Privacy Law

SPOTLIGHT ON PROFESSOR LYDIA DE LA TORRE, CALIFORNIA PRIVACY PROTECTION AGENCY BOARD MEMBER

VOLUME 1, 2024, PRIVACY LAW SECTION JOURNAL

Written by Jennifer L. Mitchell*

Between Professor Lydia de le Torre’s roles as a Board Member of the California Privacy Protection Agency (CPPA), the Founder of Golden Data Law, and a law school professor teaching novel courses on artificial intelligence (A.I.), there is no doubt that Prof. de la Torre is one of California’s most influential privacy lawyers.

Prof. de la Torre was appointed to the CPPA Board by the California Senate President pro Tempore Toni G. Atkins in March 2021 and served on the Advisory Board of Californians for Consumer Privacy during the Prop 24 ballot campaign. She is an affiliated researcher at the Center for Data Science and Artificial Intelligence Research (CeDAR) and teaches privacy, data protection, and AI courses at UC Davis Law and U.C. Law San Francisco (formerly U.C. Hastings). Prof. de la Torre is the founding partner of the teaching law firm Golden Data Law (GDL). GDL serves clients in the not-for-profit sector, and its mission is to mentor a diverse and inclusive group of law students and recent grads so that they can grow into solid ethical professionals. Prior to her appointment, Prof. de la Torre served as an of-counsel to Squire Patton Boggs and had in-house counsel roles at several multinational organizations. Prof. de la Torre is an international expert in data protection issues and the European Union’s approach to regulating data and A.I. in particular.

I had a chance to catch up with Prof. de la Torre to learn more about her distinguished career path, her background in comparative law, and her views on the future of privacy and the profession.

JENNIFER: Thank you for your history of supporting the California Lawyers Association (CLA), and we appreciate you taking the time to share your insights with us. Could you tell us about your background, starting as a European-trained lawyer, and how you ended up specializing in privacy?

PROF. DE LA TORRE: I was born and raised in Spain and completed my law studies at the Complutense Facultad de Derecho in Madrid, from which I graduated in 1995. I wanted to work for the Arthur Andersen organization, which in Spain at the time had three branches: an accounting/auditing branch (which collapsed in 2001 after the Enron scandal), a consulting arm (which later became Accenture), and a law firm (Arthur Andersen Asesores Legales y Tributarios.) With that purpose in mind, I enrolled in an LLM program in taxation offered by Arthur Andersen and joined the Arthur Andersen law firm arm in 1996. Shortly after I joined, the firm merged with the leading local law firm, Garrigues, the name under which the firm still exists today. Because of the merger, the corporate practice grew significantly. I was able to move from the practice of tax law to corporate practice by working under Pablo Olabarry, a now-retired partner who is one of the most brilliant corporate attorneys with whom I have had the privilege to work with and who, incidentally was one of my teachers during the LLM program. Since I was highly interested in emerging technologies, I raised my hand, so to speak, to be called upon to do any corporate or transactional work that was connected to them.

One of the laws affecting emerging technologies that were in effect at the time was the LORTAD (Ley Orgánica 4/92 de Regulación del Tratamiento Automatizado de Datos), enacted in 1992. This Spanish law pre-dates the EU privacy directive of 1995. The LORTAD (like the GDPR) was not considered a “privacy” law because, in Spain, the right to privacy and data protection are enshrined separately as fundamental rights in our Constitution. The LORTAD regulated computerized data processing to ensure Spaniards did not see their other fundamental rights, including the right to privacy, eroded by technology. That is the core of the Spanish right to data protection as conceived by our Constitutional Court. The LORTAD did so by regulating how computerized systems handled data related to individuals, or in other words, by limiting how computers are allowed to “think” about us humans.

The LORTAD created the Spanish Data Protection Authority (AEPD), giving rise to Spain’s legal data protection field. The partners at my law firm did not quite know what to do with the LORTAD, as it introduced what, at the time, were entirely new concepts into the Spanish legal system, e.g., controller, processor, and processing. That opened the door for another senior associate and me to become the leads advising clients on data protection compliance. I often tell students how we spent hours and hours for days on end trying to figure out where to provide the disclosures that the LORTAD required for transparency because what we now call “privacy notices” did not yet exist.

This field has a deep ethical dimension, which I find fascinating, so I am very fortunate to practice it after so many years.

