Ep. 04

Daniel Barber  0:14  

So in our ever changing environment, trusting your financial partner is more important than ever. Today, we’re thrilled to welcome Alfredo Della Monica, Vice President and Senior Counsel for the US privacy legal team at American Express. Welcome Alfredo.

Alfredo Della Monica  0:30  

Thank you for inviting me. Love to be here.

Daniel Barber  0:32  

Yeah, excited to be on the show. So you have quite the background leading into to Amex would love to just, you know, learn a little bit about you and what your path was there. And we can kick it off after that.

Alfredo Della Monica  0:43  

Sure. So as you might have guessed already, from my accent, I’m fully 100% Italian, graduated law school in Italy. I started then immediately after law school in a US law firm in Italy, where I was a full regulatory lawyer dealing with antitrust, intellectual property, privacy and other things. 

Of course, then I studied abroad for a couple of years doing a masters in Europe, and a masters in the US. And then I came back to the same firm, where basically, my workload started to shift from pure antitrust into more privacy. 

And I started to advise American Express almost exclusively on privacy matters. So at that point, after a year working as an outside counsel for Amex, they decided to offer me a job in London, leading the privacy legal team for them in London, the European privacy team. And so I mean, I couldn’t refuse that. 

So after five years, basically, with the company in London, I moved to the US as leading US privacy lawyer for the US team, which was another change into my life and expertise. But at the end of the day, it worked out really well, because right now, I feel like a 360 GDPR CCPA, kind of legal privacy expert.

Daniel Barber  2:00  

Yeah. And I mean, I mentioned you followed things from the EU privacy directive through to the GDPR. And the different measures. What was that background? As you kind of watched, especially at Amex, watch the GDPR involved and eventually go into practice in early 2018?

Alfredo Della Monica  2:16  

Yeah, you’re absolutely right. So my background really goes back into the directive, I started doing privacy law back in around 2000, which were the early years of the directive. And to be completely honest, that was really a passion since law school. 

When I think about what I did at law school, I wrote a paper on the security of internet payments in 2001, when my professors were like, what are you talking about? And so it was really, it was really fun to see the progression of you directly, which was, you know, also implemented into different laws into different countries. But the main drivers for the directive, the driver forces for the direct you were really Germany, Italy, and probably Spain, right. 

And then you, you see this kind of legislative move towards more privacy, more regulation around data, you know, it was growing the data on the tech side, and of course, legislation was growing on the other side. 

And so fast forward, of course, 15 years GDPR comes into play took a lot. I mean, my steep learning curve has been 15 years. But when I saw GDPR coming, I was already like, a lot of these things are really the development that German and Italian data protection authorities had put together in the last 15 years, right. Talking about profiling, talking about cookies. 

Again, when I started doing privacy, there was not even a e-privacy direct, the first privacy directive is of 2000 to 2003. I think. So it’s fascinating how the tech and the data and the entire space moved so quick that you know, legislation is always couldn’t keep up. And then all of a sudden, we get these huge piece of legislation, GDPR that took more than two years to come to some sort of final text. You might have heard the comments, you know, the golden line it was around at the time was that this has been the largest piece of legislation in the history of EU legislation. 

And again, its privacy where the privacy directive was not that big of an importance before. And then having been a EU privacy lawyer for a while. I’ve been you know, once I moved back to the US, it was fascinating and not really surprised for me to see how the states were moving to a similar model. Right. 

So a lot of countries took GDPR as a model for their legislation, but the US as an environment as a cultural, different kind of approach to these things. And yet, I think California, you know, did want to take GDPR is a model and so it was expected they kind of tried to borrow some of the concept. They tried to award the same kind of rights that GDPR was awarding European citizens. And again, I’ve been, you know, in a kind of a privileged spot to see how American companies, including American Express, were reacting to something like this, which was again, very interesting and fascinating to watch all the way.

Daniel Barber  5:14  

Yeah. So he talked about keeping up, how do you keep up? Right? I mean, there’s there’s a lot of places that you can read different information and try to keep informed, especially with the CCPA developments that are moving really quickly. You know, if you were to think about your top three sources, what do you think they would be as sort of a legal and privacy pro?

Alfredo Della Monica  5:33  

Sure. So there are plenty of legal sources, you can go around right every little or big or medium sized firm as a newsletter, or we receive some sort of updates. 

But if I can share something new, probably a few years ago, a New York based firm, Morrison and Forrester created the global privacy Alliance, which is a combination of a cross section of global businesses, financial services, aerospace, consumer products, automobile, so you really put everyone together. Of course, I think there is a membership that you have to pay. 

But once you are part of these Alliance, you get very specific updates from the firm on every sort of logistical move around the world on privacy. So they’ve not covered just us to Europe. You know, sometimes I get updates about Kenya, data protection and privacy law, or, you know, Singapore, or anything around the globe, because they have a very solid network of lawyers. And they do have usually a very specific email that they send out with very good details. 

And then of course, I use the GrailCast, of course, global data review, and other sources that, generally speaking are very helpful when you need to have a cross country kind of legal advice to give out, because you can compare easily legislations around different countries. 

