Explorez tous les épisodes du podcast Masters of Privacy
| Titre | Date | Durée | |
|---|---|---|---|
| Robin de Wouters: non-deprecated cookies, legitimate interest and small businesses | 08 Sep 2024 | 00:23:58 | |
Earlier this summer, Google announced that its Chrome browser would after all keep third party cookies. This interview with Robin de Wouters is the first of two episodes exploring the consequences of that update from the point of view of our usual stakeholders (DPOs, CMOs, CDOs). Robin de Wouters is the Director General for the Federation of European Data & Marketing (FEDMA), in Brussels. He has a strong background in communication and public relations across the private, non-profit and institutional spheres. He previously worked in the field of human rights with Euromed Rights, the ONE Campaign and the United Nations. Robin is also the Vice-Chair of the Board of the European Interactive Digital Advertising Alliance (EDAA) and the Communications Director and Spokesperson for Democrats Abroad Belgium, the international arm of the US Democratic Party. References:
| |||
| Newsroom: Summer 2024 | 03 Sep 2024 | 00:28:07 | |
Ok, the summer is nearly over, which means it is time for a Newsroom summarizing everything that’s happened in the last two months at the intersection of marketing, data, privacy and technology. California and the FTC have more specific weight on our list this time around - perhaps because much of Europe, including regulators and hackers, was OOO during the entire month of August. So, expect to hear about:
(And yes, also about Google’s monopoly, the resilience of 3rd party cookies and Apple’s DMA struggles, but only in passing, as you’ve probably had enough of those.) Expect us to follow the usual structure: ePrivacy & Regulatory Updates; MarTech & AdTech; AI, Competition and Digital Markets; Zero-Party Data and Customer Centricity; Future of Media. With Celine Takatsuno and Sergio Maldonado. References:
Also, find a full blog post on the Masters of Privacy website. | |||
| Stephen Almond (ICO): data protection law as a primary tool to ensure AI governance | 06 May 2024 | 00:25:04 | |
“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024). Stephen Almond is Executive Director for Regulatory Risk at the UK’s Information Commissioner’s Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum. Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators’ Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation. References:
| |||
| Amy Worley: US privacy compliance for B2B startups, cross-border AI regulation, and a first glance at the American Privacy Rights Act | 15 Apr 2024 | 00:29:33 | |
Amy Worley is Managing Director at BRG, a global leader in data protection, information security, and AI governance. A licensed attorney, certified privacy professional, and certified information systems security professional, Amy formerly served as the Chief Privacy Officer for a billion-dollar pharmaceutical and medical device company and now serves as a fractional Data Protection Officer for several multinational companies. Amy’s consulting practice is focused on helping clients implement sustainable programs that result in meaningful compliance with state, national, and regional laws and build corporate trust. She is passionate about the intersection of data, people, and power.
References:
| |||
| Luke Mulks: Brave’s privacy-preserving ads, publisher dilemmas, AI, and Google’s Privacy Sandbox | 09 Apr 2024 | 00:48:01 | |
Luke Mulks is VP of Business Operations at Brave Software, makers of the Brave browser. He has previously worked in AdTech and print publishing, and he has also founded a few businesses. He is in charge of new business initiatives and strategic revenue growth and oversees the BAT community. Our wide-range conversation has encompassed new business models for media owners, privacy-preserving ads, putting a price on personal data, the manner in which Apple’s bottleneck asphyxiates bolder or more creative approaches to monetizing people’s attention, and Google’s Privacy Sandbox.
References:
| |||
| Ellison Anne Williams: Homomorphic Encryption and its interplay with other PETs | 02 Apr 2024 | 00:24:13 | |
What is Homomorphic Encryption? Can it be leveraged in the context of cross-vertical challenges? Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security startup protecting Data in Use. She has more than a decade of experience spearheading avant-garde efforts in the areas of large scale analytics, information security and privacy, computer network exploitation, and network modeling at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory. In addition to her leadership experience, she is accomplished in the fields of distributed computing and algorithms, cryptographic applications, graph theory, combinatorics, machine learning, and data mining and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).
References:
| |||
| Radha Gohil: the marketer’s approach to privacy, progressive consent and MarTech vendor audits | 25 Mar 2024 | 00:20:03 | |
Is there a sweet spot between privacy compliance and marketing outcomes? What is “progressive consent”? Radha Gohil is a Data Governance and Privacy leader at Shell. She works on AdTech and MarTech data flows, as well as digital and programmatic supply chains, applying privacy compliance requirements to marketing-related practices. This includes consent management and, in general, acting as a bridge between Marketing, IT, CDO and legal. On top of that, Radha chairs the Digital Governance Steering Group at the ISBA (Incorporated Society of British Advertisers). She has previously worked at PwC and The Telegraph. With Radha we have covered the manner in which marketing teams navigate privacy compliance or even leverage a privacy-first approach as a competitive advantage. This includes dealing with transparency requirements or the difficult trade-offs involved in gathering proper consent when required to do so.
