In the first episode of season 4 of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Outschool welcome season 4 launching on Data Protection / Privacy Day 2023! From current events, to laws, to breaches, to SCCs - we probably covered it all! Paul even challenged ChatGPT to describe our season 1.
The Serious Privacy podcast, by TrustArc, season 1 covered a variety of core topics related to privacy and data protection. Some of the key topics discussed in season 1 include:
Overall, season 1 of the Serious Privacy podcast aimed to provide listeners with a comprehensive understanding of the current state of data privacy and the challenges that organizations face in protecting personal information in the digital age. It also provided practical tips and best practices for organizations to create and implement a data privacy program to protect sensitive data and comply with regulations.
Should you have any questions or suggestions, please reach out to us via email@example.com or firstname.lastname@example.org, or via Twitter at @podcastprivacy. You find us on LinkedIn as well - just look for Serious Privacy. You will find K on Twitter as @heartofprivacy and myself as @EuroPaulB.
The Annual TrustArc Global Privacy Benchmarks survey is open until March 31st, and we want to hear from you. How is the industry shifting, and what trends do you foresee?
This doesn't assess individual or company privacy competency. Rather, it allows you to shape the future of privacy protection initiatives. Please share your views on how enterprises manage data protection and privacy.
As always, if you have comments or questions, find us on LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy and email email@example.com. Rate and Review us! #heartofprivacy #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO
S04E01 - We're Back!
paul_breitbarth: [00:00:00] So is that what we're doing now? We just start recording without introductions, without music, and whatsoever
K: We'll, we'll kick that off. We'll add it to it. But you know, Paul and I, this is the first time we've spoken in three weeks or so since the last podcast recording. I mean, we email and we chat back and forth, but first time we've seen each other and of course we just start talking about, well, the IAPP and the Global Privacy Summit, and Paul told me he thinks there's a Comic-Con right before the Global Privacy Summit.
So hey, Maleficent might make an appearance, but yeah, we're just, we just start chit chatting and then we're like, oh, you know what? Our fans might actually want to hear the things we chit chat about, because otherwise, then we gotta repeat it when we turn on the recorder.
paul_breitbarth: That's true. Welcome to season 4, K.
K: Welcome to season four. Isn't this [00:01:00] exciting?
paul_breitbarth: It's strange. I'd never expected us to make it this far.
K: Right. And yeah, I get it. We don't have millions and millions of listeners, but the ones we do have are fantastic and we do a great job. And we're not doing this to make money. We're doing it because both of us are passionate about privacy, and we enjoy it.
K: there are so many things to start with. We thought about having a guest on for
paul_breitbarth: is only one thing to start
paul_breitbarth: the unexpected question.
K: The unexpected que... Oh my gosh. Did my brain totally not do that? Okay, hold on, hold on, hold on. I got one.
ooh. What makes you feel wonderful?
K: see, see.
paul_breitbarth: These are difficult questions to start the year with, but probably when people say kind things about me or to me, even
K: Oh, [00:02:00] nice.
I like that. I will say kind things to you, maybe enough to offset the unkind things. I say , but that's
paul_breitbarth: hear those.
K: I know. I was gonna say, I rarely say unkind things. I tease people, but they're rarely unkind. I like that. You know, I might have to adopt that because it does make you feel wonderful. I mean, I think about the past, the past year and what kind of unexpected thing made you feel wonderful.
It was that it was. unexpectedly saying nice things or recognizing us or giving a little gift. You know, that always makes someone feel wonderful. And of course I always feel wonderful when I see my grandchildren.
paul_breitbarth: Of course. Well, there are, there are actually two more. When you say looking back at, at last
paul_breitbarth: specific moments there was one when I attended the privacy conference, the privacy space [00:03:00] in Leamington Spa. When somebody was just flabbergasted when I entered a room that that was, that was a really nice moment, although also a little awkward, but also very complimentary.
K: you got that fan moment.
paul_breitbarth: yeah, that was that was literally a fan moment.
K: and they stand out cuz we don't get 'em often.
paul_breitbarth: The other one was during my birthday weekend. As I think I told you, I brought a lot of friends to Brussels for the weekend for celebrations and they had written a song. This is in any case a Dutch tradition. I'm not sure whether the US does it as well for special occasions. But friends or family pick an existing song and they write new lyrics and they sing that to you.
So that's what they
K: Oh, that is awesome. I actually wrote a privacy song to the frozen lyrics,
paul_breitbarth: let it go or hold it tight.
K: It, it, I don't, I'll have to go back and look 'em up, but I wrote it to their Frozen lyrics. It was probably more along the lines of, rather than Let It Go, it's [00:04:00] Let Me Know. Might have been, don't know. But my favorite refrain that goes through my head all the time is, I want privacy. Privacy. I gotta have privacy and security, but yeah, I can't sing, but there we go. But yeah, that, but I will tell you, let me, let me go back to the grandkid moment. My, my little one, the, the girl who's not two years old yet, she has learned to say Mimi in the past like nine months and she still calls it a me, when she runs to the phone to show. But she gets to the phone and you're gonna see body language. Here she goes.
Where Pa-pa? Where Pa-pa?
K: She just runs to the phone to see Mimi, but the first thing out of her mouth is not, hi. It's where Papa. I'm like, really? Dude? I might take that out, but I'm not. But yeah, I'm like, I am. But a pathway to the great man. So yeah, keep me humble [00:05:00] anyway.
paul_breitbarth: Welcome to the Patriarchy in 2023.
K: Right. The year of the rabbit, people. Let's hope we don't hop around all the privacy laws and everything.
If I can build that into the theme, but oh my gosh.
