Masters of Privacy
Interviews and updates at the intersection of marketing, data, privacy, and technology. With an eye on a human-centric, demand-led future in which transparency, control, and personal agency play a crucial role. Sergio Maldonado (host) is a dual-qualified lawyer, entrepreneur, investor, guest lecturer at various universities. LL.M in IT & Internet Law, FIP, CIPP/E/US, CIPT.
info_outline
Daniel Barber (DataGrail): Privacy Tech spotlight II - widespread non-compliance, opt-out challenges, and shadow AI
05/11/2025
Daniel Barber (DataGrail): Privacy Tech spotlight II - widespread non-compliance, opt-out challenges, and shadow AI
Is it possible that a whole generation of consent-management solutions built for the EU-driven opt-in world are unsuitable for the opt-out scenario predominant in the US? How are DPOs and AI Governance professionals to deal with “shadow AI” and “shadow IT”? Daniel Barber is DataGrail’s CEO and co-founder. Prior to DataGrail Daniel led revenue teams at DocuSign, Datanyze (acquired by ZoomInfo), ToutApp (acquired by Marketo) and Responsys (acquired by Oracle). He also advises several high-growth startups. References: (Chrome Web Store) (Masters of Privacy, April 2025)
/episode/index/show/privacycloud/id/36526115
info_outline
Georgia Voudoulaki: beyond compliance - embedding ethical considerations into AI and data governance frameworks
05/04/2025
Georgia Voudoulaki: beyond compliance - embedding ethical considerations into AI and data governance frameworks
Georgia Voudoulaki is Senior Legal Counsel at Bosch, certified Compliance Officer, and adjunct professor at the University of Applied Sciences in Ludwigsburg and the Cooperative State University of Baden-Württemberg in Germany. In addition to her legal and academic roles, Georgia regularly publishes articles in leading legal journals and magazines, contributing valuable insights to the evolving conversation around compliance, digital innovation, and responsible AI. References:
/episode/index/show/privacycloud/id/36429995
info_outline
Gam Dias: Agents Unleashed, understanding the Agentic AI stack
04/27/2025
Gam Dias: Agents Unleashed, understanding the Agentic AI stack
Gam Dias is a seasoned technologist and entrepreneur with a rich background in software engineering, AI, and product innovation. As a consultant, he has helped write the data strategy for Fortune Global 500 companies, innovative startups, and ambitious non-profits. He has a degree in Computer Science from the University of Liverpool and an MBA from Warwick Business School. Gam has lived in London, Leeds, Salt Lake City, Santa Cruz, San Francisco, and he currently lives in and works from Madrid, Spain. Gam’s latest work, Agents Unleashed, distills years of experience into a compelling look at the rise of autonomous AI agents and their growing role in marketing, sales, and beyond. References: (Amazon) (Masters of Privacy, 2021) (Stanford Law School)
/episode/index/show/privacycloud/id/36330955
info_outline
Max Anderson (Ketch): Privacy Tech spotlight I - the future of CMPs, value vs. hype in privacy compliance SaaS
04/13/2025
Max Anderson (Ketch): Privacy Tech spotlight I - the future of CMPs, value vs. hype in privacy compliance SaaS
What is the practical case for combining CMPs and DSAR automation under a single technical solution or software provider? What do DPOs and CPOs struggle the most with when implementing effective privacy programs? Which Privacy Tech features are overvalued or undervalued? Max Anderson is a seasoned product executive with a proven track record of bringing successful technology products to market in the consumer privacy, data management, and marketing space. Prior to Ketch, Max was the Director of Product Management at Krux. After joining Salesforce as part of the Krux acquisition, he ran data privacy and consumer identity products at Salesforce, including the rollout of their industry-leading GDPR solution set. Prior to Krux, Max was a Product Manager at IPG Mediabrands, where he was responsible for multiple successful advertising measurement products. Max holds a BS in Chinese Literature from the University of Colorado. References: Max Anderson, (Masters of Privacy) (Masters of Privacy)
/episode/index/show/privacycloud/id/36115065
info_outline
Andy Dale: DPO vs. CPO, present and future value of Privacy Tech, and the new US administration’s impact on the regulatory landscape
04/06/2025
Andy Dale: DPO vs. CPO, present and future value of Privacy Tech, and the new US administration’s impact on the regulatory landscape
