How a Ukrainian got admitted to 4 Western universities and began working with data protection in the USA: interview

Lawyer Halyna Vasylevska, at the age of 24, has already launched a couple of startups, got admitted to several courses in technology law at some of the top colleges globally (Cornell Tech, King’s College London, London School of Economics, and Stockholm University), and got hired by the American company TrustArc, managing privacy issues for Fortune 500 companies. Halyna is also involved in the drafting of privacy bills in the U.S.

AIN.UA’s editor talked to the lawyer about how to choose a Western education course and get admitted for study, as well as about the trends of user data protection.

About the career:

You are a lawyer. How did it happen that you got involved with startups?

My career is entirely uncharacteristic for the industry. I struggled with my Maths at school, but I was always good at negotiating. It was there that I understood that this skill can be monetized. Law school was the closest option, so I entered the Kyiv-Mohyla Academy. Already in our third year, my friends and I began thinking about our own project. We thought up a startup whose main point was to automate documentation.

Was that your first startup?

Yes. The idea was to write a piece of software that would automate the preparation of basic legal documents. It was 2014 or 2015; we thought it was a brilliant idea. We whipped up a presentation, found programmers, and decided on who would be the co-founders. However, it didn’t work out, and we closed the project.

Before the closure, we brought this project to the Hackathon in Lviv, where I met some guys who needed a lawyer specializing in personal data protection. This was how I became part of Medics team, which works on services for booking medical appointments and signing medical declarations. I have five generations of doctors in my family, so the healthcare industry was very close to me. And so, I became a lawyer in a medical startup. By that time, I had already had some experience of working with international donors, grants, organizations, plus I had advised several IT companies, so it looked as if I could be useful to them.

Now Medics is a functioning company, although I am no longer operationally involved with them. Today, it is one of the largest medical reform vendors in Ukraine. We had begun working with the Ministry of Healthcare before the medical reform became something big. And when I tell my American colleagues that in less than six months since the beginning of the medical reform we succeeded in covering 70% of the population (by the total number of signed declarations), it is something utterly mind-blowing for them.

About the studies:

You have experience of working at the Parliament of Canada and as the Masters of Laws in the USA. Please tell us more about it.

In Canada, there is a program, which has been functioning for more than 30 years. Its purpose is to send young Ukrainian leaders to the Canadian parliament for work experience. I got there in the fall of 2017. The interesting part was that I worked on the state program for the reimbursement of medical expenses there, as well as on data protection and AI regulation issues. I came back from Canada in December 2017, and this experience had really recalibrated my worldview.

I understood that I had to go abroad and study those things that we cannot study here. For example, the legal regulation of technology.

I began searching for programs preparing lawyers for this sphere, but such courses were quite a few. There are LLM programs focusing on technology, for instance, several suitable options in the US; these were: Cornell Tech (where I would study), NYU, Berkeley, and a program at Santa Clara University. The rest are LLMs with optional tech courses [Editor’s note: LLM is an MBA analog for lawyers].

I also considered programs in the UK and continental Europe, including those at the London School of Economics and King’s College London.

Based on the combination of factors, I liked the programs at Stockholm University, King’s College London, and Cornell Tech best of all. When it came to choosing the concrete program, based on offers, Master of Laws in Law, Technology, and Entrepreneurship at Cornell Tech was great in combining my previous experience, the industry focus, and opportunities to really work with companies.

How did you manage to get to several top-notch programs?

Firstly, I had been investigating the programs for a very long time: their admissions criteria, working destinations, admission history, what is the success rate.

The majority of the programs that I applied to had an admission success rate of 2–3%.

The key point is your personal statement. In effect, it is your address to the university, explaining why, of all applicants, they should choose you, listing your achievements, and telling them about your plans. Here, it is important to understand that in the U.S. your marks and previous experience are considered less valuable, compared to such key points as your current results and unique achievements, whereas in the context of British programs, it’s the opposite: academic performance is key.

My good level of English was among the crucial points also. Currently, I often talk to Ukrainian students who wish to get a higher education somewhere. Insufficient level of English and failure to understand the clear goal of the program are problems routinely faced by our students.