In preparation so much,
paul_breitbarth: yes, it has not been a quiet month.
paul_breitbarth: and of course, given the date that we are on, Happy International Data Protection
K: Data privacy day in the US and Canada.
paul_breitbarth: Okay. With that caveat, I'm fine with
K: And of course my youngest daughter's birthday, which this year she turns 30. If that doesn't make you feel old, I don't know what would
paul_breitbarth: That doesn't make me feel old,
K: he makes it, makes him judge me.
paul_breitbarth: Nope. no judgments
K: Oh my gosh. So data privacy day and we thought if we, if we talked too long on this episode, we might break it up into two episodes for y'all, [00:06:00] but they would be released together. Not one, one week and one the next week, but we'll take the second week off like we normally do, regroup, recalibrate, and get back into it.
Speaking of which, if you would like to be a guest on our podcast and you've got a good voice for a podcast or a good personality for it,
paul_breitbarth: you don't just have a product to sell because we get a lot of requests from companies that say, we want to promote our product, or we want to promote our service. That's not why we are here. We want to talk substance. We want to go into the nitty gritty details, and if there is a product that we want to talk about, then it's one that we.
K: Yeah, it's, it's one that we wanna talk about something that's new or something that's interesting or something we've had questions about that might be feel free to write us what, what's our email address again? Paul
paul_breitbarth: well, our email addresses are changing, but for now, let's use podcast@Seriousprivacy.eu.
K: firstname.lastname@example.org You can also go to our LinkedIn page for Serious Privacy. [00:07:00] Drop us a note there. We get that. And I believe you can also message us on LinkedIn, so there's no excuse for not being able to reach out to us. You can make comments to the podcast. But let us know. But also if you know someone that might be good to have on the podcast, I'm kind of on a rip the past week or two trying to prepare for the day.
One that I feel like we've had some big names from the EU on our podcast and some other countries too. We've had some big names on, but we haven't had big names from the US on, Travis LeBlanc might be one of the, one of the few because we've had him on, but we haven't had the really big names in privacy.
So I reached out to Senator Mark Kelly from here in Arizona. I don't expect an answer, I don't expect it to go anywhere. . I also reached out to Nuala O'Connor at Walmart. Reached out to her, of course, would welcome them anytime on the podcast. So if you think of some names or you know, some people that'd be good to have on that, other people would like to hear from, [00:08:00] drop us that note as well. I mean, I'm still after Kamala Harris, but I'm giving up on that. I mean, year three of that.
But you never know. Gold could strike somewhere, somehow could happen. And I do have some professional friends, former law students who are in pretty significant positions in the federal government. They, of course have to get permission from the government to be able to speak. So I might start kicking off that process now to see about having them on.
But yeah, let's dive into what the heck do we have to talk about on the first episode of the season, Paul? I mean, it's been so boring.
paul_breitbarth: No, it's not, but no. Yeah, I mean we've, we just, were talking about going to Washington for IAPP. I will for sure be there and this time you will for sure be there as well. So we'll do an on the floor episode. Best of from the IAPP Summit. Of course,
K: I still don't have a ticket for the actual summit, but I've got the plane ticket booked and the hotel booked, so I'm still kind of hoping until the last minute that somebody will throw [00:09:00] me a free ticket. But hey,
paul_breitbarth: Trevor, if you're listening,
K: exactly, exactly. Toss K one of those free tickets laying around there. We'll do something for you. We'll sing for our supper. We're
paul_breitbarth: And in any case, we are looking to do some sort of a live episode,
paul_breitbarth: the summit where friends, contacts, stars can just walk up and talk to us for the the recording details to be determined looking at all the possible options. But that is something that is coming as well and
K: I am gonna get Paul, one of those tour guide flags that's, you know, six foot tall and has a little flag on it. We can walk around.
paul_breitbarth: no, I'll bring my umbrella.
K: Might be like a two foot flag, but we might actually do that. It could happen. I could do
paul_breitbarth: for sure. It could. One of the things that we will probably be talking about is enforcement.
K: Yes. Enforcement's a big issue. I had joked with Paul, let's get Helen Dixon back on as the first guest for this season. We've had her on before. She's [00:10:00] phenomenal to talk to. I don't know that she's got enough free time to come on our show to chat right now because she's incredibly busy. If you've been watching the privacy news at all,
paul_breitbarth: Yes, she has been busy and we are talking 395 million Euro in fines, if I calculated correctly. Of which, yeah, 395.5 million Euro. All to be paid by Meta.
paul_breitbarth: Three investigations, Instagram, Facebook and WhatsApp. With WhatsApp clearly being on the low end of the, the ballpark with 5.5 million. The other ones significantly higher. And looking at the reports by now, I've gone through all the 600 and something pages of reporting. I think there are a few issues here at stake. Question one is, is there a contract, yes or no, when you accept terms of service? Question two [00:11:00] mainly relates to behavioral targeting, behavioral advertising. And question three was much more about the, yeah, what was question three about? I just wrote it down. Hang on. So general transparency, is there a contract or not, the, or the data processing for product improvement and for safety and security reasons,
paul_breitbarth: allowed whether that is considered to be necessary under the performance of a contract.
paul_breitbarth: so let's break these down a little.
K: Let's do
paul_breitbarth: So first of all, when you look at whether or not there is a contract when you accept terms of use, I think in general most commercial lawyers would agree that that is the case. And here the data protection board basically starts moving into the realm of contract law. Not for, not without reason that people are claiming that GDPR is the law of everything. So now suddenly contract law also becomes the scope of influence, the sphere of influence of data protection authorities. But [00:12:00] here the board said, well, because of the lack of transparency we don't consider that this is a clear contract and certainly not a contract that you would be able to rely upon for all or most of your data processing operations.