Today we are taking a look at the difference between DPO and CPO roles in the US, the present and future impact of Privacy Tech in the management of privacy programs, the evolution of privacy regulation under the new US administration, and a potential Schrems III scenario. Andy Dale serves as General Counsel and Chief Privacy Officer at OpenAP and holds the position of Executive Board Member at The L Suite (TechGC). With extensive experience as an advisor to various companies, Andy previously worked as General Counsel and Chief Privacy Officer at Alyce, a company acquired by Sendoso in 2024, and as General Counsel and VP of Global Data Privacy at SessionM, which was acquired by Mastercard in 2019. Andy Dale earned a JD in Law from the University of Baltimore School of Law (2003-2006) and a degree from Colgate University (1996-2000). References: (Masters of Privacy) (Masters of Privacy) (Masters of Privacy)
/episode/index/show/privacycloud/id/36025080
info_outline
Tim Turner: UK news spotlight - advertising, reforms, AI
03/30/2025
Tim Turner: UK news spotlight - advertising, reforms, AI
Where is the UK data protection reform headed? How are we to deal with behavioural advertising in the context of sports betting and gambling? Will the UK stay clear of regulating or supervising AI à la EU? Tim Turner has worked on Data Protection, Freedom of Information (FOI) and Information Rights law since 2001. He started at the Information Commissioner’s Office as a Policy Manager on FOI issues. After that, he was a Data Protection & FOI Officer for two councils and then an Information Governance Manager for an NHS (National Health Service) organisation. He has been offering data protection training and consultancy since 2011. Also, Tim is the author of the very popular DPO Daily newsletter and LinkedIn feed. References: ICO: (The Guardian) (Bird & Bird) (Masters of Privacy)
/episode/index/show/privacycloud/id/35923150
info_outline
Theodore Christakis: the GDPR meets Generative AI - trust, hallucinations, and how not to crash your BBQ party
03/22/2025
Theodore Christakis: the GDPR meets Generative AI - trust, hallucinations, and how not to crash your BBQ party
Theodore Christakis is Professor of International and European Law at University Grenoble Alpes (France), Director of the Centre for International Security and European Law (CESICE), Director of Research for Europe with the Cross-Border Data Forum, Senior Fellow with the Future of Privacy Forum and a former Distinguished Visiting Fellow at the New York University Cybersecurity Centre. He is also Chair on the Legal and Regulatory Implications of Artificial Intelligence with the Multidisciplinary Institute on AI, and has been a member of the French National Digital Council, currently serving as a member of the French National Committee on Digital Ethics as well as a member of the International Data Transfers Experts Council of the UK Government. With Theodore we have gone through “the good”, “the bad”, and “the ugly” in the EDPB Opinion on LLMs and personal data. We have also examined the Deepseek affair, as well as the challenges posed by hallucinations in generative AI. References: (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) (Masters of Privacy) Théodore Christakis, Théodore Christakis, .
/episode/index/show/privacycloud/id/35820605
info_outline
Newsroom: Winter 2025. SDKs under fire, AI Agents everywhere, AI Act-GDPR overlaps, major cases and serious fines
03/16/2025
Newsroom: Winter 2025. SDKs under fire, AI Agents everywhere, AI Act-GDPR overlaps, major cases and serious fines
It is time for a seasonal update at the intersection of Marketing, Data, Privacy and Technology. As usual, this Newsroom is divided into five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, Competition and Digital Markets; PETs and Zero-Party Data; and Future of Media. TL;DL: The use of SDKs for data collection/sharing has been a common factor in various fines and lawsuits on both sides of the pond. The EDPB sparked an important debate on personal data-powered AI in the EU. Texas and California went after Allstate and Honda respectively. La Liga (ES), Netflix (NL), Meta (IR), and others received fines. The FTC put an end to personal data sales by General Motors. The My Health My Data Act (WA) was put to the test. AI “reasoning” models exploded, and then AI Agents followed. Garante (IT) blocked DeepSeek and a class action in Germany could have a major impact across the EU. Australia updated its legal framework. The biggest CDP players dissolved into adjacent markets and Google kept marching towards PET-powered AdTech. All references and links can be found in .