Even having a high level of English proficiency, before I mailed off my statement, I ran through my contacts from Canada, from the U.S. and sent it out to them for proofreading. As a result, there was not a single program that I applied to and where I wasn’t accepted and offered a scholarship.

How to write your personal statement, if you want to enroll in an MBA/LLM or another study program abroad?

When you pick programs for yourself, you look at the requirements and often realize that you don’t quite meet them. For example, suppose there is a program that trains investment bankers or stock market professionals. In Ukraine, it is difficult to get an investment banking background in the sense that is traditional for the program. That is why you have to rewrite this message about yourself, so as to underline the relevant data, find the key requirements, and word the document accordingly.

One more point. Rewriting each of those letters took me about a week. I think, there is nothing harder than writing something about yourself and your achievements in a correct and convincing way. I sent those letters to people who had applied to similar programs or worked in my target industries.

I received my very first draft back all red from corrections. I looked at it and thought that the admissions office would react in the same way. I rewrote it, making it shorter and focusing on the essential points, and they enrolled me.

I remember how I called my parents, and my mom told me, “They just accept geniuses there.” And I replied, “Yeah, mom, I’ve got accepted too.”

Then there were negotiations regarding the scholarship. It is a separate kind of art, more art than science.

How was studying at Cornell Tech useful?

I chose a program at Cornell Tech because it best matched what I wanted to do next.

The main problem for me there was the professional culture shock, realizing how everything was done differently, how the program was geared towards startups and creating startups, developing innovations. Technology transactions, licensing, technology, blockchain, bitcoin, cryptocurrencies, relevant taxing, mergers and acquisitions. I mean, startups in Ukraine rarely go beyond 3 or 4 rounds of investment, and we don’t have regulations allowing these operations as such.

Moreover, the training methodology itself was new to me. I remember coming to my class and thinking, “Now, where is the list of questions for the seminar?” I buried myself in further reading, and it turned out that there were articles from Wall Street Journal and Forbes on the list, but no academic sources in the meaning that I was used to within Ukrainian education.

It came as a shock: do people pay such money for their study, just to get articles from the Internet for reading? On the other hand, it was a course on technology transactions; what academic articles can there be?

Spoiler: in more specialized courses I read 100 pages a week, half of which were cases, and half, academic articles.

For instance, we had a course called Lifecycle of a Venture-Backed Startup, taught by the person who had been Facebook’s first corporate lawyer. He told us he was now taking selfies with all startups working with him because he didn’t make it with Zuckerberg back then.

One of Slack’s first investors taught us Corporate Innovations. He recalled how the founder of Slack had been going through tough times and had to sofa-surf somewhere. And so, he came to my lecturer to stay for a while and told him about a tool they had cobbled together to communicate within their team, while they had been working on a whole different product for a design. It turned out, he had been speaking about Slack. It’s funny, but in a week after that class, Slack held an IPO.

Such stories can blow your mind really hard, especially when you realize that you become part of them. As well as the expertise level of the people you work with. The level of openness. And the complete lack of showing off.

About the data protection sphere:

How did you get into TrustArc?

TrustArc creates technologies for managing privacy in global organizations. It has more than 1,500 clients, with some Fortune 500 companies among them; I cannot name all, but there are Credit Karma, Merck, and Intuit, for example.

The company develops technologies helping to manage all data gathered by applications and companies (for instance, what an application would know about you, if you are a Ukrainian citizen, you live in California, and you access the Internet using a Dutch VPN).

All of this is regulated by numerous statutory documents, imposing different obligations on companies. And you must comply with them, in order to work with any large company from the USA or Europe. If you don’t pay attention to data protection, they won’t deal with you.

I am sometimes asked why I chose this career. Because data is not the new gold, not the new oil – it is much more cool and important.

Roughly speaking, TrustArc writes software and tools that allow companies to manage their privacy policies, control how such policies are observed, address risks. For example, one of the latest products is a risk algorithm that, based on various criteria, calculates the possible risk of working with a particular vendor. As for me, I personally manage the regulatory requirements of the company’s 4 main products dealing with everything concerning cookies and advertising.