K: Well, and certainly not a contract between equal parties. There is definitely more, I wouldn't even say bargaining. There's no bargaining. All the power is on one side. You're just the product.
paul_breitbarth: that's the, the other part that they criticize, the take it or leave it approach that Meta is imposing on the terms of service. Also having very little possibility to opt out of certain data processing operations including for marketing.
paul_breitbarth: that brings us through the behavioral advertising part. There, the question was, can you rely upon performance of a contract for advertising? And here the board said clearly that is a no, because individuals have the right always to opt out of direct marketing either by withdrawing consent if they gave consent in the first place, which should then be [00:13:00] freely given and fully
informed and a free
K: Yep. Yep.
paul_breitbarth: which was not the case if you accept terms of service because then it's take or leave it. So no free choice
K: and you should be able to opt out or withdraw your consent just as easily as you gave
paul_breitbarth: Exactly. So that is on the consent part. If it is not consent, then it is legitimate interest, and then you always have the right to object, which is the opt-out, which also always needs to be respected.
paul_breitbarth: the board says, in, in both situations, you can only come to the conclusion that there should be a possibility to opt out of behavioral advertising, which means that it can never be necessary for the performance of a contract because
paul_breitbarth: would not be able to opt
K: Right. And if you think about it, if you're on Facebook there's always these little blurbs that go around about, oh, you must put on your profile right now, post this paragraph that you hereby don't give Facebook any IP. And if you don't post it by such and such date, which [00:14:00] good god, that date was 10 years ago, then Facebook will now and forevermore own your data.
Well, is that how you withdraw consent, you make a post on Facebook that I withdraw consent for behavioral advertising? I mean, that's as easy as you gave consent. Frankly, you should be able to think you, you are withdrawing your consent and that should withdraw your consent. Cuz that would be as easy as you gave it, cuz you never really gave it, but okay.
paul_breitbarth: that's true. And, and at the very least you should find something in your settings. And also there it is not available. There are no choices that you can make at least not in the, the level of detail that you would
expect under, under GDPR ePrivacy,
K: They do have a lot of choices in their privacy settings on Facebook.
paul_breitbarth: They have way too many choices, which also makes it very complicated
K: That could be
paul_breitbarth: the point that you are agreeing or disagreeing
K: right. Exactly. So there's a lot of work to be done there. Now remind me, is Facebook appealing this?[00:15:00]
paul_breitbarth: Oh, I'm sure they will be, I mean this is, this is almost 400 million euros, so they'll be sure to appeal this. And this will go up to the courts again. So to be continued. the final point though that the board makes is meta also relies on performance of a contract for product improvement and processing data for safety and security. And there also the
paul_breitbarth: this is not necessary. I think you can argue that point, whether or not it is necessary to be able, at least in any case, for safety and security
K: Right, right.
paul_breitbarth: data for product improvement. Maybe
K: Here in the US we assume that that's happening, but everywhere else they don't.
paul_breitbarth: also in Europe you should, this is something that, that is also just part of regular business practice. The main point, however, is that the board says it is described too vaguely. And I think it would be better, by the way, to rely upon a legitimate interest for either of those. But also then you should explain in [00:16:00] more detail what it is you are doing, so that people who are not data protection geeks like we are might have a bit of an idea of what kind of data would be processed, in what way, what kind of analytics would take place for product improvement, what kind of red flags could be, could be posted
paul_breitbarth: security issues or safety issues. So how to do all of that. And there, I do agree with the board that the lack of transparency is a serious problem, by
paul_breitbarth: meta, but for a lot of companies.
K: And, and let's not just leave it at the lack of transparency. Let's leave it at honesty. and forthrightness, not trying to hide something in playing word games.
paul_breitbarth: the fairness principle.
K: on, yeah, on the, on the flip side though, if a company disclosed everything in their privacy notice, good Lord, it would be longer than my dissertation
K: nobody would read it anyway, except for [00:17:00] privacy geeks perhaps.
But, you know, that's, that's the balance we're running. I think I've said before, my teenage daughters way back when were asking, well, why do you write these things if no one reads 'em? Well, because you have to tell people. And how do you tell people without telling people?
It's a vicious, vicious circle.
paul_breitbarth: I've been saying it for a while already, that I would love to see the privacy space develop. More videos like the
paul_breitbarth: instruction videos. I'm hoping that one day I'll have the budget to do it myself for, for my own company. But that would be probably the perfect way.
I mean, you can, you can keep the legal text, you can keep,
paul_breitbarth: lengthy explanations in writing also there in reader-friendly versions. But someday it would be nice if you have that 30 seconds or one minute video where you just explain in an accessible and fun way, this is how we work with your
K: I'm doing that. I, I won't have the budget for a big [00:18:00] production, so it'll just be a little video. And I don't yet know if I'm gonna make like a little Muppet or something to do it. But I am going towards the ages of the learners that we have at our own company, Outschool. And you know, we go down to three years old and up to 18, and so I am breaking the ages up into the grade level, and I'm going to record videos because ages three to five, what do they understand?
paul_breitbarth: The wheels and the bus go round and round, round
paul_breitbarth: round and round.
K: You know, don't give your full name. Don't tell people where you live. You know, things like that to go on up.
And so I'm working on doing that as well. I've reached out to Common Sense Media, which does a lot of evaluation of, you know, companies and stuff to see what kind of knowledge have they gained already from privacy notices and children [00:19:00] and stuff to know what resonates with them. So anyway, so, and it probably spurred from your suggestion years ago of you would like to see videos explaining privacy notices.