Daniel Barber  6:56  

That makes sense. 

Alfredo Della Monica  6:57  

Last thing, I would say, I love to read a lot, but I usually try to reverse engineer what my privacy matter is, is always going to be. So I love to read tech magazines, I read and I love to read where the tech is going. Because as we said before, where tech is going, legislation will get there, they will just need some time, but you know, you will catch up. And so if you if you’re reading an understanding where the tech is going, I think you’re always a step, a little step ahead of the legislation that is coming your way. 

Daniel Barber  7:24  

It sounds like that was your research early on. Right? I mean, you’re you’re anticipating financial markets before they actually went to where they are. That’s really cool. Shifting gears a little bit. We’re all going to hopefully the ballot box coming up here in about a week. You know, the hot topic for folks in privacy is proposition 24. What risks Do you see with the regulation, the way that it stands, and just the general climate of what we’re voting on number 24 on the ballot.

Alfredo Della Monica  7:53  

I see, and I’ve seen advancing CCPA towards GDPR and EU concept, right and proposition 24. It’s just another spill to the wheel in the same direction. But really concerns me in terms of risks, or kind of operational compliance problems or problematic things to do is the fact that proposition 24 CPRA is moving too fast into the EU direction, right? So the US has a different cultural environment is a different legal system is a different economy. Right. 

And regardless of what’s happening right now, for a second, of course, that’s very important and will impact in the same way. But you know, even if we were in a normal situation, my concern is that we are injecting EU concepts concept into us legal systems without really appreciating how complex that could be. Right? 

So we cannot introduce into a US legal system, which is a very highly litigating system. Things like private right of action for privacy violation of Proposition 24. Right, that is a big thing. And I’m not saying I’m against it, I love it, but it has to be done in the appropriate way. Because again, that isn’t a new concept that doesn’t really translate into the US legal system. And so you need to understand what you can use them that EU concept before having it as a trigger for some important, you know, private litigation in the US.

Daniel Barber  9:20  

Yeah, it’s such a mixed topic. I feel like across the privacy community, it’s split pretty pretty down the middle on folks that are very supportive of the the move, and folks that are also have a lot of apprehension of the change. So I’m always curious to see how folks are sit there. I mean, in sort of a similar vein, where do you see opportunities? Right. I mean, I think Amex is, you know, built on trust, right? That’s a huge part of the value proposition of Amex, but just, you know, across financial services as an industry, where do you see the opportunities for for folks in privacy?

Alfredo Della Monica  9:56  

Yeah, when I totally agree with you when people talk about trust. They talk about our brand, they usually just refer to the security right to the, to the actual protection of the data. But I do believe privacy is a tremendous advantage for financial services for, you know, we continue to see pressure from FinTech and other companies to enter the financial space. Why, of course, it’s a very good business model. But also because you know, the data that you have are so powerful, right? It’s all about what you and I spend around the globe. 

That is an incredible, powerful data for marketing for financial stability forever, right. And so while it is good that everyone tries to enter this space, because of course, from a competition standpoint, for consumers, it’s great. I also think you know, that you need to have a solid infrastructure, you need to have some sort of solid understanding of what are the customers needs. 

And so when it comes to banks and financial services, I think that that is where we could use privacy as a differentiator, right? We know how important is the financial data of our customers, and our customers want us to use the data? You know, when people go around and talk about monetizing data, we do not monetize data in a way that other companies believe we are right? We absolutely don’t, because we want to protect the privacy of our customers. And so it’s different from companies throwing, you know, free products or free things just to have access to your transactions data, because they are then selling what you’re buying to marketers or other things. That’s a totally different policy from what financial services do. And I think, you know, that could be a great advantage for firms like Amex,

Daniel Barber  11:38  

privacy can provide a specific advantage for Amex.

Alfredo Della Monica  11:42  

Yes. So, you know, I think I’m accessing historically, given great attention to brightness. You know, when I joined, I was very surprised to see that we had something called privacy principles that dated back to the 1990s. 

And, you know, that’s why I always say, I love to be now an expert on both sides of the pond, because you know, the privacy, right, really born in the US, just under a different completely set of understanding your culture, but he born here. And so I think you know, that privacy for ours is the strength that comes with our trust of our customers. And that is where I think adding a reputable brand means carrying a lot of responsibilities versus what your customers expect from you. 

So what we are doing building on these great attention that we always add, is now starting to create products that are really privacy by design. And they have privacy controls in mind from the get go. Right? So whenever we have a new product or a new feature that is asking some interaction with user, we always try to give control over the data to the user. You know, we love those toggle yes or no for choices. And of course, you know, it’s your choice, and we have to be as transparent as possible. But I think we really strive to get the perfect balance between a smooth customer journey, and a high level of privacy and security for your personal.

Daniel Barber  13:07  

Yeah, well as an Amex customer myself, I can attest that I feel secure and I can trust the brand. But yeah, I want to thank you again on Friday for joining the GrailCast today. And for those tuning in. We’ll have another episode in a couple of weeks. And thank you for the time and look forward to seeing you again soon.

Alfredo Della Monica  13:23  

Thank you again, Dan. It was a pleasure.