/episode/index/show/privacycloud/id/35711880
info_outline
Daniel Solove: On Privacy and Technology
03/09/2025
Daniel Solove: On Privacy and Technology
Daniel Solove has just published a new book, On Privacy and Technology. We went through a few key concepts from it, and also had a chance to revisit other core ideas in the author’s work. Professor Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove is the author of more than 10 books and 100 articles about privacy. He has also written a children’s fiction book about privacy. He is one of the most cited law professors in the law and technology field. Professor Solove has been interviewed and quoted in hundreds of media articles and broadcasts and has been a consultant for many Fortune 500 companies and celebrities. It is to him that we owe the famous taxonomy of privacy harms, as well as very recent papers on Privacy and AI or Privacy and Data Scraping. References: : , .
/episode/index/show/privacycloud/id/35592150
info_outline
Mark Jaffe (Rivian): connected cars, assisted driving, and Privacy by Design
03/02/2025
Mark Jaffe (Rivian): connected cars, assisted driving, and Privacy by Design
What is the best way to address privacy risks in the context of connected cars? Is data minimization compatible with assisted driving? What is the meaning of “Core Vehicle Data”? Mark Jaffe leads the Rivian ethics, compliance and privacy program. This includes ethical culture, compliance oversight, privacy, and investigations. Prior to joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries, spending almost two years in Singapore managing privacy issues in the Asia Pacific region. He has also dealt with data protection compliance in Europe, Middle East, and Africa. Prior to that, Mark spent 17 years at AT&T in global privacy roles as well as global compliance and ethics roles. Our guest is a frequent speaker on a variety of topics related to privacy compliance and data ethics. Mark earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University. References: (9to5Mac, January 2025) (The Register, January 2025) (“It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy”, September 2023) (IAPP, 2023) (Reuters, 2022)
/episode/index/show/privacycloud/id/35503545
info_outline
Mike Hintze: My Health My Data updates, international transfers of US personal data
02/23/2025
Mike Hintze: My Health My Data updates, international transfers of US personal data
An update was due at the intersection of MarTech/AdTech and the My Health My Data Act, with a Washington Consumer Protection Act case against Costco paving the way for the recent class action lawsuit involving the Amazon Ads SDK. Also, the date is approaching for compliance with restrictions on international transfers of US personal data. Mike Hintze is a well-known leader in the field with more than 20 years of experience in privacy and data protection. He has been a partner at Hintze Law since 2016 and prior to that was Chief Privacy Counsel at Microsoft for 18 years. He also teaches privacy law at the University of Washington school of law and has served on multiple advisory boards. He has also testified before Congress, state legislatures or European regulators. References: (Hintze Law) (Masters of Privacy) Written summary: .