So I'm trying different ways cuz people learn in different ways too. Some are visual, some have to read, some have to hear it, you know, some have to do it. So it is, so, okay, we've got Facebook, we've got that.
paul_breitbarth: what's happening in in, in the us I've seen a barrage of state legislation being
K: yes, yes. Let's look up what we have. So
paul_breitbarth: Everybody thinks
the federal season is over. We have a new non-functioning Congress, so let's take it back to the state level.
K: Right? I think it was just coming out of 2022, one, it was a, you know, mid-year election cycle. People's focus was somewhere else. But two, everyone really thought that federal law was gonna pass. Now we're realizing, huh, that ain't likely to happen. So states are back at it once again. I think it's fabulous.
[00:20:00] We have several states that have introduced legislation. We've got Oregon and Oklahoma. Never surprising Indiana, New York, Iowa, Kentucky, Tennessee. Never surprising Massachusetts, New Jersey. Who else do I, oh, the one that surprised me, Mississippi. But, you know, two years ago when we were watching this, it's, it's hard to realize that in an entire season we didn't have proposed state legislation.
paul_breitbarth: Oh, we had some, we had some at the start of last year,
but nothing came from
K: Not really big. It's gonna be big this year. We're gonna follow these all through. And so the last time we really talked about states would propose legislations and the ones that got tabled, like Bill C-27 in Canada got tabled,
Mississippi, Mississippi has a privacy law.
I'm from Mississippi. Y'all Mississippi has a privacy law proposed. That always surprises me. And you know, [00:21:00] nothing in the laws are really shocking. Of course they don't align with each other,
paul_breitbarth: anything from Washington.
K: no, not yet.
paul_breitbarth: fifth, sixth time.
K: I was actually looking to see if by the time we started today, if they did have one proposed.
So let me look it up while I'm right here. And see if Washington dropped one in the last day or two.
Let's see, nothing's coming up. Not seeing one yet, It, when they do pass one, it's going to be good. no doubt about it. So yeah, as far as I can tell, they don't have one dropped yet. But you know, that's one of the states that everybody looks to and says,
paul_breitbarth: It's likely to come. I mean, yeah,
we know. We know that it,
K: yeah, once you pass it, it's gonna be a model, a model law for other states.
But other states are driving. I did look up Arizona this morning to see if we had anything. I don't see an omnibus privacy law proposed yet in Arizona, there's a ton of other privacy [00:22:00] related laws related to minors related to healthcare. There is one for biometrics. So different things like that. So there's a lot of privacy related laws, and if we got into a conversation about that, this session would be 12 hours long of the different things.
But we have to quit piecemealing it. Even if we look at it on a state level, we have to quit piecemealing it. We need to put it together in an omnibus law that governs what we do. I'm not gonna say everybody needs to be like California. I don't know how the end of the exemption for human resources or B2B data is going to impact. No other state addresses those.
They are written into the law as exemptions, which is totally against GDPR and most other privacy laws. So that in itself is going to be interesting to watch. So I'm, I'm thrilled. I'm energized, I'm invigorated by seeing more state laws come up and I'm kind of really hoping federal happens. Kind [00:23:00] of really hoping, but I got other things to worry about on the US federal level.
paul_breitbarth: Well, you know, the at the start of the year, I was looking at CNN and BBC News quite a lot during the soap opera that was called the Speaker Election.
K: uhhuh. Oh,
paul_breitbarth: I don't, I don't have too many high hopes to be honest for Congress this year.
I mean, if something straightforward, like electing a speaker is already so difficult, then how do you pass legislation?
K: I, got nothing. I got nothing. I, I, that was a joke. I'm sorry that that was a joke. It was utterly ridiculous. Okay. So breaches so far in 2023, it would surprise you to learn what they are. I forget the first one that started, but we had the Twitter data breach, which there's a lot of stuff going around about Twitter, but there was a Twitter data breach email addresses.
200 million Twitter users, I believe, being sold, I think for a very, very low price. They, [00:24:00] they say the flaw was fixed, but the data was still out there. Chick-fil-A breach, they had suspicious activity. They've published information about what you should do if you notice suspicious activity on yours. So we had that.
You didn't hear a lot about the Chick-fil-A one. The PayPal breach. So there was, it's not necessarily that there was a breach. There were actors who stole the login credentials. Not sure if it was all one thing or if it was across certain things, but people's accounts were being changed to another email address.
They would take the money and then they changed the email address back to the original, so that hopefully the original person would never know. Now, if you had two factor authentication on your PayPal accounts, they shouldn't be able to do this. So you have that, and then Mail had a breach. They had one about six months ago.
They had another one. They're saying it was very few accounts that were actually accessed, but they had that. And then probably the biggest one that everyone's [00:25:00] hearing about is the T-Mobile data breach. 37 million. Usually the prepaid customers, but it does include others. They thought they'd had data being accessed since, I don't know, November of last year or so.
I use T-Mobile, so I have yet another year or two of data monitoring, but that's about all they do here. I will say though, that people who join the class action suit against, oh, I forget who it was, and that settled, they've been posting their checks like $5 and 67 cents or something that they got as a payout from the class action.
paul_breitbarth: So you mean to say that that money was actually, literally sent in a paper check
K: I mean they could have sent it to their PayPal accounts, but those were hacked.
paul_breitbarth: I mean, okay. The fact that the US and France are still using paper checks is,
is still mind boggling to me
K: Crazy, right?
paul_breitbarth: out of existence in the Netherlands since 1999.
K: Yeah. My [00:26:00] paper checks that I have still have my address from three addresses ago cuz who uses paper checks
paul_breitbarth: the French and
apparently the Americans,
K: and my checks have Disney villains on
paul_breitbarth: but I mean, sending a check
paul_breitbarth: I mean, printing it, cutting it, filling it out, sending
paul_breitbarth: must cost more than the five, six, $7 that you were talking about.