References:
| |||
| Matthias Eigenmann: Confidential Computing, contractual relationships and legal bases for Data Clean Rooms | 18 Mar 2024 | 00:34:14 | |
Will Data Clean Rooms help us avoid consent, or personal data altogether, and make the most of first-party data for data collaboration and addressability purposes? Matthias Eigenmann is a Swiss lawyer with over 10 years of practical experience in technology and data protection law. He currently works as legal counsel and DPO at Decentriq (a Data Clean Room), and is also an advisor on data protection matters to a large hospital in Switzerland. Prior to this, he spent several years working in tech and data protection law at a law firm, as well as as an in-house counsel for IT contracts and data protection at PwC Switzerland. References: | |||
| Rie Aleksandra Walle: The DPO’s guide to better sources, constructive debates, and a happier life | 11 Mar 2024 | 00:26:01 | |
Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast. With Rie we will explore her own tips and tricks to stay sharp and up to date, avoiding a myriad of shallow or confusing sources and digging for the best possible answers at all times - all of it while avoiding clickbait, radical opinions and the avalanche of so-called privacy experts clogging LinkedIn feeds. References:
| |||
| Dragos Tudorache: Dealing with foundation models, data protection, and copyright matters in the EU AI Act | 04 Mar 2024 | 00:32:23 | |
Dragos Tudorache is a Member of the European Parliament and Vice-President of the Renew Europe Group. He is the LIBE rapporteur on the AI Act, and he sits on the Committee on Foreign Affairs (AFET), the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), the Subcommittee on Security and Defence (SEDE), and the European Parliament's Delegation for relations with the United States (D-US). He was the Chair of the Special Committee on Artificial Intelligence in the Digital Age (AIDA). Dragos began his career in 1997 as a judge in Romania. Between 2000 and 2005, he built and led the legal departments at the Organization for Security and Co-operation in Europe (OSCE) and the UN missions in Kosovo. After working on justice and anticorruption at the European Commission Representation in Romania, supporting the country’s EU accession, he joined the Commission as an official and, subsequently, qualified for leadership roles in EU institutions, managing a number of units and strategic projects such as the Schengen Information System, Visa Information System, and the establishment of eu-LISA1. During the European migration crisis, Dragos was entrusted with leading the coordination and strategy Unit in DG-Home, the European Commission Directorate-General for Migration and Home Affairs, until he joined the Romanian Government led by Dacian Cioloș. Between 2015 and 2017, he served as Head of the Prime Minister’s Chancellery, Minister of Communications and for the Digital Society, and Minister of Interior. He was elected to the European Parliament in 2019. His current interests in the European Parliament include security and defense, artificial intelligence and new technologies, transatlantic issues, the Republic of Moldova, and internal affairs. We have addressed the following questions around the new EU AI Act:
References:
| |||
| Dr Augustine Fou: Dismantling marketing attribution, ad fraud controls and the business case for third party cookies | 25 Feb 2024 | 00:26:26 | |
Dr. Augustine Fou has nearly three decades of experience in digital marketing, including client-side experience at American Express and agency-side experience at IPG and Omnicom, where he served as Group Chief Digital Officer of eight agencies serving pharma and medical device clients. Dr. Fou also taught digital strategy at Rutgers University's executive education program and NYU's School of Continuing and Professional Studies. With Dr. Fou we will aim to answer the following questions:
References:
| |||
| Stefan Filipović: Young DPOs - Challenges and Opportunities | 19 Feb 2024 | 00:28:38 | |
Stefan Filipović is a privacy lawyer that began his career at the outset of GDPR enforcement in 2018. Throughout the years, he has built his expertise by working at a law firm focusing on IP and privacy, at a university as a researcher investigating legal challenges in regulating AI-based technology, and as a privacy officer and a counsel for a few Norwegian companies. Today he is a DPO at reMarkable. For several years, he also volunteered at ICANN, and for a period of time, at NIST’s privacy workforce. Beyond his focus on privacy compliance, he maintains a strong passion for information security, computer science, and risk management, as well as corporate governance and finance. References:
| |||
| Jay Averitt: the evolving role of the Privacy Engineer, technical privacy reviews and DPIAs | 30 Aug 2024 | 00:27:55 | |
Jay Averitt is currently a Senior Privacy Product Manager at Microsoft, where he manages technical privacy reviews involving Microsoft365 products including CoPilot, GPT, and other LLM products. He was previously a Privacy Engineer at Twitter, where he managed technical privacy reviews across the platform. He’s been working in privacy for over a decade as both a privacy technologist and a privacy attorney. Before switching to technical privacy, he worked as a technology counsel at SAP, SAS, and Lenovo.
