Masters of Privacy – Détails, épisodes et analyse

Peter Craddock joins us once again to discuss the recent EDPS v Single Resolution Board decision by the Court of Justice of the EU. Although it builds on the previous Scania and Breyer cases to settle on the “relative” nature of personal data, its practical implications on everything we do in the Marketing Technology and digital advertising spaces cannot be overstated.

Peter is a lawyer as well as a software developer. He is based in Brussels, heads the EU Data/Cyber/Tech Law team at Keller & Heckman, and helps international companies with their global data strategy and with EU data litigation.

References:

* Peter Craddock on LinkedIn

* When is data no longer personal? And what are the implications? (Peter Craddock)

* EDPS v. SRB (full text of the decision)

* Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy, 2024)

Meaghan Henderson started off as a litigation attorney in Los Angeles, subsequently joining Snap Inc.’s Trust and Safety operations. She is now Global Head of Privacy at iRobot (makers of the ubiquitous Roomba, a robotic vacuum cleaner).

We have gone over the many tasks that Meaghan has managed (and regularly manages) to accomplish as a one-person team: rolling out a full privacy program, raising internal awareness, coordinating with security teams, complying across multiple jurisdictions, and being part of the AI governance committee.

References:

* Meaghan Henderson on LinkedIn

* Generally Accepted Privacy Principles (GAPP)

* ISO/IEC 27701 (program maturity over time)

* Fair Information Practice Principles (FIPPs)

* NIST Privacy Framework

* OECD Privacy guidelines

* Amazon and iRobot agree to terminate pending acquisition

Who can really claim to be a privacy engineer? Does this change in the digital marketing arena? What is the winning formula to integrate this role within the company’s privacy practice?

Thomas Ghys has worked as a management consultant, data scientist, and data strategist, including a 5-year stint at McKinsey, prior to setting up his own privacy engineering practice. He has deep expertise in MarTech and AdTech, auditing traditional machine learning models and data flows. He is also the founder and CEO of Webclew, a tool that helps with the auditing of websites and mobile apps.

References:

• Thomas Ghys on LinkedIn
• Webclew: scanning websites and apps for privacy risks
• CNIL: a focus on mobile SDKs, announcing enforcement actions in 2025
• Thomas Ghys: BAPD expectations for cookie compliancy unattainable for most publishers
• Dr. Augustine Fou: dismantling marketing attribution, ad fraud controls, and the business case for third-party cookies (Masters of Privacy, February 2024)

Sandy Tsakiridi is a ​​dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London. 

Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP).

We cover, in this order:

• What can we expect from the upcoming EU Artificial Intelligence Act? 
• What does it take to deploy an AI Governance Framework in the Financial Services sector?

References:

• Draft EU AI Act
• Sandy Tsakiridi on LinkedIn
• Recorded contents of the Legal AI Summit (Sandy was a speaker in 2022)
• Upcoming changes to UK Data Protection laws

Brendan Quinn (Esq.) is a qualified Irish Solicitor, New York Attorney, and Fellow of the Chartered Certified Accountants (FCCA), holding an LL.M from University College Dublin and Higher Diplomas in Computer Science and Data Analytics, as well as a postgraduate in Financial Technology. He is also the author of Data Protection Implementation Guide: A Legal, Risk and Technology Framework for the GDPR (Wolters Kluwer, September 2021). 

Among other things, our guest helps innovative software companies in their compliance with Privacy by Design and data security requirements, including data anonymization research and DPIAs.

We cover, in order:

• Things that tend to be missing in Data Protection Impact Assessments (DPIA)
• New avenues for GDPR enforcement stemming from the Whistleblower Directive and the Collective Redress Directive
• Interplay between the GDPR and data protection provisions contained in the new Digital Services Act and Digital Markets Act.

References:

• Data Protection Implementation Guide: Discount code for 25% off on the Wolters Kluwer website (valid until December 31st 2022): 25EOY2022
• Brendan Quinn on LinkedIn
• EU Whistleblower Directive
• EU Collective Redress Directive

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

References:

• Full Newsroom (Fall 2022)
• Tara Taubman-Bassirian on the Instagram fine
• Peter Hense on valid consent
• Cory Underwood on Google Analytics and Sephora
• Derek A. Lackey on Joe Biden’s Executive Order (a marketer’s perspective)
• Stephan Grynwajc on Joe Biden’s Executive Order (a lawyer’s perspective)

Selected updates: 

Enforcement

Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels. 

Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform. 

The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NYOB against companies using either Google Analytics or the Facebook pixel. 

Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web.

Legal updates

It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud. 

For its part, the UK wants out of the GDPR and this could actually result in a more dynamic environment (it relied on an Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives. 

Future of media

Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users - starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion. 

Stephan Grynwajc is admitted as a lawyer in the EU, the UK, the US and Canada, having worked as a privacy practitioner and DPO in both Europe and North America for the last 20 years. His own law firm offers external DPO services to EU/UK and US/Canada-based companies. Stephan is also a partner specialized in international privacy at Outside GC, a bicoastal US law firm.

Stephan publishes regularly on various privacy topics, including for the IAPP Privacy Advisor. He is also an Adjunct Professor on privacy and data protection at various universities.

References:

• Privacy at the Crossroads: A Comparative Analysis of Regulation in the U.S., the EU and Canada
• Joe Biden’s Executive Order
• Summary of Privacy laws in Canada
• Law Office of S. Grynwajc (and LinkedIn Page)
• Outside GC
• IAPP Privacy Advisor

Derek A. Lackey is Managing Director of Newport Thomson, a Privacy Agency based in Toronto. With more than 30 years of marketing, advertising and privacy experience, he is focused on data protection & privacy and its effect on the brand. Derek is the author of “CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians”, and looks to simplify the implementation of new data management practices within organizations. 

This will be the first of two separate perspectives on the basic premises that make EU-US data transfers so difficult (in the aftermath of Joe Biden’s Executive Order paving the ground for the Data Privacy Framework). We will also get a first impression of the Canadian scenario as an interesting blend of both approaches.

References:

• Newport Thomson
• Derek A. Lackey on LinkedIn
• Joe Biden’s Executive Order
• Max Schrems’ first reaction to the EO
• CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians

Peter Hense is a partner at Spirit Legal, Germany. He specializes in data privacy litigation, particularly in the area of Advertising Technology.

In this episode we discuss the uselessness and potential demise of Consent Management Platforms (CMPs) in a first-party data future. We will also touch on Data Clean Rooms and whether they actually deserve the label.

References: 

• Peter Hense on Twitter
• Spirit Legal
• Introductory article (Sergio Maldonado)
• Brave’s announcement: Automated removal of consent pop-ups
• Consent-O-Matic: OneTrust files patent to circumvent CMP blockers (Vice Media)
• Tilman Herbrich on Data Clean Rooms

Tara Taubman-Bassirian is a French lawyer specialized in Privacy, Internet law and Intellectual Property. She is a published author, for many years raising awareness of privacy, data protection and cybersecurity issues. Tara has also launched an initiative, Fly A Kite, to raise cybersecurity awareness especially to keep kids safe online. She also holds an LLM from Queen Mary University. 

References:

• EDPB’s binding decision on the Instagram case
• Instagram’s 405m EUR fine
• Tara’s website: Datarainbow
• Tara on LinkedIn