K: It's so 20th century. Right.
paul_breitbarth: It's 90th century
K: It's just, yeah, I agree. But think back, I don't know if, if Europe did this or not, but here in the us gosh, back when I was in high school or college, you used to print your social security numbers on the checks when you ordered them.
paul_breitbarth: Mm-hmm. Yeah. That was the case that the social fiscal number, I believe.
paul_breitbarth: was the case here also back in the nineties. But as
paul_breitbarth: we haven't had checks since 1999 in the Netherlands. I've, I've used them once when [00:27:00] I was living in France during my, my student years, and just for the fun of it to be able to, to say I've used the check? ? I know how it works.
K: Yes. People here still write checks. Go figure.
I know, it's weird.
paul_breitbarth: annoying in the supermarket when there is somebody in front of you who needs to write
K: Write a check
paul_breitbarth: and you are waiting and looking at your watch and think, I wanna move on.
K: Let's be honest or paying in cash.
paul_breitbarth: Yeah. But that goes fairly quickly.
K: Not here,
paul_breitbarth: Cash is still, oh, okay. Well,
K: All right, moving on. So what's going on in Europe?
paul_breitbarth: well, the, you may recall, and our listeners may recall the episode last year about the IAB Europe decision and the cookie consent banners with the transparency and
paul_breitbarth: framework or consent framework. The appeal of that case is now before the Court of Justice of the European Union. But at the end of last year, early this year, [00:28:00] around New Year, there were reports that apparently IAB Europe has struck a deal with the Belgian data protection authority on the requirements for the new banner and what the new TCF or TCF 3.0 should look like. And the Belgian DPA won't release full detail until the court case is fully settled, understandably.
paul_breitbarth: so they also have put in quite a lot of caveats. I understand. Yes. This is what we agree on pending the, the, the judicial
K: If all goes well, possibly if the sun rises at 6:37 AM then this is what we agreed on. Yeah.
paul_breitbarth: and also IAB isn't talking about it too much. They have not released anything in
K: Nope. I haven't seen anything.
paul_breitbarth: But they have been talking to the advertising industry. And one of the, the branch members in the Netherlands, VIA, has actually put a blog on their website outlining what the details of the new transparency and
K: Ooh, I missed that.
paul_breitbarth: And of course that's in Dutch, but [00:29:00] the
K: That might be why I missed it.
paul_breitbarth: I did, I did put an English version on my LinkedIn, will put it in the show notes. But there are four main points I would say that will change. First of all, profiling and personalized advertising can only take place on the basis of consent. You would say, but that was still questionable
K: Yeah. Legitimate interest should go away.
paul_breitbarth: well it should and it doesn't.
K: I know.
paul_breitbarth: because the further processing, the further use of the so-called TC string, that is the key identifier will still be allowed on the basis of legitimate interests.
paul_breitbarth: of consent like a cookie banner should become easier and will become easier in the new framework. And also apparently there is no need for a decline all banner on the first layer.
paul_breitbarth: So two big point, I mean that you should be able to rely upon consent. Only in that consent should easily be withdrawn. [00:30:00] Those are the obvious one that everybody has been talking about for years and saying, Hey, take care of this because this is just not right. I'm not so sure about the legitimate interest part because. it cannot be used for collection. It cannot be used for initial data processing, I would say, but for further use, for further compatible use, you should also go back to either the original legal basis or to consent.
paul_breitbarth: say that you can use legitimate interest for further processing? I'm not so sure. I, I, I just don't understand it.
K: Maybe they'll publish more details with it when they come.
paul_breitbarth: I hope so. I hope that we get a full legal analysis, learn on how this would work, because otherwise I would not be able to explain it. And I
paul_breitbarth: fairly knowledgeable on the legal basis in the GDPR. So maybe somebody should say, okay, this is how it works.
K: [00:31:00] Let, let's ask Alexander Hanff.
paul_breitbarth: well, he
probably would say
K: He has a lot to say about cookies and trackers.
paul_breitbarth: Yeah, but it comes down to rubbish. Don't do
K: Yeah. Yeah. You, you really could reduce it to, to that. That's
paul_breitbarth: we'll have in arm in the coming weeks to to talk about this.
You have now reached that 30 minute mark in the series privacy podcast. Should you wish to take a break now, please feel free to do so. And come right back
paul_breitbarth: The, the other point that I find surprising is that revocation, that there is no need for the decline all button on the first layer. If you look at all the cookie guidance from
paul_breitbarth: authorities, especially the French and the Germans in recent years, if you look at the outcomes of the cookie consent task force
paul_breitbarth: EDPB that was also released this week,
paul_breitbarth: also there, the vast majority of European DPAs state that [00:32:00] a decline all button at the first layer is a requirement.
paul_breitbarth: why would Belgium come to the conclusion that it is not,
paul_breitbarth: I don't understand
K: More information to come, we hope.
paul_breitbarth: at some point when the court case is finalized. But right now we have no idea.
K: that's gonna be interesting. You know, here in the US we have a lot of conversation over cookies as well because of California's law going into effect with, and. and Virginia's that went active on January 1st. California's not gonna be enforced till July 1st, but there's a lot of conversation about not necessarily cookies, but opting in, opting out of selling your data under the various definitions, sharing your data under California's definition, opting out of targeted behavioral advertising and profiling.