JENNIFER: It is hard to imagine a world before privacy notices! Given your European privacy career origin, how did you transition your focus into the practice of privacy law in the U.S.?

PROF. DE LA TORRE: I moved to the U.S. in 2001 for personal reasons and could not practice law because I was only licensed to practice in Spain. The cost of attending law school in the U.S. made that option inaccessible to me. I worked as a court interpreter and taught interpretation at a local university until I learned I qualified to take the California bar exam without attending law school based on having been licensed to practice in Spain. At that point, I decided to prepare independently for the California bar exam under the supervision of Judith Saucedo, a graduate of UC Davis School of Law and an incredibly smart attorney, who chose an unconventional career path that would allow her to raise her family while making good use of her legal education by creating a business as a bar exam tutor and mentor. I passed the California bar in 2010 and became licensed in 2011. In order to forge a career path toward a practice in the area of emerging technologies in the U.S., I completed an LLM in Intellectual Property Law at Santa Clara University, and from there, I joined the eBay privacy team and, later, the PayPal privacy team.

In 2017, I was given an opportunity to return to Santa Clara University as its inaugural privacy fellow to work under Professor Eric Goldman. I welcomed it, as it enabled me to go back to teaching and to research a topic that had intrigued me for years: state privacy laws, in general, and California privacy, in particular. The timing was fortuitous as it happened before the California Consumer Privacy Act (CCPA). It allowed me to connect with Californians for Consumer Privacy and the organization behind the CCPA from almost the beginning of the process.

I did not support the 2017 initiative version because I opposed the limited access rights and the overbroad private right of action provision. However, I became a supporter when it was amended in 2018, prior to its passage through the California Assembly and Senate.

Professor Goldman placed significant trust in me by allowing me to co-direct the Santa Clara Law Privacy Certificate Program and teach Comparative Privacy at the school. In this dual role, I became aware of how experiential opportunities for law students set them on the path for career success, yet not everyone, such as first-generation college attendees, has access to them. As a consequence, today’s bench of privacy practitioners is not fully representative of the population whose interest privacy laws are meant to protect. This lack of representation in our profession impedes our ability to accurately identify and remediate the biases we know can easily be inadvertently embedded in automated decision-making technologies (ADMT) and in AI.

When my fellowship ended, I joined Squire Patton Boggs, where I practiced until I was appointed to the California Privacy Protection Agency (CPPA) Board. My appointment compelled me to leave Squire Patton Boggs, as simultaneously practicing at a big law firm would have created conflicts of interest. I took the opportunity then to create Golden Data Law (GDL).

GDL is a practice that combines my love for teaching and mentoring with my long-time passion for the practice of data protection law. GDL is a “teaching law firm” incorporated as a public benefit corporation that provides paid experiential opportunities to deserving, diverse fellows. Judith Saucedo, who taught and mentored me through my passage of the California bar exam and has since become one of my closest friends, joined GDL as the Academic Partner in 2021. The two of us have joined forces to become the engine behind the firm. For now, GDL serves the non-profit sector, as my role with the board is incompatible with advising organizations subject to CCPA. We took on clients who support our mission and were incredibly fortunate to have Candace Moore, a bright and talented Santa Clara School of Law graduate, accept a role as our inaugural fellow at the end of 2021. Candace works directly with clients under my supervision while receiving mentoring support from Judith. We expect to seek a new fellow in 2024, and grow our practice from there in order to fulfill our mission of fully preparing our fellows to enter practice in their desired sector.

JENNIFER: Thanks for sharing that interesting career trajectory, and congratulations on the founding of GDL. How do you think that your background as an EU-trained lawyer shapes your view on U.S. privacy law, and what similarities in the legal frameworks do you see?

PROF. DE LA TORRE: I have taught Comparative Privacy Law for years, focusing on GDPR and comparing it to other leading legal frameworks. That, plus my perspective as an EU data protection lawyer, has been a critical factor in shaping my views on U.S. privacy law.

I am not a proponent of importing the EU data protection framework wholesale into U.S. law. The origin of the right to data protection in the EU can be traced back to the European reaction to the rise of automated data processing in the ‘60s and ‘70s, which is closely connected to the history of the region and particularly to the use of computers by the Nazis and other authoritarian governments in Europe.

