Masters of Privacy – Details, episodes & analysis

Earlier this summer, Google announced that its Chrome browser would after all keep third party cookies. This interview with Robin de Wouters is the first of two episodes exploring the consequences of that update from the point of view of our usual stakeholders (DPOs, CMOs, CDOs). 

Robin de Wouters is the Director General for the Federation of European Data & Marketing (FEDMA), in Brussels. He has a strong background in communication and public relations across the private, non-profit and institutional spheres. He previously worked in the field of human rights with Euromed Rights, the ONE Campaign and the United Nations. Robin is also the Vice-Chair of the Board of the European Interactive Digital Advertising Alliance (EDAA) and the Communications Director and Spokesperson for Democrats Abroad Belgium, the international arm of the US Democratic Party.

References:

• Federation of European Data and Marketing (FEDMA)
• Robin de Wouters on LinkedIn
• Sergio Maldonado, Nobody was ready for the Privacy Sandbox, but deprecating cookie banners is long overdue
• Google announces they are not deprecating third-party cookies
• Peter Cradock (Masters of Privacy): Could core advertising components fall under the “strictly necessary” ePrivacy exemption? 
• CNIL publishes study on alternatives to third-party advertising cookies (Freevacy)

Ok, the summer is nearly over, which means it is time for a Newsroom summarizing everything that’s happened in the last two months at the intersection of marketing, data, privacy and technology. 

California and the FTC have more specific weight on our list this time around - perhaps because much of Europe, including regulators and hackers, was OOO during the entire month of August. So, expect to hear about:

• A CDP (Segment) being sued for its data collection practices
• Uber’s Catch-22
• The FTC discards hashing as a means of anonymization 
• Chrome could be forced to support Global Privacy Control
• The AI Bill drama in California.

(And yes, also about Google’s monopoly, the resilience of 3rd party cookies and Apple’s DMA struggles, but only in passing, as you’ve probably had enough of those.)

Expect us to follow the usual structure: ePrivacy & Regulatory Updates; MarTech & AdTech; AI, Competition and Digital Markets; Zero-Party Data and Customer Centricity; Future of Media. 

With Celine Takatsuno and Sergio Maldonado.

References:

• Sergio Maldonado, Nobody was ready for the Privacy Sandbox, but deprecating cookie banners is long overdue (ie., third party cookies are not going away)
• Class action was filed against Twilio in California
• Uber received a $290m euro fine in The Netherlands
• The Federal Trade Commission audited hundreds of websites and apps, finding all sorts of dark patterns
• Controversial California AI Bill
• California passes another law that, if signed, will require browsers to implement Global Privacy Control standards
• FTC: Hashing email addresses does not result in anonymized data 
• Netflix announces data collaboration partnerships
• Apple tries a little harder to appease the EU Commission with additional Digital Markets Act measures

Also, find a full blog post on the Masters of Privacy website.

“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024).

Stephen Almond is Executive Director for Regulatory Risk at the UK’s Information Commissioner’s Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum.

Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators’ Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation.

References:

• Technology and Innovation Directorate at the ICO
• ICO: Guidance on AI and data protection 
• ICO: Draft Guidance on Privacy Enhancing Technologies (PETs) 
• Dragos Tudorache: dealing with foundation models, data protection and copyright in the AI Act (Masters of Privacy)

Amy Worley is Managing Director at BRG, a global leader in data protection, information security, and AI governance. A licensed attorney, certified privacy professional, and certified information systems security professional, Amy formerly served as the Chief Privacy Officer for a billion-dollar pharmaceutical and medical device company and now serves as a fractional Data Protection Officer for several multinational companies. 

Amy’s consulting practice is focused on helping clients implement sustainable programs that result in meaningful compliance with state, national, and regional laws and build corporate trust. She is passionate about the intersection of data, people, and power.

References:

• Amy Worley on LinkedIn
• BRG: Privacy and Data Protection services
• Draft: American Privacy Rights Act 2024
• Dragos Tudorache: Dealing with foundation models, data protection, and copyright in the EU AI Act (Masters of Privacy)
• EDPB Guidelines 8/2020 on the targeting of social media users

Luke Mulks is VP of Business Operations at Brave Software, makers of the Brave browser. He has previously worked in AdTech and print publishing, and he has also founded a few businesses. He is in charge of new business initiatives and strategic revenue growth and oversees the BAT community. 

Our wide-range conversation has encompassed new business models for media owners, privacy-preserving ads, putting a price on personal data, the manner in which Apple’s bottleneck asphyxiates bolder or more creative approaches to monetizing people’s attention, and Google’s Privacy Sandbox.

References:

• Basic Attention Token
• Brave Ads Manager
• Brave: Blocking annoying and privacy-harming cookie consent banners
• Brave: Privacy And Competition Concerns with Google’s Privacy Sandbox
• How we tried to fix advertising, ecommerce, and media by putting people in control of their data — from WeRule to PrivacyCloud

What is Homomorphic Encryption? Can it be leveraged in the context of cross-vertical challenges?

Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security startup protecting Data in Use. She has more than a decade of experience spearheading avant-garde efforts in the areas of large scale analytics, information security and privacy, computer network exploitation, and network modeling at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory. In addition to her leadership experience, she is accomplished in the fields of distributed computing and algorithms, cryptographic applications, graph theory, combinatorics, machine learning, and data mining and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).

References:

• Dr. Ellison Anne Williams (full profile), Enveil
• Enveil Drives Data Value Across Silos with Enhanced Encrypted Search Offering
• ICO Guidance on Privacy Enhancing Technologies
• Matthias Eigenmann: Confidential Computing, contractual relationships, and legal bases for Data Clean Rooms (Masters of Privacy)
• Damien Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy)

Is there a sweet spot between privacy compliance and marketing outcomes? What is “progressive consent”?

Radha Gohil is a Data Governance and Privacy leader at Shell. She works on AdTech and MarTech data flows, as well as digital and programmatic supply chains, applying privacy compliance requirements to marketing-related practices. This includes consent management and, in general, acting as a bridge between Marketing, IT, CDO and legal. On top of that, Radha chairs the Digital Governance Steering Group at the ISBA (Incorporated Society of British Advertisers). She has previously worked at PwC and The Telegraph.

With Radha we have covered the manner in which marketing teams navigate privacy compliance or even leverage a privacy-first approach as a competitive advantage. This includes dealing with transparency requirements or the difficult trade-offs involved in gathering proper consent when required to do so. 

References:

• Radha Gohil on LinkedIn
• Incorporated Society of British Advertisers
• ICO: Upcoming action on making advertising cookies compliant

Will Data Clean Rooms help us avoid consent, or personal data altogether, and make the most of first-party data for data collaboration and addressability purposes?

Matthias Eigenmann is a Swiss lawyer with over 10 years of practical experience in technology and data protection law. He currently works as legal counsel and DPO at Decentriq (a Data Clean Room), and is also an advisor on data protection matters to a large hospital in Switzerland. Prior to this, he spent several years working in tech and data protection law at a law firm, as well as as an in-house counsel for IT contracts and data protection at PwC Switzerland. 

References:

• Matthias Eigenmann, Enhanced Privacy for Data Analytics
• Matthias Eigenmann on LinkedIn
• Decentriq, a Data Clean Room
• Damian Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy)
• Nicola Newitt: The legal case for Data Clean Rooms (Masters of Privacy)

Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. 

Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast.

With Rie we will explore her own tips and tricks to stay sharp and up to date, avoiding a myriad of shallow or confusing sources and digging for the best possible answers at all times - all of it while avoiding clickbait, radical opinions and the avalanche of so-called privacy experts clogging LinkedIn feeds.

References:

• How to stay up to date as a DPO
• The Grumpy GDPR Podcast (NoTies Consulting)
• DPO Hub
• Rie Aleksandra Walle on LinkedIn

Dragos Tudorache is a Member of the European Parliament and Vice-President of the Renew Europe Group. He is the LIBE rapporteur on the AI Act, and he sits on the Committee on Foreign Affairs (AFET), the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), the Subcommittee on Security and Defence (SEDE), and the European Parliament's Delegation for relations with the United States (D-US). He was the Chair of the Special Committee on Artificial Intelligence in the Digital Age (AIDA).

Dragos began his career in 1997 as a judge in Romania. Between 2000 and 2005, he built and led the legal departments at the Organization for Security and Co-operation in Europe (OSCE) and the UN missions in Kosovo. After working on justice and anticorruption at the European Commission Representation in Romania, supporting the country’s EU accession, he joined the Commission as an official and, subsequently, qualified for leadership roles in EU institutions, managing a number of units and strategic projects such as the Schengen Information System, Visa Information System, and the establishment of eu-LISA1.

During the European migration crisis, Dragos was entrusted with leading the coordination and strategy Unit in DG-Home, the European Commission Directorate-General for Migration and Home Affairs, until he joined the Romanian Government led by Dacian Cioloș. Between 2015 and 2017, he served as Head of the Prime Minister’s Chancellery, Minister of Communications and for the Digital Society, and Minister of Interior. He was elected to the European Parliament in 2019. His current interests in the European Parliament include security and defense, artificial intelligence and new technologies, transatlantic issues, the Republic of Moldova, and internal affairs.

We have addressed the following questions around the new EU AI Act:

• Back story behind the final compromise on foundation models, and the chosen thresholds for a higher regulatory burden
• Interplay between AI models and AI systems
• The “open source” differentiator 
• How and why the AI Act overlaps with the GDPR, copyright law or product liability laws
• Impact of the Data Act on the development of AI

References:

• The EU AI Act (EU Commission’s proposal)
• Dragos Tudorache (EU Parliament’s official website)