/episode/index/show/privacycloud/id/35398915
info_outline
Daniel Rosenzweig: OK, fingerprinting
02/16/2025
Daniel Rosenzweig: OK, fingerprinting
As of today, February 16th, Google’s platform policies allow the collection, sharing and usage of IP addresses and other signals across websites, apps, gaming consoles or Connected TV. This has been perceived as a direct contradiction of the company’s long-term anti-fingerprinting policy. The company is expecting that a growing reliance on Privacy Enhancing Technologies will do away with the resulting privacy risks. Daniel B. Rosenzweig is the Founder & Principal Attorney at DBR Data Privacy Solutions. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels companies on industry mobile app store requirements, AdTech, and privacy-enhancing technologies (PETs). Daniel’s legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients the usual legal services. References: (Masters of Privacy) Sergio Maldonado on PETs and AdTech:
/episode/index/show/privacycloud/id/35305865
info_outline
Markus Wünschelbaum: ripple effects of the new AI Act prohibitions on AdTech and the broader digital economy
02/09/2025
Markus Wünschelbaum: ripple effects of the new AI Act prohibitions on AdTech and the broader digital economy
This was a really eventful week for AI regulation, with the first rules of the AI Act starting to apply on Sunday, February 2nd and the EU Commission releasing Guidelines on Tuesday (prohibited practices) and Thursday (scope of AI systems). To cap it all, a first-ever class action under the new framework (alongside the GDPR and the Digital Services Act) was filed on Wednesday against X-Twitter and TikTok. The following conversation with Markus Wünschelbaum, with a particular focus on digital advertising and AdTech, preceded and rightly anticipated these developments. Dr. Markus Wünschelbaum currently serves as Policy and Data Strategy Advisor to Hamburg’s Data Protection Commissioner Thomas Fuchs. In this role, he advises on key data protection & AI policies and strategic initiatives. Previously, he was responsible for imposing fines, fundamental GDPR issues, and freedom of information. He began his career focusing on the intersection of labor law and data protection, having published an acclaimed doctoral thesis on this topic and working at an international law firm. References: (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) (EU Commission) (EU Commission) (Spirit Legal - Peter Hense)
/episode/index/show/privacycloud/id/35210900
info_outline
Alex Dittel: recent developments in Australian data privacy
02/03/2025
Alex Dittel: recent developments in Australian data privacy
Alex Dittel leads KHQ’s Data Privacy, Cyber and Digital legal practice. He brings over 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia. As a passionate GDPR-native data privacy lawyer, he advises on Australian as well as international data privacy matters. He holds CIPP/A, CIPP/E and CIPP/US certifications from the IAPP. References:
/episode/index/show/privacycloud/id/35120605
info_outline
Data Protection vs. Privacy and Data Privacy: a January 28th conundrum
01/28/2025
Data Protection vs. Privacy and Data Privacy: a January 28th conundrum
What should we celebrate on January 28th? What is the difference between Privacy and Data Protection? What about Data Privacy? Will Data Protection (or Data Privacy) evolve to encompass many of the things we now discuss in the context of AI regulation? We have asked Carissa Véliz (Oxford University), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Markus Wünschelbaum (Advisor, Hamburg Data Protection Authority), Brendan Quinn, and Tim Turner. What do you think? Feel free to participate in the conversation by finding this episode’s post on: Our Spotify feed: Our LinkedIn channel: Our YouTube channel: References:
/episode/index/show/privacycloud/id/35037755
info_outline
NextAI 2025: pondering new ideas at the heart of the Pyrenees (with Alberto Lopez Valenzuela)
01/22/2025
NextAI 2025: pondering new ideas at the heart of the Pyrenees (with Alberto Lopez Valenzuela)
This special mountain retreat will bring together a unique combination of backgrounds and nationalities. NextAI is an initiative of Alberto Lopez Valenzuela and we have asked him to share more details. Alberto Lopez Valenzuela is an entrepreneur with over 25 years of experience in the decision intelligence sector, mainly in the UK and the US. He founded alva in 2009, a London-based AI analytics firm that ended up working with hundreds of blue-chip clients, expanding to New York and establishing the company as an industry leader. In 2021 alva was acquired by US private equity firm Falfurrias Capital Partners and this, together with the incorporation of other companies, resulted in the creation of Penta. Alberto was the Managing Director of its AI division until 2023. In 2024, he founded Ordino Partners, incubating and investing in AI tech startups with a meaningful social impact. As an author, Alberto published The Connecting Leader in 2018. Masters of Privacy is a NextAI partner and Sergio Maldonado (your host) will be attending the event. References: (use this voucher code for an additional 15% discount: PRINXT25)