References:
| |||
| Newsroom: Winter 2024 | 12 Feb 2024 | 00:23:12 | |
Nina Müller and Sergio Maldonado discuss a few recent events across the EU, the UK, and the US: Yahoo/Uber ePrivacy fines, Google Chrome (Incognito Mode) settlement, US Congress Social Media hearing, upcoming UOOM/ Global Privacy Control enforcement across various states, and Spain’s AEPD Guidelines to circumvent cookie consent requirements for high-level Digital Analytics. Please find relevant links and additional updates across all of our usual core sections (ePrivacy and regulatory updates; MarTech and AdTech; AI, competition, and digital markets; PETs and Zero-Party Data; future of media) on the PrivacyCloud website. | |||
| Peter Craddock: Could core advertising components fall under the “strictly necessary” ePrivacy exemption? | 04 Feb 2024 | 00:39:43 | |
Could we re-interpret article 5.3 of the ePrivacy Directive so that the “strictly necessary” (to provide a service) consent exemption gives shelter to the core technical building blocks of advertising solutions making journalism possible? Can we not deal with personal data (should it be involved at all) or behavioral targeting (should it be the case) separately under the GDPR? Peter Craddock helps us answer that question. Our guest is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. Peter is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References:
| |||
| Damien Desfontaines: Differential Privacy in Data Clean Rooms | 28 Jan 2024 | 00:28:53 | |
Can we take Data Clean Rooms to the next level in terms of baked-in privacy? Damien Desfontaines is a Scientist at Tumult Labs, a startup that helps organizations safely share or publish insights from sensitive data, using differential privacy. Before that, he led the anonymization consulting team at Google, and got his PhD in computer science at ETH Zürich. He maintains a blog that teaches you all about differential privacy. References: | |||
| Tejas Manohar: Data activation and composable CDPs in a privacy-first world | 22 Jan 2024 | 00:32:27 | |
Tejas Manohar is the co-founder and co-CEO of Hightouch. Prior to founding Hightouch, Tejas was an early engineer at Segment, a leading Customer Data Platform (CDP) acquired by Twilio. The following topics have been covered in this interview:
References: | |||
| Molly Martinson: Dealing with data processors, sensitive data and opt-out signals in the growing patchwork of US state privacy laws | 15 Jan 2024 | 00:34:35 | |
Molly Martinson is a lawyer at Wyrick Robbins, a Raleigh-based law firm with outstanding privacy compliance credentials. She advises clients on a whole range of applicable privacy frameworks (CCPA, CPRA, FCRA, CAN-SPAM, COPPA, HIPAA), data breaches, laws regulating data brokers, and laws governing website and mobile application privacy policies. She also regularly advises international and U.S.- based clients on the applicability and requirements of the EU General Data Protection Regulation (GDPR). Molly received her B.A., cum laude from Wake Forest University and her J.D. with honors from UNC Schoolors Writing Scholar. She also received the Gressman-Pollitt Award for Excellence in Oral Advocacy. Molly served as a law clerk to the Honorable Robert N. Hunter, Jr. on the Supreme Court of North Carolina and the North Carolina Court of Appeals before entering private practice. References:
| |||
| Romain Robert: Pay or OK in AdTech - How it started and where it’s going | 08 Jan 2024 | 00:41:01 | |
Romain Robert is member of the litigation chamber of Belgium’s Supervisory Authority. He worked in various Brussels law firms between 2002 and 2011. Between 2007 and 2011, he was also a researcher at the Research Centre in Law and Society at the University of Namur. In 2011, he joined Belgium’s Supervisory Authority as a legal advisor. He worked as legal officer at the Policy and Consultation Unit of the European Data Protection Supervisor (EDPS) as of 2015 and joined the Secretariat of the European Data Protection Board (EDPB) in May 2018. In April 2020, Romain joined NOYB - an NGO conducting strategic litigation to enforce digital rights - where he was Program Director until July 2023. References:
| |||
| Renzo Marchini: Unintended consequences of the EDPB’s Guidelines on storage and access beyond cookies | 05 Dec 2023 | 00:31:00 | |
Renzo Machini is a London-based partner at Fieldfisher's Data and Privacy team. He holds CIPP/E, CIPT and FIP certifications from the IAPP and is well versed in Cloud Computing, Big Data and other technologies overlapping with privacy and GDPR compliance. He has authored "Cloud Computing: A practical introduction to the legal issues" and, prior to becoming a solicitor, he worked for five years as a software engineer at Logica (now CGI), a major independent UK software house. With Renzo we are directly addressing the biggest elephant in the ePrivacy room today: What are the unintended consequences of the EDPB’s recent Guidelines on the technical scope of article 5.3 of the ePrivacy Directive? References:
| |||
| Newsroom: Fall 2023 | 28 Nov 2023 | 00:18:31 | |
Nina and Sergio run through the most relevant news of the past three months at the usual intersection of marketing, data, privacy, and technology - stopping at a few less commented and yet quite relevant fines, guidelines, or upcoming legal frameworks. In particular, this episode covers:
Best of all, we managed to avoid OpenAI’s drama. With Nina Müller and Sergio Maldonado. References:
| |||
| Arielle Garcia: How privacy awareness leads to respectful, effective marketing | 20 Nov 2023 | 00:26:38 | |
Arielle Garcia combines a really good understanding of the advertising industry with award-winning expertise in privacy and responsible data use. She is the founder of ASG solutions, a consultancy firm specifically focused on helping marketers drive sustainable growth through respectful marketing and was previously UM Worldwide’s Chief Privacy Officer. She holds a JD from Fordham University and has been recognised as a Top Woman in Media and AdTech by AdExchanger in 2023 (as well by others in prior years). In 2021 she was inducted to the American Advertising Federation’s Advertising Hall of Achievement due to her impact on the industry. What we have covered in this episode:
References: | |||
| Jeffrey Bustos: Retail Media, privacy, and the future of addressability | 13 Nov 2023 | 00:23:55 | |
Jeffrey Bustos is the VP, MAD (Measurement Addressability Data) + Commerce at the IAB where he develops industry standards and guides for measurement and addressability solutions to enable revenue growth, efficiency, and scale with a focus in Retail Media Networks, Video / Advanced Television, and Privacy Enhancing Technology. His projects include: Categorization & Definitions Buyers Guide for Retail Media, Data Clean Rooms and Privacy Preserving Solutions Research, and Attention & Engagement Metrics Standards. Previously, Jeffrey worked at GroupM where he led Data & Audience Strategy for eCommerce clients, assisting them with cookieless solutions, audience strategy & activation, as well as data taxonomy & identity resolution for CDPs and Data Clean Room activations. References:
| |||
| Nick Manning: Advertising, Who Cares? | 25 Aug 2024 | 00:38:11 | |
Nick Manning is a commentator, author and speaker on advertising, with a specialization in media. He co-founded Manning Gottlieb Media in 1990, and following its purchase by Omnicom he became CEO of the OMD UK Group. He also co-founded OPera, the media negotiation arm for OMD and PHD. In 2007 Nick joined Ebiquity as Chief Operating Officer before becoming responsible for Ebiquity’s non-UK based operations and Chief Strategy Officer. At Ebiquity he led the team that produced the recommendations for advertisers that accompanied the K2 Intelligence report into media transparency in 2016. Since 2019 he has run his own consulting business, advising advertisers and their trade associations. Nick specializes in helping advertisers improve their effectiveness, accountability and transparency. References:
| |||
| Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls | 06 Nov 2023 | 00:33:37 | |
Cristiana Santos is Assistant Professor in Privacy and Data Protection Law at Utrecht University, holding a joint international Doctoral Degree in Law, Science and Technology from the University of Bologna, and a Ph.D. in Computer Science from the University of Luxembourg. She is an expert of the Data Protection Unit at the Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. She holds an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA, 2023-2026) to work on technical and legal aspects of data protection. Prior to joining academia, Cristiana was a lawyer and worked as a legal adviser and lecturer at the Portuguese Consumer Protection Organization. Victor Morel holds a Ph.D in Computer Science from INRIA and works at the Security & Privacy Lab of Chalmers University in Gothenburg (Sweden). He is working on usable privacy for IoT applications, and his interests encompass privacy, data protection, networks security, usability and Human-Computer Interactions, applied cryptography, and the broad spectrum of ethics in technology. He is also a member of FELINN’s collegiate council, a French association (1901) defending decentralization, privacy, and free software through popular education. Cristiana and Victor have co-authored a recent paper titled “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls”. With them we are directing our attention to consent walls in the context of publishers and the open market, having already dedicated two recent interviews to the “consent or pay” model as it concerns Instagram and Facebook (ie. Meta). We will also try to understand the challenges and potential conflicts of interest faced by CMP (Consent Management Platform) vendors. References:
| |||
| Jeff Jockisch: AI-powered phishing attacks in the age of the Delete Act | 30 Oct 2023 | 00:26:51 | |
Jeff Jockisch is an independent data privacy researcher at PrivacyPlan. He is also Chief Privacy Officer and partner at Avantis Privacy. Prior to compiling the largest known database of data brokers, he spent many years working with startups, technology, and data. He studied Organizational Behavior at Cornell and holds a CIPP/US accreditation (IAPP). Our primary questions today: Can the (brand new) California "Delete Act" or the GDPR be sufficient to avoid major AI-powered phishing attacks? Is there anything else that we could do as individuals or businesses? References:
| |||
| Robert Bateman: Consent or Pay | 23 Oct 2023 | 00:44:35 | |
Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. With Robert we have addressed the recent public outcry about Instagram and Facebook becoming paid services for whoever does not want to see ads or consent to the data processing involved in running them. Given that we have already got used to seeing cookie walls on European news websites (in Germany, France, or Italy), we have aimed to open the wider debate around “Consent or Pay” business models. References:
| |||
| Cory Underwood: The new privacy landscape for US-based digital marketers | 16 Oct 2023 | 00:36:19 | |
Cory Underwood is a Privacy and Data Analytics Engineer with a strong marketing data technology background and a good knowledge of both US and EU ePrivacy law. Cory supports the data privacy offerings of Atlanta-based Search Discovery (a data strategy and activation company), leveraging eight years of experience in privacy efforts and multiple privacy related certifications to enable clients to understand the impact of privacy changes. With a combined thirteen years of experience in technology, Cory specializes in speaking and writing on his blog (cunderwood.dev) about upcoming privacy changes, allowing readers to take a proactive approach to compliance challenges. In our second interview with Cory we have looked for answers to the following questions:
References:
| |||
| Katharine Jarmul: Demystifying Privacy Enhancing Technologies | 09 Oct 2023 | 00:25:21 | |