Cause Colorado and Connecticut go, go live July 1st. Utah comes up at the very end of the year. The other state laws that are here, they probably won't go active [00:33:00] immediately. Very few laws take the tactic that China did of, oh, we passed a law and in six weeks you need to comply. you know, people are trying to figure out what do they need to do for California, especially with the Sephora decision where the Attorney General really hammered home global privacy control.
paul_breitbarth: Yeah, no, that was certainly
K: what, what do you do? What do you need to do? and, and if you look at it at its very basics, if you don't have any other information that's been shared with the company, you, you haven't given 'em anything else. You haven't signed up for newsletters. You're not a customer, you don't have a loyalty card, you have nothing else, then you should be able to use cookie opt-out.
For the do not selling and do not sharing of your data because they have nothing else of you other than cookies and trackers to sell or share. But if you have done business with them, then it operates more like an individual rights. You have to be able to tell 'em who you are. You can't expect them to recognize you just cause you open your browser.
Not all companies actually [00:34:00] retain the IP addresses to cross reference. So, you know, so that part would act like a individual rights request for do not selling, for opting out, for doing different things like that. So it's interesting. We're gonna see a lot of technology confusion,
K: Here in a while.
And it's gonna be worldwide. Let's be honest. It's gonna be worldwide confusion because Europe's cookies, this confusing statement of decline all on the first layer. I mean, that reminds me of the, you know, z what was it they used to call a cookie blocker?
K: you could get nothing except for the cookie consent.
So different things like that. So it's gonna be a little confusion this year. Hopefully we'll have some information to share. Some developments will happen. We'll be able to talk about that. But I do think this whole cookies and trackers and opting out and profiling and TBA not going away anytime soon,
paul_breitbarth: No. And obviously, I mean, there, there will be more guidance, there will be more enforcement, there will be court decisions.
K: [00:35:00] right?
paul_breitbarth: is certainly a topic to, to be continued. Something else that has really come up in the past couple of weeks is ChatGPT.
paul_breitbarth: I was actually looking at maybe letting ChatGPT write the introduction for this episode, but I haven't gotten round to it yet to see if they were able to do it.
K: They could probably write the, the description, you know, that we post. We can see. I haven't used them for anything.
Okay. We tried it. Here's our ChatGPT little summary.
Malcom (2): welcome to season 4 of the serious privacy Podcast. This season we will be diving into the latest privacy concerns and developments in the digital age. From government surveillance to data breaches, we'll discuss the impact these issues have on our daily lives and what steps we can take to protect ourselves. join us as we explore the complex and ever evolving world of privacy in the digital age.
paul_breitbarth: It's a scary development
paul_breitbarth: because in they are, Pretty much [00:36:00] on point. I mean, they're not always legally sound obviously. But the way language is, is formulated is pretty impressive
paul_breitbarth: same time. If you look at all the, the training data about 50% apparently is from the US, about 20% from Europe. And only I think 5% all in all from the southern hemisphere. So talk about bias in,
paul_breitbarth: you clearly have it there. And the next version is already coming, which has I think, a hundred fold more training data than this version has. So it'll even be more accurate.
K: It's fascinating and terrifying.
paul_breitbarth: it is and from that perspective, I think it's good that we'll see some more legislation on artificial intelligence
paul_breitbarth: for a long time. I've been wondering whether we actually need
K: I would expect that before I would expect omnibus privacy laws. Frankly,
paul_breitbarth: Yeah. And certainly in the US probably that, that, I think that that's true. for a long time I wondered whether we would actually need artificial intelligence [00:37:00] legislation because we have data protection laws, we have the fairness principles. We have other data laws.
K: they don't cover it all.
paul_breitbarth: but I think in the end it might actually be good to have some laws that specifically direct their attention to artificial intelligence.
K: That way the attorneys for artificial intelligence can't wiggle their way through the law and say, well, this doesn't apply to AI because blah, blah, blah.
paul_breitbarth: there's always attorneys that wiggle their way through the law but maybe even help by their own artificial intelligence. I don't know.
K: Who knows? But you're right. You're right. It's terrifying. It's fascinating. People are playing with it left or right, which gives it even more training data. I, I don't know if I'm eager to see the next iteration or not, but it's worth having the conversation because again, like other technology that's been coming out in the past two decades, the conversation is yet again, is this going to replace privacy officers?
Is [00:38:00] this going to replace lawyers? Is this going to have people lose their jobs? Maybe on some level there, there might be a grain of truth in there, but it's going to create more jobs too, because it's just gonna make it a little bit more complex. Exactly. Just gonna change the scope of what we, of what we focus on and what we handle.
And that's, wow. But as you mentioned, the southern hemisphere, I mean, that's one thing I don't want to look over. We do have legislation being proposed in a lot of southern hemisphere countries, especially in Africa. we've got Namibia,
we've got United Republic of Tanzania.
I think that one was fairly recent. We've got Ethiopia with some draft legislation, and then we move further north. We've got Saudi Arabia and Iraq coming out. I don't think you and I discussed the Iraq one last year and all, and we've got draft legislation in Pakistan.
and we still have India , and we still have India, which is of course [00:39:00] still pending.
paul_breitbarth: big move away from the previous bill. This one might actually be more, more successful also because in the will hold the G20 presidency this year. And the G20 is actually also very much advocating stronger data protection goals and working on cross-border data protection rules together with the G7 and
paul_breitbarth: D as also Gabriela Zia notes in her yearly lookout. We have Argentina, also Southern Hemisphere,
paul_breitbarth: working on their updated data protection laws. and also Australia is looking to
K: Revising theirs.
K: keep an eye on Canada. They constantly try to change something there. Not necessarily that it moves forward, but they are trying to change, they are trying to update. And so if you go to any of the maps that show you what legislation is in place, I love the map at the United Nations Conference on Trade and Development.