/episode/index/show/privacycloud/id/34962935
info_outline
Matthew Niederberger: Customer Data Platforms in the face of consolidation, modularization, and privacy compliance
01/19/2025
Matthew Niederberger: Customer Data Platforms in the face of consolidation, modularization, and privacy compliance
What is the future of Customer Data Platforms in the context of recent acquisitions, the modularization of their offerings, and the privacy compliance challenges of first party data activation? Matthew Niederberger is a seasoned Martech consultant with years of experience helping global organizations unlock the full potential of their marketing technology investments. As the founder of MarTech Therapy, his mission is to guide companies in optimizing their Martech stacks to drive better customer experiences and business outcomes. With a deep understanding of Customer Data Platforms and a passion for bridging technology with strategy, Matthew brings both technical expertise and creative insights to the table. Beyond consulting, he shares his knowledge through his podcast and short-form videos, making complex topics accessible and engaging. References: (Masters of Privacy) (Masters of Privacy) (The Register) (Masters of Privacy)
/episode/index/show/privacycloud/id/34915805
info_outline
Dan Stone: how to own our identity, protect personal data, and escape LinkedIn
01/12/2025
Dan Stone: how to own our identity, protect personal data, and escape LinkedIn
Can we introduce greater individual agency in the management of identity? Will that lead to better controls over personal data and less privacy risks? What is the problem with LinkedIn? Are we turning a page in the evolution and potential mass adoption of cryptographic solutions? How can we avoid storing personal information on the blockchain? Dan has spent his career building products from 0-1 at the intersection of predictive analytics, AI/ML, and privacy. He most notably served as a Group Product Manager at Google, where he built Google’s most sophisticated personalized marketing and cross-identity measurement products, Google Analytics and Google Signals, respectively. Prior to co-founding Icebreaker, he served as a Group Product Manager at Coinbase, where he led Consumer Trading, earning a patent for AI-assisted multi-chain intent orchestration. He holds a BS in Management Science from the Massachusetts Institute of Technology. References: (Masters of Privacy) (Masters of Privacy) (Masters of Privacy) (Masters of Privacy) (Berkman Klein Center, Harvard University)
/episode/index/show/privacycloud/id/34824455
info_outline
Carey Lening: Privacy Disasters, Bluesky’s firehose, and the EDPB opinion on LLMs and personal data
01/06/2025
Carey Lening: Privacy Disasters, Bluesky’s firehose, and the EDPB opinion on LLMs and personal data
Carey Lening, JD, CDPP writes, speaks, and consults on data protection, law, technology, and fractal complexity in systems. Currently based in Ireland, Carey has over 20 years of experience in thinking about hard problems and helping people arrive at practical solutions. Besides providing data protection compliance support to select clients, Carey runs Privacat Insights, a newsletter that offers a paid tier with exclusive content, members-only Q&A, a slack channel and a yearly meetup. References: (Jeffrey Pfeffer)
/episode/index/show/privacycloud/id/34730535
info_outline
Lokke Moerel: using personal data in the development and deployment of AI models
12/22/2024
Lokke Moerel: using personal data in the development and deployment of AI models
Lokke Moerel is a leading global expert on new technologies, Artificial Intelligence (AI), Big Data, and the Internet of Things, as well as Morrison & Foerster’s lead counsel on Binding Corporate Rules (BCR), with vast experience advising multinational companies in obtaining their BCR approvals throughout the EU. She has also authored the leading textbook on the subject, published by Oxford University Press. We recorded this interview prior to the publication of the European Data Protection Board’s opinion on AI models and GDPR principles, following both a discussion paper issued by Hamburg’s Supervisory Authority (“Do LLMs contain personal data?”) and an announcement by the Irish Data Protection Commissioner that it would open an investigation into Google’s PaLM model. A separate interview on the same topic, with Jorge Garcia Herrero, was released last week on our Spanish-language channel. References: (Lokke Moerel, Marijn Storm) (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) (PrivacyPod) (DPC) (NOYB) (May 2024) [ES] (Masters of Privacy)