Katharine Jarmul is a privacy activist and data scientist focused on privacy and security in data science workflows. She’s a principal data scientist at Thoughtworks and has worked at various companies in the US and Germany before that. She is also a frequent keynote speaker at software and AI conferences. Katharine has recently published “Practical Data Privacy” (O’Reilly, 2023), in which she provides a deep dive of Privacy Enhancing Technologies (“PET”), including detailed answers to increasingly common questions: How can we actually anonymize data? How does federated learning work? Can we already leverage Homomorphic Encryption to run analysis or work with data even while it is encrypted? How can we compare and pick the most appropriate PETs? Can we use open source libraries? In our discussion:
References: | |||
| Jakob Plesner: Copyright Exceptions for Generative AI | 02 Oct 2023 | 00:29:11 | |
Jakob Plesner Mathiasen is an attorney with a focus on Intellectual Property and emerging technologies. He serves as the Secretary for the Danish Society for Copyright Law and is the mind behind the Danish Entertainment Law podcast. He also teaches Entertainment Law at the University of Copenhagen. With Jakob we’ll try to better understand the copyright implications of Generative AI, and this should help many DPOs, CPOs, or innovation managers deal with the intellectual property side of their new AI Governance responsibilities. References:
| |||
| Ito Onojeghuo: Effective Privacy Notices | 25 Sep 2023 | 00:29:16 | |
Ito Onojeghuo works with a number of global establishments as an independent Data Protection Consultant, Group Data Protection Officer, and EU Representative. She is also the CEO at ALLNETLAW, which is a leading UK-based IAPP Training Partner. Besides holding an LL.M in Internet law and policy, Ito is a Fellow of Information Privacy (FIP), a Certified Information Privacy Professional, and an Independent Conformity Assessment Advisor for the UK Age Check Certification Scheme (ACCS). With Ito we have addressed a very important topic sitting at the heart of data protection or privacy compliance for every business: Effective Privacy Notices (or “Privacy Policies”). References:
| |||
| Newsroom: Summer 2023 | 12 Sep 2023 | 00:25:01 | |
Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology. Visit this episode's blog post on Masters of Privacy for a long list of references and notes. | |||
| Nick Baskett: Mastering DPIAs | 11 Jul 2023 | 00:27:24 | |
Nick Baskett is DPO at Holland & Barrett. He has a personal interest in ethics and philosophy, encryption and AI, and he once published a book on Data Protection Impact Assessments. He was also the founder of one of the early Cyber Security consultancies in the UK (Matta). With Nick we have discussed best practices around Data Protection Impact Assessments or Privacy Impact Assessments, including their management at scale in the context of privacy operations, as well as risk assessment efforts associated with Generative AI projects. References:
| |||
| Catherine King: from words to action in data ethics | 29 Jun 2023 | 00:25:18 | |
Catherine King is a content creator, moderator, enabler and instructor in the fields of data ethics and also the broader data and analytics space. She is currently global head of brand engagement at Orbition. Catherine was recently a speaker at the Ethics in eCommerce Summit in London (put together by the Ethical Commerce Alliance) in which we coincided. With her we have explored a more controversial and practical approach to data ethics, under the acceptance that morals reflect a particular stance in a wide range of really important social issues, rather than a universal truth applicable to all. References: | |||
| Tony Fish: Is our philosophy of data consistent with our approach to privacy and data ethics? | 19 Aug 2024 | 00:35:21 | |
Tony Fish is an investor, author and self-confessed maverick. He has been building digital businesses since 1990, with a first exit in 1995 and many businesses founded, co-founded, sold and listed after that. He thrives in complex, groundbreaking and uncertain environments, being currently focused on rethinking corporate governance models, ethics and AI, data policy and evidence-based decision making in volatile situations. He is a speaker and author of four books, as well as a visiting fellow for entrepreneurship and innovation at Henley Business School, has taught at London Business School in AI and Ethics, the London School of Economics and Sydney Business School. His latest book (“Decision-making in uncertain times”) has been widely available since early June. References:
| |||
| Newsroom: Spring 2023 | 18 Jun 2023 | 00:46:39 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording: GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union. LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018. The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios). TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024. The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct. Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario - in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available. CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner. FTC enforcement actions involving the use website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom. The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions:
The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023. Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested). | |||
| Adam Klee: combining media addressability, privacy compliance and customer empowerment | 28 May 2023 | 00:36:00 | |
Adam Klee has an impressive resume in the AdTech world, having worked at Disney, Google, NBC, Twitter, Polar, or Spotify. He is the founder of Licorice, a platform that “gives consumers the privacy they want and publishers the data they need”. Adam’s passion for solving this problem comes from both his years developing new ways to help drive better yield for publishers, and his experience as a consumer, where he thinks privacy should come standard. We are covering:
References:
| |||
| Eve-Christie Vermynck: Responding to a personal data breach | 27 Apr 2023 | 00:24:42 | |
Eve-Christie Vermynck is a dual-admitted lawyer (civil law, common law) working at Skadden, Arps, Slate, Meagher & Flom. She advises clients on Cybersecurity, Privacy, IT/IP, blockchain and related topics. She is also a member of the Data Law Committee at The City of London Law Society. With Eve-Christie we are going to discuss the specific practical steps when it comes to dealing with personal data breaches in the UK or the EU. References: | |||
| Mattia Fosci: The publisher’s dilemma in a first-party data world | 06 Apr 2023 | 00:32:53 | |
As a lawyer turned entrepreneur, Dr. Mattia Fosci combines privacy and AdTech expertise. He is the founder and CEO of Anonymised, an advertising platform that helps publishers understand and monetise their audiences at scale across all browsers and devices, using only anonymous data. We have covered or touched on:
References:
| |||
| Winter 2023 Newsroom | 16 Mar 2023 | 00:37:05 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies: Spain’s AEPD issued a decision on the use of Google Analytics by the Royal Academy of Spanish Language (“RAE”), becoming the first EU Data Protection Agency to see the glass half full in the use of the widespread digital data collection service (having been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling - and in this regard aligned with the CNIL’s long-standing guidelines for the valid use of the tool. At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NS2 Directive (or v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to “essential sectors” (such as energy, banking, health, or digital infrastructure). Across the Channel, the UK’s Data Protection Agency (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either such tool or the guidelines provided by the European Data Protection Board will be considered valid. Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope to agree on a common approach in the face of multiple NOYB complaints across the EU) and the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the “Reject All” button in a second layer - which most notably leaves Spain’s AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on second layer; b) a reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies. The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and getting many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale. All of which can easily lead us to the latest update on the EU-US Data Privacy Framework: The EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the data protection review court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it with the hope of issuing an adequacy decision by July 2023. This would do away with all the headaches derived from the Schrems II ECJ decision (including growing pressure to store personal data in EU-based data centers), were it not for the general impression that a Schrems III challenge looms in the horizon. In the United States, long-awaited new privacy rules in California (CPRA) and Virginia (CDPA) entered into force on January 1st. Although both provide a set of rights in terms of ensuring individual control over personal data being collected across the Internet (opt-out, access, deletion, correction, portability…), California’s creates a private right of action that could pave the way for a new avalanche of privacy-related lawsuits.In any case, only companies meeting a minimum threshold in terms of revenue or the amount of consumers affected by their data collection practices (both of them varying across the two states) will have to comply with the new rules. Lastly, Privacy by Design will become ISO standard 31700 on February 8th, finally introducing an auditable process to conform to the seven principles originally laid out by Anne Cavoukian as Ontario(Canada)’s former Data Protection Commissioner. Enforcement updates It’s been interesting to see how continental Data Protection Agencies (“DPAs”) keep milking the cow of the ePrivacy Directive’s lack of a one-stop-shop for US or China-based Big Tech giants. The long-awaited ePrivacy Regulation never arrived to keep this framework in sync with the GDPR (which does have a one-stop-shop), and this leaves an opening for any DPA to avoid referring large enforcement cases involving such players to the Irish Data Protection Commissioner (“DPC”) whenever cookie consent is involved. This criterion has been further strengthened by the recent conclusions of EPDB cookie banner task force. Microsoft was the last major victim of this particular gap (following Meta and Google), receiving a 60-million euro fine from France’s DPA (CNIL), which shortly after honored TikTok with a 5m euro fine (once again, due to the absence of a “Reject All” button on its first layer - or “not being as easy to reject cookies as it is to accept them”) and, not having had enough, went on to give Apple an 8m euro fine for collecting unique device identifiers of visitors to its App Store without prior consent or notice, in order to serve its own ads (which is akin to a cookie or local storage system when it comes to article 5.3 of the ePrivacy Directive). The CNIL ePrivacy-related enforcement spree did not stop short at Big Tech. Voodoo, a leader in hyper-casual mobile games, was also a target, receiving a 3 million euro fine for lack of proper consent when serving an IDFV (unique identifier “for vendors”, which Apples does allow app publishers to set when IDFA or cross-app identifiers have been declined via the App Tracking Transparency prompt). Putting the ePrivacy Directive aside, and well into pure GDPR domain, Discord received a 800k euro fine (again, at the hands of CNIL) on the basis of: a) a failure to properly determine and enforce a concrete data retention period; b) a failure to consider Privacy by Design requirements in the development of its products; c) accepting very low security levels