That's one of the resources that I go to. [00:40:00] But on that map, keep in mind that the countries that already have privacy or data protection legislation in place, and they're looking at amending it, aren't necessarily called out on this. That's one things that I missed from this map. I wish it did track the ones that are looking at amending.
Or, or I guess amending’s the word, the ones that are amending their laws. I'd love to be able to see those tracked as easily. There's lots of different trackers you can go to that can show you. This just happens to be one of my favorites and I always recommend it to the law students. Just on that line, some of my other go-to resources.
I love the DLA Piper Global Privacy Laws chart, and how you can compare. I love how they break it down. Phenomenal job there. And then for the US state data breaches, there's a lot of really good ones out there. Don't get me wrong, there's a ton, but I fell in love with Mintz Levin years ago, so it's still my go-to for us State data breach laws, and so there are some really good resources out there.
I was just talking to [00:41:00] someone else about how do you stay on top of data privacy laws. Well, my resource was always Nymity. That's how you stay on top.
paul_breitbarth: one of them.
paul_breitbarth: social media also is for.
K: LinkedIn is the big one.
paul_breitbarth: LinkedIn is a, is a big one for all EU enforcement cases. It's GDPRhub.eu which has a whole range of volunteers that outline also court cases and regulator decisions in English. That works really well. GDPR be l is a great resource for all pending cases before the Court of Justice of the
paul_breitbarth: Well over 60 cases at the moment, 60 that are pending. Who talks about lack of case law now,
paul_breitbarth: So yes, those are all amazing resources. Twitter was actually a very big resource for me. And
K: Yeah. I dunno about now.
paul_breitbarth: no, well, it's, it's annoying.
paul_breitbarth: annoying because an, an egomaniac attack, billionaire just ruined it for everybody.
K: Yeah, and I [00:42:00] wasn't a big Twitter user to begin with. I automatically repost some, some accounts I like. But you know, I, I might go check it once, once a week or something to go look at it. So I was never a really big Twitter user, but of course carried the presence. But yeah, LinkedIn Nymity some of these wonderful sites that I trust and I go to.
I hate newsletters. Let me just be honest. Let me do it once again. I hate newsletters. Have I been part of a company or an effort that put out newsletters? Yeah,
paul_breitbarth: everybody has, and
K: but I hate them.
paul_breitbarth: why newsletters are there. But indeed, in, in, except for the daily compliance order from Nymity,
paul_breitbarth: I hardly read them. Politico, that's the other one that I do
Law 360 always has some really good stories, but I, I don't like actually going there using that. It's, it's interesting that, you know, if you find a resource you really love that does a newsletter, maybe [00:43:00] you love that newsletter. But otherwise, I mean, okay. Here's another one and I usually keep up with it on LinkedIn, the Hintze Privacy Law Firm.
I usually watch what they post and what they're doing. They may actually do a newsletter, so I apologize Susan and Mike, but you are one of the resources I go to. So it is interesting how people pick and choose, and that's one thing I'd love to hear from our fans or our listeners, is what are your favorite resources?
I. There's a lot going on. What are, what are your favorite resources you have? Maybe we can share some resources out with other people. I will say that there was a post on LinkedIn the other day that was talking about a particular company and they didn't like 'em. And I'm like, I don't either. And someone came back and said, well then what do you like?
And so I was able to, I'm a raving fan of TrustArc I love what they do. That's never gonna change. I think Paul is the same way. We're raving fans. That's just a fact. If they ever turn out to where they're not good, we may just be like, oh, poo poo on [00:44:00] you. But mm. The expertise that they bake into it, I mean,
paul_breitbarth: So far so good. In any case,
K: Yeah, exactly.
Moving on. There was something else I wanted to talk about and that was just some of the tips and tricks as you're going into 2023. It's January. If you don't have your standard contractual clauses figured out yet that you could only use. The old ones up through December 27th of last year. You really need to get on that.
And I'll be honest, most of the time the vendors have their own prepared. You may not even need your own template. You just need to reach out to your vendors and see what they have. Some of the smaller ones might not.
paul_breitbarth: I'm in a lot of fights with tech vendors on this, because they say, oh yeah, but if you just accept our DPA then you have also immediately automatically accepted a new standard contractual clauses. And that is not something that I'm willing to do. I'm not willing to accept a DPA that is not negotiated. And I'm not in favor of accepting standard [00:45:00] contractual clauses by reference with dynamic annexes that are not fixed in time. So I'm, I'm actually becoming more and more annoyed with the way that a lot of companies are
paul_breitbarth: standardized approach.
K: And they're just trying to make it easy. But that was one of the things that the board said when they issued them is they should never be templates. They should always be individualized.
paul_breitbarth: It's case by case. Yeah. And they need to be specific because you need to be able to read the contract. Because standard contractual clauses are a contract, you need to be able to read the contract and understand what the data processing is about.
paul_breitbarth: about what personal data is involved, I wanna see a full list and not think such as a name and an email address.
No, I want the full list, including all the technical data that you might collect behind the scenes. When we talk about, which is the competent supervisory authority, I want to [00:46:00] agree on that. When we sign the contract
paul_breitbarth: repeat the language from the SCCs, that can become contentious at a later stage.
When we talk about sub-processors, I want to have the list that applies at the moment of signing and not just a reference to a dynamic list. And there are parts where I'm willing to compromise, depending on the contract, depending on the type of data. but I have my, of course, European inspired, DPA inspired compliance approach.
paul_breitbarth: and American companies are just like, oh yeah, but that doesn't work for us because we are too big for that.
K: Yeah. And you don't have bargaining power.
paul_breitbarth: and because you are big, you don't have to comply with the law.