For companies with a heavy data component, this is actually a huge question.

In Ukraine, I witnessed a practice where deals fell through because major customers in the West were not ready to work with the inadequate Ukrainian jurisdiction. These were seven-figure transactions falling through because of privacy problems.

I received calls at 5 am and was asked to whip up confidentiality and privacy policies so that the company could show the client that everything was fine with those issues.

But privacy is not a policy downloaded from the Internet; it is about how your organization respects the rights of the users it works with, and you cannot fix such problems within a few hours.

Do you work with companies of Google or Facebook caliber?

I cannot disclose concrete names for reasons of confidentiality, but I work with many companies of that caliber.

Why have there been so many scandals lately, similar to that with Cambridge Analytica, related to privacy issues? Do you help companies solve their privacy problems?

To the first part: in America, sectorial privacy regulations have been formed historically; there is no single comprehensive law or act. There is HIPAA for medical data; there is GLBA for financial information; there are regulations in each individual state.

For example, the CCPA (California Consumer Privacy Act) is now radically changing the dynamics of the issue and setting the trend for other states. There are big discussions going on now, about the efficiency and prospects of adopting a federal act, but it is too early to talk about specific forecasts. Why did it happen to be so?

In the U.S., this sphere has not been regulated for a long time at all. Regulation emerged as a consequence of the tech boom. We are devastatingly dependent on technology, we cannot imagine our lives without it, but on the reverse of the coin, there is our privacy.

What did GDPR begin with? With the idea of limiting the monopoly of technology companies in Europe. Huge fines, like the $170 million that Google had to pay for the violations during the collection of children’s data, are the cost of non-compliance with such requirements, on one hand. On the other hand, such stories show people that they have rights to their own data.

Why are there so many data breaches? Because in the U.S., there are significantly more companies working with data than anywhere else. The market intensity is different, so it might seem from the outside that leaks occur more often here than elsewhere.

Another point that is very pressing in the USA now is technological discrimination. Roughly: if a customer refuses to provide data, the company denies him or her access to the service.

For example, the abovementioned CCPA contains an explicit rule requiring companies not to restrict the rights of the customers based on data that they have or do not have.

And such regulations apply to all companies profiting off targeted advertising, don’t they?

It is true. Among other things, I am involved with products for targeted advertising, and I interact with all major self-governing bodies of the market. This industry will find a solution; there is too much money there not to find workarounds.

On the other hand, regulating the industry helps get rid of unwanted fraudulent schemes. Google had big initiatives in this sphere: to verify any advertisement buyer (previously it had worked only for political ads); Facebook created the Off Facebook service allowing customers to track which websites gather user data outside the platform.

Currently, there is the sensational news about Google’s initiative to abandon the use of third-party cookies. And this is a reasonable decision because if ordinary users could see whose cookies they have on their device and how much data are gathered about them, they would be terrified. So, I would safely advise you to check now in your browser settings what exactly has been collected about you.

It is a fact that without those technologies, the Internet wouldn’t be itself, but they will have to evolve. When CEOs of tech giants speak about the future being private, the actual point is that such companies simply have no other choice.

For me, this means, among other things, that I have to work with very diverse topics and issues, which just a limited number of professionals in my field can work with. I have to work in a wide variety of legal terrains. Today I need to sort out the South Korean personal data legislation (deemed to be one of the strictest globally), tomorrow, to comment on the Brazilian LGPD, whose mechanisms are very similar to those of GDPR, and the next day, I need to go into Russian data localization and the relevant adjudication (for global companies, this is often a key point defining if they will or will not deal with the Russian Federation).

How has the coronavirus influenced privacy regulation? In Ukraine, for example, a law has been passed that allows processing personal data without the owner’s consent when it is related to fighting the coronavirus.