for user-created passwords; and d) failing to carry out a Data Protection Impact Assessment (given the volume of data it processed and the fact that the tool has become popular among minors). And yet, one particular piece of news outshined mostly everything else in this category: Ireland’s DPC imposed a 390 euro fine on Meta following considerable pressure from the EDPB for relying on the contractual legal basis in order to serve personalized advertising - itself the core business model of both social networks. We had a debate on the matter with Tim Walters (English) and Alonso Hurtado (Spanish) on Masters of Privacy, and published an opinion piece on our blog. This last affair is a good segue into Twitter’s latest troubles. Its new owner, Elon Musk, not content with having fired key senior executives in charge of EU privacy compliance (including its Chief Privacy Officer and DPO), has suggested that he will oblige its non-paying users to consent to personalized advertising. The Irish DPC (once again, in charge of its supervision under the one-stop-shop rule) asked Twitter for a meeting in the hope to draw a few red lines. Meanwhile, the Spanish AEPD, still breaking all records in terms of monthly fines, sanctioned UPS (70,000 euros) for handing out a MediaMarkt (consumer electronics) delivery to a neighbor, thus breaching confidentiality duties. This will have a serious impact on the regular practices of courier services in the country. Back in the United States, Epic Games and the FTC agreed to a $520m fine for directly targeting children under the age of 13 with its Fortnite game (a default setting that allows them to engage in voice and text communications with strangers has made it worse), as well for using for “dark patterns” in in-game purchases. Separately, in what we believe it is a first case of its kind, even in the EU (with the ECJ FashionID case possibly being the closest we have been to it). Betterhelp has received an FTC $7,8m fine for using the Facebook Lookalike Audiences feature (and alternative offerings in the programmatic advertising space, including those of Criteo, Snapchat or Pinterest) to find potential customers on the basis of their similarity with the online mental health service’s current user base. This involved sensitive data and follows repetitive disclaimers by Betterhelp that data would in no case be shared with third parties. On the private lawsuits front (especially important in the US), Meta agreed to pay $725m after a class action was brought in California against Facebook on the back of the ever-present Cambridge Analytica scandal. Also, the Illinois Biometric Information Privacy Act (BIPA) kept putting money into the pockets of claimants and class action lawyers, in this case forcing Whole Foods (an upscale organic food supermarket chain owned by Amazon) to settle for $300.000 - we have previously previous cases against TikTok, Facebook or Snapchat, albeit it was the monitoring, via “voiceprints”, of its own employees (rather than its customers) that triggered this particular lawsuit. Legitimate Interest strikes back To finish with this section, very recent developments justify turning our eyes back to the UK and the EU as there is growing momentum for the acceptance of the legitimate interest as a legal basis for purely commercial or direct marketing purposes: While the CJEU decides on a question posed by a Dutch court in January, in which the DPA issued a fine to a tennis association for relying on legitimate interest to share member details with its sponsors (who then sent commercial offers to them), a UK court (First-Tier Tribunal) has ruled against the ICO (UK DPA) and in favor of Experian (a well-known data broker) for collecting data about 5.3m people from publicly available sources, including the electorate register, to build customer profiles and subsequently selling them to advertisers. Experian has relied on legitimate interest and found it too burdensome to properly inform every single individual (this being the ICO’s main point of contention). The decision does appear to indicate that using legitimate interest would not be possible if the original data collection had been based on consent, but even this is not entirely clear. So, just to make it even more clear and simple, the UK Government presented a new draft of a new UK Data Protection Bill on March 8th that includes a pre-built shortcut to using legitimate interest without need for the so-called three part test (purpose, necessity, balancing). Data controllers can now go ahead with this legal basis if they find their purpose in a non-exhaustive list provided - which includes direct marketing. Competition and Digital MarketsGoogle was sued by the Department of Justice for anti-competitive behavior in its dominance of the AdTech stack across the open market (or the ads that are shown across the web and beyond its own “walled gardens”), using its dominance of the publisher ad server market (supply side) to further strengthen its stranglehold of the demand side (advertisers, many of them already glued to its Google Ads or DV360 platforms in order to invest in search keywords or YouTube inventory) and, worse, artificially manipulating its own ad exchange to favor publishers at the expense of advertisers - thereby reinforcing the flywheel, as digital media publishers found themselves with even less incentives to work with competing ad servers. Zero-Party Data and Future of Media(The piece of news below obliges us to combine both categories this season) The BBC has rolled out its own version of SOLID pods to allow its own customers to leverage their own data (exported from Netflix, Spotify, and the BBC) in order to obtain relevant recommendations while staying in full control of such data. Perhaps a little step towards individual agency, but a giant one for a digital media ecosystem mostly butchered by the untenable notice-and-consent approach derived from the current legal framework - which takes us back full circle to Elizabeth Renieris’ new book.