K: I expect at some point that there will be a complaint made to the supervisory authorities over some of this approach. But I can see both sides. They're like, yeah, but we have thousands and hundreds of thousands of customers. How can we possibly, you know, personalize each one? I get it. I get it. [00:47:00] It's, it's trying to comply with the law, but on a practical implementation basis, it's really, really difficult.
paul_breitbarth: And the vast majority of companies doesn't care about individualization. So you are maybe talking a handful. Of companies that do
paul_breitbarth: make a request to, for personalization
K: that is true.
paul_breitbarth: for personalized execution.
paul_breitbarth: just put a signature on it.
K: You should have a process to accommodate that. And I will say that, you know, I do redline DPAs when I get 'em, what I would, what I meant was when you get the standard contractual clauses from the vendor,
K: should have theirs.
You don't necessarily have to worry about, you know, building your own. They should have and their, their templates, the SCCs are standardized.
paul_breitbarth: they are but even if they are templated by a lot of companies, they are lacking because they are not, they are not in full detail.
K: Yeah. And I will say I came across one where when you chose the supervisory authority, they selected all three options. [00:48:00] I was like,
paul_breitbarth: That's not
K: there's one of three options that applies based on your circumstances and you can't be all three. So that was it. But it will say, I do modify a lot of DPAs and because of doing that, I'm actually writing a handbook for GDPR, let's say European companies who comply with the GDPR, who are now vendors.
To companies in the US and when they're asked about their COPPA compliance or their HIPAA compliance, heaven forbid it might be FERPA compliance which is education they usually come back with, we're compliant with the GDPR is the strongest law in the world. We're good. Mm, no you're not. HIPAA as a sectoral law is probably stronger.
But we also tend to dictate specifics,
K: specific wording you need to have in a contract, specific rights. You need to do specific steps you need to follow. And I'm gonna have to quit saying specific because that's [00:49:00] putting a lot of hisses in my word that I'll have to try to take out on audio. But, . I have found this a problem One of the ones that I've seen when I wrote back and said, your DPA is not compliant with California's requirements, cuz California has some very specific requirements that you need to have in contract. They had 'em already under the CCPA. The CPRA added some new requirements.
And these are things your contract actually has to say. It has to have that language. Now, could you say storing rather than retaining You could, you could say that. Could you say processing which encompasses everything rather than using Probably.
paul_breitbarth: But the
sale of data is of course, very California specific.
K: Exactly. The selling. The sharing. And you have to specifically say that you will not sell or share the data for any other purposes outside the business purpose of the contract or the business relationship.
You have to qualify [00:50:00] those. And probably the biggest ones that I see that's missing is you have to say that you certify that you understand the requirements that certification has to be in there. Will California go by if you say, I agree to comply, not a certification.
You have to certify.
paul_breitbarth: That's the point that annoys me most when dealing with US companies in GDPR contract negotiations. Typically one of their first provisions in the DPA is that as a data controller, you are responsible for full compliance with the GDPR which is understandable, acceptable. And then you can sign at the dot of their DPA, and then I tell them, so explain to me if you want me to be fully compliant, how do I give you instructions? If you prescribe all the instructions that I give you?
K: Right, and that, that's a problem with the standard contractual clauses in the GDPR that Paul and I have argued from the beginning. There are [00:51:00] processors out there that the reason you hire them is they have the expertise. It is very difficult for you to give them anything other than a general instruction of, I want you to process our credit cards.
You don't tell them how to process it, what to store, where to send it, what kind of hashing that you, you don't prescribe all that. You tell 'em, I want you to process the credit cards, or I want you to transform this list of people into a blankety blank blank. You're hiring them for their expertise because they have the expertise and you don't.
K: So I agree that that one, there is a problem. You have very little alternatives for being able to, to prescribe what they are. And I think we're hitting an hour.
So let's see if we need to close this down. If we are at an hour, we may break it into two 30 minute segments. Heck, we may po we may publish it both ways.
You can have one at an hour, or you can have two 30 minute segments. That way you can walk the dog or you can exercise.
paul_breitbarth: let's just release [00:52:00] it as one that's easier and people can enjoy. They can listen in stages and then from a episode two will be, will be in regular cadence of the 30, 35 minutes an episode.
K: We'll, we'll also get better at our descriptions and putting the little stops in or whatever. I did suggest to Paul that we do this episode as a LinkedIn Live and we just record this as we were on LinkedIn just to honor data protection date. Paul wasn't about that.
paul_breitbarth: no. For many reasons, I
paul_breitbarth: And also the audio quality from LinkedIn live is not something that is reliable.
K: I figured we could keep 'em both running. We could do LinkedIn Live and Riverside.
paul_breitbarth: No, I think computers would
K: It won't share the camera Two computer. Anyway. That's the end of our show. Paul, give our closing. Find us like us, share us
paul_breitbarth: you for listening to get another episode of Serious Privacy Season four, who
K: season four.
paul_breitbarth: If you like the episodes, do tell your friends and colleagues about us [00:53:00] and share the episode with them or share your favorite episodes with them, like and subscribe in your favorite podcast app or on your favorite podcast platform. Join the conversation on LinkedIn via Serious Privacy. You'll just type in, in the search bar Serious Privacy, and you'll find the podcast page. K is still on Twitter as @heartofprivacy. I'm still on Twitter as @EuroPaulB, but you'll also find me on Mastodon as @EuroPaulB email@example.com.
K: I think I joined a Mastodon.
paul_breitbarth: probably if you look for EuroPaulB on Mastodon, you'll, you'll find me too. Shout out to the folks at Tapbots for creating Ivory, which is a great app on iPhone to use. What else?
Reach out via email, via podcast@Seriousprivacy.eu, and that's all for this week. Until next week, goodbye.
K: Bye, y'all.