/episode/index/show/privacycloud/id/34572850
info_outline
Jamie Smith: AI Agents, digital identity, wallets and personal data
12/16/2024
Jamie Smith: AI Agents, digital identity, wallets and personal data
Are Personal AI Agents the future of individual empowerment? How can the evolution of digital identity make them a reality? Jamie Smith is the CEO and Founder of Customer Futures, a company focused on digital identity and customer-controlled personal data. He has been working at the forefront of digital transformation for nearly 15 years, helping deliver innovative solutions for some of the world's largest organizations. Jamie has previously worked at Evernym, Ctrl-Shift, BT and Deloitte, before embarking on various recent projects, always in the same space. References: (Masters of Privacy) (Masters of Privacy) (Techcrunch) (Privado.id)
/episode/index/show/privacycloud/id/34461355
info_outline
Rie Aleksandra Walle: revisiting legitimate interest for marketing or analytics after KNLTB, privacy fundamentalism, and how the GDPR lost its sparkle
12/08/2024
Rie Aleksandra Walle: revisiting legitimate interest for marketing or analytics after KNLTB, privacy fundamentalism, and how the GDPR lost its sparkle
Has honour been restored to the Legitimate Interest legal basis after the CJEU Royal Dutch Tennis Association decision and subsequent EDPB Guidelines? Is the GDPR showing signs of rustiness? Has it instead become a new religion? Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast. References: (CJEU decision) Serious Privacy (Podcast): (Masters of Privacy) (Masters of Privacy)
/episode/index/show/privacycloud/id/34333790
info_outline
Matthew Junod: the US-based DPO in the face of AI governance
12/01/2024
Matthew Junod: the US-based DPO in the face of AI governance
How is the role of the DPO (Data Protection/Privacy Officer) evolving in the US? What is the best approach to managing AI governance once a privacy program has been implemented? Matt Junod is a US privacy attorney and Florida native with a prior background in network engineering and security. He has worked in-house, rolling out and managing data protection programs as well as dealing with security and privacy compliance issues. Our guest has also served in privacy leadership roles since 2018, including the DPO position for a large technology services firm, and most recently a leading Internet job board. References:
/episode/index/show/privacycloud/id/34219455
info_outline
Robert Bateman: the EDPB’s Opinion on auditing subprocessors and the future of Meta’s unskippable ads
11/25/2024
Robert Bateman: the EDPB’s Opinion on auditing subprocessors and the future of Meta’s unskippable ads
Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. With Robert, who’s here for a second time, we are going to revisit recent EDPB (or European Data Protection Board) opinions on data processor auditing requirements and Meta’s Consent or Pay model, with its latest twist in mind (a brand new third option with generic, unskippable ads). References: (Masters of Privacy, October 2023)
/episode/index/show/privacycloud/id/34130321
info_outline
Newsroom: Fall 2024
11/18/2024
Newsroom: Fall 2024
Time for a Newsroom summarizing everything that’s happened in our usual areas of focus, although we are dropping the last two (Zero-Party Data and Future of media) this time around. ePrivacy & Regulatory Updates Enforcement On September 5th, . The healthcare software provider collected sensitive personal information, assigning a unique identifier for each patient of the same doctor. This method was considered sufficient to ensure that personal data remained anonymous in order to put together certain comparative studies, but the CNIL concluded that, given the risk of re-identification, it could merely be considered pseudonymized, exposing a breach of the GDPR as a result (for starters, patients had not been informed of additional purposes). A Reference was made to the . On September 27th for storing certain user passwords in plain text files. On October 22nd, alleging that the company relies on legitimate interest to underpin its behavioral advertising practices, in contravention of the CJEU Bundeskartellamt decision. The social network has also been accused of breaching the transparency principle and not responding to data subject requests appropriately. On October 24th, the Irish . The professional social network is not properly applying a valid legal basis