The history and culture of the U.S. is quite different. In our country, which has benefited immensely from the digital revolution, the consensus is that development and use of computerized technology should not be banned or restricted unless and until specific concerns are identified. Regulating personal data in the U.S., therefore, calls for a different approach, one that finds inspiration in the EU model while still being true to the unique American perspective. In fact, this is precisely the balance achieved by the CCPA. The CCPA is revolutionary. It reshaped the global dialog around data and privacy for the first time since the EU enacted data protection laws in the ‘80s and ‘90s. It has spurred on other states to adopt similar laws and will certainly impact other countries. I hope that we will soon see a federal law modeled after the CCPA that does not require the pre-emption of existing, more robust state frameworks like the California one.

JENNIFER: Speaking of the CCPA, what can you share about the process for being appointed to the CPPA Board, and what drove you to seek this appointment?

PROF. DE LA TORRE: Finding an opportunity to serve in the public sector was a goal for me after my fellowship at Santa Clara Law School ended. Because of my interest in policy, the regulatory role of the CPPA, which rests in the Board and cannot be delegated, made the prospect of serving as a Board member very attractive.

That said, during the campaign for Prop 24, the initiative that amended the CCPA and created the Agency, I never expected to be considered, much less appointed, to serve as an inaugural board member at the CPPA. For one thing, I was still in the process of obtaining U.S. citizenship. Additionally, my background was primarily in the practice of law. Although I had researched and taught California privacy law, I had not written scholarly papers on the topic. I was pleasantly surprised when I was invited to share my résumé to be considered for the role. The process was similar to any other hiring process. I went through several remote interviews over a three-month period and was selected for the role. After terminating my employment with Squire Patton Boggs, and completing the rigorous disclosure process, I was sworn in and attended the inaugural meeting of the Board on July 14, 2021.

I am grateful to California’s Senate Rules Committee and the President pro tempore of the California Senate, Senator Toni Atkins, for the trust they placed in me by appointing me to serve as an inaugural board member of the CPPA. The role placed significant responsibilities on my shoulders, but I have been able to carry it out successfully, thanks to the unwavering support of Senator Atkins’s leadership staff, the collaborative and supportive culture that we created within the Board, and the colleagues and friends who have generously helped me along the way.

JENNIFER: One area that has received increased focus from California privacy practitioners is the intersection between employment law and privacy law. What do you think about the future intersection between these two disciplines in light of the CCPA’s coverage of employee data?

PROF. DE LA TORRE: Applying the principles and rights enshrined in the CCPA in the context of employment law in the U.S. is new and very specific to California, as other states do not regulate employment data. However, this is not necessarily an area where guidance is missing, given that data protection compliance in employment has long been required in Europe meaning that resources are available on best practices from the local EU regulating authorities.

Beyond that, I prefer not to make any concrete statements, as the California Attorney General’s office has announced an investigative sweep through inquiry letters. I understand letters have been sent to large California employers requesting information on CCPA compliance with respect to the personal information of employees and job applicants. I am confident that the California Attorney General’s office will release information on the inquiry to the public when appropriate. I would encourage practitioners to pay close attention to it.

JENNIFER: Many of our CLA members serving in private practice and in-house corporate privacy positions would be curious to know how your prior roles impact your perspectives and contributions to the CPPA.

PROF. DE LA TORRE: Throughout my time at the CPPA, I have consciously worked to represent the community of responsible privacy professionals to whom I belong. Contrary to what some believe, most privacy compliance in-house professionals deeply care about privacy and work tirelessly to guide their organizations toward responsible data stewardship. In this regard, I have been influential at the CPPA in seeking transparency for the regulated community by championing the idea of an active Board that takes responsibility for policy decisions while holding the Agency accountable for executing them. During my first year on the Board, one of my areas of focus was setting up a regular calendar of meetings at which policy decisions could be made with public participation, as opposed to allowing for those decisions to be made by the Agency behind closed doors.

Moving forward, I support the creation of two permanent subcommittees for the board: one to oversee the operations of the Agency and one to direct any further changes to regulations. The first would ensure that the Agency is budgeting and expending resources responsibly and in alignment with the policies set by the Board. The second would ensure that the Board takes the responsibility for improving the regulations, which, as directed by statute, is non-delegable. This, and the appointment of staff to support the Board, will ensure it can adequately fulfill its duties in a way that would be similar to how corporate boards and other agency boards operate.

