Reading time: 5 minutes

By Utsav Rakshit & Ong Chin Ngee | Edited by Wan Ding Yao

TechLaw.Fest 2021 (“TLF”) took place virtually from 22 September to 24 September 2021, becoming the virtual focal point for leading thinkers, leaders and pioneers in law, business, and technology. LawTech.Asia received the exclusive opportunity to interview Alexander Southwell, Partner at global law firm Gibson, Dunn & Crutcher LLP (Gibson Dunn) post his panel discussion titled “That’s the Way the Cookie Crumbles” alongside Charmian Aw (Reed Smith), Steve Satterfield (Facebook) and Michael Kleber (Google). Alexander co-leads Gibson Dunn’s pre-eminent Privacy, Cybersecurity and Data Innovation Practice Group with Ahmed Baladi, Ashlie Beringer and Connell O’Neill, who were also speakers at TechLaw.Fest 2021. The group advises clients in Asia-Pacific, Europe, the Middle East, Latin and North Americas.

While cookies track us, Alexander has been tracking them. We tapped into his knowledge on key issues relating to the evolution of cookies. We also sought his views on tangential topics he specialises in, particularly in the area of data protection, cybersecurity and legal technology and technology law (for which the latter two are key tenets of this year’s TechLaw.Fest!).

What will a post-cookie world look like, in your opinion? In particular, how would internet users be affected?

It’s still very much an open question of what a post-cookie world will look like and how exactly the systems will be established, both from a technological and regulatory standpoint. 

The internet that people use daily is considered free, yet it is essentially ad-supported, and most people seem to understand this. As third-party cookies are on the way out, there will inevitably be some tracking and customization of one’s experience. What remains to be seen is (a) how is that done from a user consent and technology standpoint, (b) how future regulations would affect that transition and (c) how market forces would play out.

“I think that there will be more customization and options available for individuals that may allow people to have different types of experiences on the internet, some that are less tailored to them and that may ultimately prove to be less interesting.”

There will be more customization and options available for individuals that may allow people to have different types of experiences on the internet, some that are less tailored to them, and that may ultimately prove to be less interesting. In this regard, perhaps the market will encourage more tracking to have a more customised relationship. There’s a lot of brilliant people working on this and trying to do the right thing in terms of providing notice and choice.

Further, strong emphasis is placed on privacy enabling technology, and I believe a privacy-centric approach will ultimately be the direction we move in. While the use of third-party cookies may eventually fade out, other forms of tracking technology that people have knowledge of and provide their consent to will emerge over time.

With the delay in what some may consider being the imminent “death” of third-party cookies, what are some key developments in this area and corresponding measures put in place by advertisers?

The AdTech industry has been at the forefront of figuring out how to manage the question of tracking or serving targeted ads that are helpful to people. The fundamental core of an advertising effort is to reach people who want to be reached. After all, it’s not an effective use of resources to send ads for something that’s entirely unhelpful to somebody, and most advertisers don’t want to do that. Advertisers are trying to find a way to strike the right balance—delivering useful ads and appropriately track.

“Ultimately, consumers can be smart about how they engage and part of what companies have to do is figure out how to ensure that that people are educated and understand the issues and are making choices that they are comfortable with.”

One of the most interesting questions is how newer generations, who have been more exposed to the ad-supported internet, will view developments regarding cookies and tracking. Would they see things in a different light? I myself have kids who use and are active on social media platforms like TikTok, something which I am, let’s say, less active on. And there will probably be something new in the next five or ten years that everyone wants to do. Ultimately, consumers are pretty smart about how they engage. Companies are trying to figure out how to ensure that people are educated and understand the issues, and thus able to make informed choices.

The core issue at the heart of the cookie debate is data privacy. Moving forward, how do you see data privacy enforcement actions by regulatory bodies evolving?

Regulations

The actions of government regulators have had dramatic effects on the online space and the way companies handle and use data. As technology often changes faster than regulators can keep up, regulations tend to be slightly behind the times.

The typical regulatory approach is to put out a proposal, take commentary, set aside a period for consultations before rolling out the regulation. This is the way it works in Europe and sometimes the United States. A unilateral approach to enacting regulations can be problematic because regulators are not always aware of the latest technology or the complexity of companies’ issues.

Increase in Enforcement Risks for the Companies

With new regulations being put in place at all levels (federal, state, and city, as well as of course internationally) and developments in terms of regulatory approaches, there is quite a bit of uncertainty – and this makes it challenging for companies as they want clear rules to operate under. That being said, this makes it an exciting time to be practising in this cyber and privacy space.

Cybersecurity is another regulatory minefield. What are some of the key trends and issues in global cybersecurity that you notice that would merit closer attention in the coming years?

Cybersecurity is a major issue around the globe. Governments are having a hard time managing the risks. In this era of remote working and the convenience of conducting operations over the internet, we see a sharp increase in the number of companies’ security compromised due to phishing and other attacks.

This really is a challenging area for both companies and governments. Companies are implementing internal cybersecurity policies and upgrading their systems to guard against cyber threats. Governments recognise the need for intergovernmental cooperation despite geopolitical tensions.

In these uncertain times, good cyber hygiene is of critical importance. There should be regular backups, updating, and patching of systems. Plans and protocols should also be put in place to ensure that in the event of an attack or compromise, relevant personnel are alerted and activated promptly so that corrective actions may be taken quickly to address the security incident.

Could you share a little bit with us about some of the experiences that you have had in advising in the technology area and what keeps you going?

Sure! I have been practising in the cyber and privacy area in private practice for about 15 years, which is long in “internet years.” Before being in private practice, I was a federal prosecutor working for the Department of Justice in New York, focusing on cybercrimes and securities fraud. I have thus been active in this space for over 20 years and have been fortunate to have experienced a lot, and it has been an exciting ride.

I enjoy diving into the technology and thinking about and strategizing about its implications.  And I enjoy distilling and translating technical terminology into clear concepts in court or regulators. In fact, I vividly remember having to explain a virus defence to a jury in a case that I did when I was a prosecutor. Right now, I enjoy working with companies at the cutting edge of new technologies and new uses!