for targeted ads and the processing of first party data about their members, despite referring to three separate grounds: consent, legitimate interest and contractual necessity. This has also resulted in a breach of the fairness principle. On October 30th, the California Privacy Protection Agency announced an . This law requires data brokers to register with the CPPA and pay a fee annually. On November 6th, . Citizens are however allowed to keep using the app, as this is considered a personal choice. Legal updates and guidelines On October 4th, the . The latter had imposed a fine on KNLTB for relying on legitimate interest for sharing data with its sponsors for purposes of direct marketing. Five days later, the EDPB requested comments on its draft : It is made clear that this legal basis should not be treated as a “last resort” as it is of equal value to the rest, and a differentiation is made between an interest (or broader benefit that a controller may have) and a purpose (or specific reason why the data is processed). The Opinion has also stated that an interest must be related to the data controller’s activities. On the same day (October 9th), the EDPB adopted its : every controller should extend the diligence they currently have over direct processors to the entire chain of custody, no matter how many degrees apart. On October 16th, the EDPB adopted new : given that very little has changed since they opened up an initial draft for comments, we recorded a pondering the far reaching implications of these Guidelines. Turning our attention to the UK, on October 7th the UK ICO launched its own including self-assessment toolkits and other practical resources. Also, the UK Data Protection reform is back, now with a (with a second reading announced on November 1st). It maintains an exception for analytics cookies that will not require consent. DPOs are back on the table (the previous reform proposal was getting rid of the role). On November 5th EDPB adopted its and a statement on the recommendations on access to data for law enforcement. The redress mechanism has been implemented successfully but it is yet not being widely used. The EDPB has voiced concerns about recent changes to Section 702 FISA and how that could expand the role of private companies in gathering data about EU citizens. MarTech and AdTech On November 12th, , having been told by the EDPB that the current proposal would not be acceptable. A third option (besides paying and relying on behavioral ads) is now available which will use less data and remain mostly contextual. It will also compensate its decreased targeting capabilities with increased audience reach by showing ads (“ad breaks”) that become unskippable for a few seconds. A study conducted by Boston University has concluded that the Protected Audiences API (building on the formerly called FLEDGE protocol, a part of Chrome’s Privacy Sandbox), in the context of retargeting campaigns. On November 5th, David Raab, who back in the day had coined the label CDP (Customer Data Platform), published a provocative piece titled “”. In summary the author argues that all CDPs have already caught up with the modularization that came from sitting on top of more flexible data warehouses, so every single CDP has either become a niche modular component or an all-encompassing, highly-modularized software suite. In sum, the term will not help a Hightouch differentiate itself uniquely any longer. We suggest that you listen to our interviews with and , CEOs of Hightouch and Neuralift AI respectively, for further context. AI, Competition and Digital Markets The community is still recovering from Hamburg’s DPA’s opinion (adopted on July 15th) stating that . The supervisory authority made three key points that we will be covering with some future guests: a) No personal data is stored in LLMs; b) Data subject rights as defined in the GDPR cannot relate to the model itself, but they can be exercised against the provider or deployer of a system built on top of such models, with regards to the input or output of such system; c) The training of LLMs using personal data must comply with data protection regulations. (PaLM 2) on September 12th, with a focus on the DPIA that Google is expected to have undertaken. An released on November 8th found that AI recruitment technologies can filter candidates according to protected characteristics including race, gender, and sexual orientation. On November 13th, in the bundling of its Marketplace feature with the primary Facebook application. So, they have leveraged their control over one market to take control of another, adjacent market, in this case threatening pretty large companies in the classified ads space. That’s it for today! Thanks again for listening.