| |||
| Nicola Newitt: the legal case for Data Clean Rooms | 09 Mar 2023 | 00:33:11 | |
Nicola Newitt is a UK qualified lawyer who trained in private practice and worked at Slaughter and May before moving in-house to start her privacy career in Bupa’s international health insurance business. She is now Senior Privacy and Product Counsel at InfoSum, a leading Data Clean Room. With Nicola we have covered a very hot topic for anyone in the Marketing Technology or AdTech spaces. Our discussion included the following questions:
References:
| |||
| Joana Mota: Privacy compliance in a web3 world | 03 Mar 2023 | 00:25:00 | |
Joana is Partner at Cuatrecasas, where she leads the Technology, Media and Telecom team. She has also worked for 3 years at ANACOM, Portugal's telecom and media regulator and one of the two supervisory authorities when it comes to the ePrivacy Directive in Portugal, the other being the Portuguese Data Protection Authority. Besides being fully versed in the opportunities presented by blockchain technologies, and having advised startups in the crypto space, Joana is co-author of the chapters on Portugal in The Privacy, Data Protection and Cybersecurity Law Review, 7th Edition (2020) as well as other relevant publications and I was happy to find out that she is also a Queen Mary’s University alumni (as I am myself). With Joana we will cover:
References: | |||
| Sunny Kang: Machine Learning meets Privacy Enhancing Technologies | 17 Feb 2023 | 00:22:02 | |
Sunny Seon Kang is Global Privacy Counsel at VISA, specializing in AI Governance and Privacy Enhancing Technologies. She is well versed in comparative privacy law across the US, the EU and the UK. She has studied at Stanford and Berkeley in the US, as well as UCL in London, and is a member of the New York Bar. With Sunny we are discussing a highly complex but very exciting topic: Privacy-Preserving Machine Learning, as well as a more generic understanding of Privacy Enhancing Technologies. References:
| |||
| Tim Walters: The bigger picture on Facebook and Instagram being deprived of a contractual legal basis | 19 Jan 2023 | 00:34:44 | |
Tim Walters is a strategist, analyst, advisor, and speaker sitting at the intersection of data privacy, customer experience, and marketing strategy. Privacy Lead at Content Advisory, as well as founder of Zero Theory, Tim previously founded The Digital Clarity Group. He has also been a Senior Analyst at Forrester Research. Some of his keynotes and publications include: “The Total Impossibility of Customer Experience Management”, “Data Privacy Goes Mainstream: An Unexpected Opportunity For Customer Experience”, and “Trust Is Imperative in the Customer Experience Era.” References:
| |||
| Jose Belo: Artificial Intelligence in MarTech and AdTech | 15 Dec 2022 | 00:35:26 | |
Jose Belo (FIP, CIPP/E, CIPM) is a legal professional and Data Protection Officer, specialized in data protection, privacy and compliance. Jose is currently an International Research Fellow at the ISLC at the University of Milan (Italy). His last professional engagement was as Head of Data Privacy at Valuer.ai, an AI-powered tech company from Copenhagen, Denmark. Since January 2022, Jose has been appointed as a Member of the IAPP European Advisory Board. Jose is also, currently, co-chair of the IAPP Copenhagen Chapter. Formerly, Jose was co-chair of the Portugal and Luxembourg Chapters of the IAPP. We cover, in this order:
References: | |||
| Newsroom: Spring 2024 | 19 Jun 2024 | 00:22:00 | |
We are closing this season with a Spring Newsroom before we officially kick off the summer, summarizing everything that’s happened in the past quarter across our usual five sections: ePrivacy (enforcement, regulatory updates), MarTech/ AdTech, AI/ Competition/ Digital Markets, PETs/ Zero-Party Data, Future of media. This includes:
A full transcript with links and additional resources can be found on the PrivacyCloud blog.
| |||
| Sandy Tsakiridi: Practical considerations on AI Governance and the upcoming EU AI Act | 25 Nov 2022 | 00:37:27 | |
Sandy Tsakiridi is a dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London. Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP). We cover, in this order:
References:
| |||
| Brendan Quinn: DPIAs, whistleblowers, collective redress, and the GDPR-DSA interplay | 18 Nov 2022 | 00:28:37 | |
Brendan Quinn (Esq.) is a qualified Irish Solicitor, New York Attorney, and Fellow of the Chartered Certified Accountants (FCCA), holding an LL.M from University College Dublin and Higher Diplomas in Computer Science and Data Analytics, as well as a postgraduate in Financial Technology. He is also the author of Data Protection Implementation Guide: A Legal, Risk and Technology Framework for the GDPR (Wolters Kluwer, September 2021). Among other things, our guest helps innovative software companies in their compliance with Privacy by Design and data security requirements, including data anonymization research and DPIAs. We cover, in order:
References:
| |||
| Fall 2022 Newsroom: Instagram and Criteo fines, GDPRexit, and the Data Privacy Framework | 03 Nov 2022 | 00:31:00 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. References:
Selected updates: Enforcement Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels. Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform. The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NYOB against companies using either Google Analytics or the Facebook pixel. Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web. Legal updates It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud. For its part, the UK wants out of the GDPR and this could actually result in a more dynamic environment (it relied on an Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives. Future of media Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users - starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion. | |||
| Stephan Grynwajc: A lawyer’s take on EU-US data transfers and the Canadian approach | 27 Oct 2022 | 00:21:27 | |
Stephan Grynwajc is admitted as a lawyer in the EU, the UK, the US and Canada, having worked as a privacy practitioner and DPO in both Europe and North America for the last 20 years. His own law firm offers external DPO services to EU/UK and US/Canada-based companies. Stephan is also a partner specialized in international privacy at Outside GC, a bicoastal US law firm. Stephan publishes regularly on various privacy topics, including for the IAPP Privacy Advisor. He is also an Adjunct Professor on privacy and data protection at various universities. References: | |||