JENNIFER: You are juggling so many impressive roles at the moment. How do you do it and what is a typical day for you?

PROF. DE LA TORRE: Interestingly, both my roles as a CPPA board member and as a founding partner of GDL rely heavily on developing similar leadership skills that go far beyond technical know-how. The keys to juggling both roles are setting a strategic plan for development, understanding, and assessing the plan’s financial implications, attracting talented professionals to whom tasks can be effectively delegated, and supervising their work.

My “typical” workday ranges from attending CPPA board subcommittee meetings, and reviewing legislative drafts to attending GDL dual mentorship meetings, and working with our fellow on supervising client workstreams, such as drafting EU Data Protection Impact Assessments (DPIAs). During the law school academic year, my typical workdays also include preparing and giving lectures in my role as an adjunct law professor.

As a mother of two young children, I am also juggling personal family obligations. This was especially challenging during the COVID lockdown, as it was for everyone else. As challenging as juggling my professional responsibilities is, at the end of the day, I love what I do and the people with whom I work. I have significantly grown professionally from the experience of handling the challenges.

JENNIFER: What advice would you give law students or young lawyers trying to transition into a career in privacy?

PROF. DE LA TORRE: For California attorneys interested in the field, joining the Bar privacy section, and perhaps the IAPP or a similar industry-focused organization, would be beneficial to jump-start their careers. Learning from other established jurisdictions is also helpful. A core understanding of data protection in the EU and familiarity with the guidelines provided by the local regulators is obviously still
a must.

Privacy is booming, but it has its challenges. To become proficient at it, you need to be confident operating in grey areas and comfortable asking questions. Because regulations and guidelines can never fully stay abreast with the speed of technological development, privacy professionals have to be able to provide advice where clear regulatory guidance may not exist or is subject to interpretation.

JENNIFER: What is your prediction for the most impactful privacy issue in the next five years?

PROF. DE LA TORRE: My prediction is that the most impactful legal issue starting now and extending into the next five years and beyond is the regulation of Artificial Intelligence. From the regulatory point of view, we cannot tackle this challenge appropriately without implementing interdisciplinary approaches that include privacy law and other fields, such as I.P. law and product liability law. This is the path to human-centric A.I. technology that does not harm individuals.

We are waiting to determine if the EU will enact the proposed A.I. Regulation draft. If the Act is not enacted by the beginning of 2024, it will likely not be enacted until the end of the election cycle in Europe, which would be 2025 at the earliest. Regardless, in the U.S. it is imperative now to find answers to the most pressing questions posed by the ongoing implementation of A.I.

I am truly honored to have had the opportunity to be a core part of the team that is taking action in California. The New Rules CPPA subcommittee on which I serve recently released the draft of the new CPPA rules on risk assessments and ADMT. The proposed framework is designed to ensure the responsible use of ADMT and A.I. and to provide consumers with control over how their personal information is used. Although changes will be triggered by the feedback we expect from the Board and through the formal rulemaking process, I can confidently predict that the final rules will take a step forward toward ensuring emerging technologies, including ADMT, are designed with privacy in mind. Supporting the responsible use of ADMT, while providing appropriate safeguards, will benefit Californians and consumers across the U.S.

On a more personal note, I can predict that I will be shifting my focus to this impactful and emerging issue. Next semester, I will be teaching a law-school course entitled “AI and the Law”, which is being offered for the first time at UC Davis, where many A.I. research initiatives are already thriving across campus. I am additionally involved in initiatives to seek funding that will enable UC Davis to be more actively engaged in addressing the many societal challenges that we have seen and will continue to see in this field.

Endnote

Jennifer L. Mitchell is a Partner in the Los Angeles office of BakerHostetler, where she leads the Los Angeles and Costa Mesa Digital Assets and Data Management practice. Jennifer focuses her practice on privacy compliance and advisory services. You can contact Jennifer at JLMitchell@ bakerlaw.com or learn more about Jennifer’s background here: https://www.bakerlaw.com/professionals/jennifer-l-mitchell/


Forgot Password

Enter the email associated with you account. You will then receive a link in your inbox to reset your password.

Personal Information

Select Section(s)

CLA Membership is $99 and includes one section. Additional sections are $99 each.

Payment