The Ukrainian response to data collection during the pandemic came as a pleasant surprise for me, because of its proportionate measures. What is happening today falls within the definition of public health disaster as a critical threat and therefore falls under the exception from the perspective of such regulatory acts as HIPAA and GDPR. As part of its fight with the pandemic, the USA has loosened some HIPAA rules and allowed healthcare facilities to exchange information directly. This radically changes the regulatory terrain for any medical lawyer, but in view of the pandemic, it is justified.

So, from a legal perspective, it is a proportionate measure. Another question is: will those data be used for other purposes when the quarantine is over? Plus, Ukraine has no developed jurisprudence in such matters.

I have a lot more questions about contact tracking applications, such as the recently launched Google and Apple application, which allows you to voluntarily (consentingly) track your contacts to control the spread of the coronavirus. Because, if you match the already available data to geolocation, you will get a set of sensitive data. And private companies cannot be authorized to collect such sets of data, unlike governmental institutions.

If you have followed the Ukrainian news, have you read about the application “Act at Home”? There were certain issues with it.

Yes, I saw the app. I am not familiar with the topic enough to give comments. But there is nothing wrong with having such an application. After all, this is the quarantine, although in the digital sphere. Don’t we oblige persons under house arrest to stay at home and report about it through an electronic bracelet, because they pose a threat to the society? Persons with coronavirus quite similarly pose a threat to society. Not because they are good or bad, but because they carry a disease that is potentially deadly for people around them.

Another issue is that the implementation of this meritorious idea might be dubious.

Recently, there was a scandal in Ukraine: Ukrainians’ databases were on sale in Telegram bots. They had everything about people: name, Individual Taxpayer Identification Number, place of registration, passport. Can you comment on this?

This situation is a marker of a complex problem within the country. Unfortunately, without proper regulation and competent, correctly functioning regulators, such situations will happen again.

What would you advise startups set to expand to foreign markets? Should they bother about privacy issues? Because it is easier to download a ready-made privacy policy.

Of course, such logic makes sense. But only until your startup has a seven-figure transaction blocked. Let’s be honest: the probability of being pestered by a regulator on these issues is objectively not too high for you. But the probability of suffering reputational risks, missing potentially large-scale deals, and cutting off the routes for company growth is way more realistic and financially painful.

What would I advise? Do the research and understand what rules apply in the market, especially if it is b2b. In this case, just bear in mind that sooner or later this issue will be raised.

Understandably, if a startup has to choose whether to pay salaries to its developers or pay a lawyer who would prepare a privacy policy, the latter is seldom opted for. Nevertheless, you will have to do it over time.

There is no point in downloading privacy policies from a random website. Privacy is not something you have posted on your website. It is about what you really do with user data in your organization. So, to describe in simple words what, and how, the company does with data, what systems it utilizes for data processing, and how a user can disallow such processing – is a much more reasonable idea than to copy incomprehensible texts written for a totally different service.

Just remember that, whereas for Google or Facebook a hypothetical $5 million is the cost of doing business, for you it can mean the death of your business. Even if you avoid fines, data leaks from your application or inappropriate data handling will be the first things about you to appear in the news during Internet searches.

You mentioned your work on issues related to the California Consumer Privacy Act. What is this act, and what should Ukrainian companies working with the U.S. market expect from it?

It is a hot season for privacy professionals now, because in early June, the regulation of the CCPA was adopted, and since July 1, the regulator has an official right to fine companies for not meeting the requirements.

This is a turning point for the whole industry because the CCPA is the first act in the USA that covers privacy issues on a universal, rather than sectorial, level. As an expert having worked on the commentaries on this act, I think this is the beginning of major changes that companies should get used to.

As for the practical steps, it is worth starting with:

  • understanding whether the act affects your business, or the work of your company’s vendors, clients, or contractors;
  • reviewing your confidentiality policy for compliance with the requirements of the act;
  • implementing mechanisms that allow persons whose data you process to refuse such processing.

The act is fully changing several things: it obliges companies that fall under its requirements to accommodate requests of a personal data owner (user), obliges them to have the function (a button on their website) Do Not Sell My Personal Information, and sets a number of restrictions on working with targeted advertising.