s CAlawyers.org/joinIP. Finally, if you want to send us an email about the show, you want to let us know your comments, you want to suggest a topic or somebody who’d be a great guest on the show, we’d love to hear from you. And you can send that email to IPpodcast@CAlawyers.org. That’s IPpodcast@CAlawyers.org. We look forward to hearing from you, and I’m looking forward to speaking with you on the next episode of intangible assets.