/episode/index/show/privacycloud/id/33967622
info_outline
Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing
11/10/2024
Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing
The EDPB has finally adopted its much feared Guidelines on the scope of article 5.3 of the ePrivacy Directive, but consent may still be avoided in some cases not specifically covered by an exemption (e.g., analytics). Absent such an exception, and in light of dismal consent rates, publishers and platforms have embraced highly controversial “Consent or Pay” models. Plan C? Server-side processing (Conversion APIs, Enhanced Conversions, Data Clean Rooms…), not without its own challenges. We have gone through all of it with Peter Craddock in his second appearance on Masters of Privacy. Peter Craddock is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. He is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References: (Peter Craddock) Peter Craddock: (including links to more in-depth comments on those guidelines) EDPB (ES) Peter Craddock on Masters of Privacy (February 2024): (Masters of Privacy) (Masters of Privacy) (Masters of Privacy) (Masters of Privacy) (Masters of Privacy)
/episode/index/show/privacycloud/id/33868892
info_outline
Lukasz Olejnik: Propaganda, misinformation, the DSA, Section 230, and the US elections
11/03/2024
Lukasz Olejnik: Propaganda, misinformation, the DSA, Section 230, and the US elections
Dr Lukasz Olejnik (@lukOlejnik), LL.M, is an independent cybersecurity, privacy and data protection researcher and consultant. Senior Visiting Research Fellow of the Department of War Studies, King’s College London. He holds a Computer Science PhD at INRIA (French Institute for Research in Digital Science and Technology), and LL.M. from University of Edinburgh. He worked at CERN (European Organisation for Nuclear Research), and was a research associate at University College London. He was associated with Princeton's Center for Information Technology Policy, and Oxford's Centre for Technology and Global Affairs. He was a member of the W3C Technical Architecture Group. Former cyberwarfare advisor at the International Committee of the Red Cross in Geneva, where he worked on the humanitarian consequences of cyber operations. Author of scientific articles, op-eds, analyses, and books Philosophy of Cybersecurity, and “Propaganda”. He contributes public commentary to international media. References: (on Medium) , by Lukasz Olejnik (Newsletter) Doppelganger in action: (“Journalist or Russian spy? The strange case of Pablo González”), The Guardian (mentioning Chris Lehane’s campaigns), The New Yorker Financial Times: “Pseudo-media”:
/episode/index/show/privacycloud/id/33764522
info_outline
Ben Winokur: data anonymization through AI-generated synthetic data
10/27/2024
Ben Winokur: data anonymization through AI-generated synthetic data
Can we leverage AI-generated synthetic data as a privacy-enhancing or data anonymization solution? How compatible is it with Data Clean Rooms? Will there be a path to effectively anonymize unstructured data? Ben Winokur is the co-founder and CEO of Subsalt, the leading platform for anonymous synthetic data. Prior to Subsalt, Ben worked in a variety of legal, product, and operational roles at Passport, where he first encountered the problem Subsalt solves: privacy and security risks have made it too expensive and difficult to access, share, and analyze sensitive private data. References:
/episode/index/show/privacycloud/id/33632762
info_outline
Monica Meiterman-Rodriguez: automation, data minimization and comparative law in DSRs (US focus)
10/20/2024
Monica Meiterman-Rodriguez: automation, data minimization and comparative law in DSRs (US focus)
Monica Meiterman-Rodriguez is a Partner at Tueoris, an international privacy and security consulting firm, currently residing in Barcelona. She utilizes her US law degree and her experience in data protection and privacy to assist global clients in developing, maintaining, or growing their privacy programs. She has experience supporting compliance across global regulations including US state and federal requirements, EU/UK GDPR, PIPEDA, LGPD, etc. in addition to advising on specialized matters in the AdTech space such as targeted advertising, data analytics, AI and growing industry guidance (e.g., IAB, DAA, etc.). Monica is a member of the New York State Bar, New Jersey State Bar, as well as a Certified Information Privacy Professional (CIPP/US/E) and the Chapter Chair of the IAPP in Barcelona (Spain). References: GDPR Violation: Telecom(BankInfoSecurity) : the DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests.
/episode/index/show/privacycloud/id/33537952
info_outline
Simon Hania (Uber): Uber Ads, vendor audits, location data, AI, and the role of the DPO
10/13/2024
Simon Hania (Uber): Uber Ads, vendor audits, location data, AI, and the role of the DPO
Simon Hania is Global Data Protection Officer at Uber, heading the team that independently advises on and monitors Ubers compliance with data protection laws. In the past Simon held the position of VP Privacy & Security at TomTom and before that various positions in IT service management. Simon is a trained engineer who has learned to love the law. References:
/episode/index/show/privacycloud/id/33435967