Masters of Privacy

Stefan Filipović is a privacy lawyer that began his career at the outset of GDPR enforcement in 2018. Throughout the years, he has built his expertise by working at a law firm focusing on IP and privacy, at a university as a researcher investigating legal challenges in regulating AI-based technology, and as a privacy officer and a counsel for a few Norwegian companies. Today he is a DPO at reMarkable. For several years, he also volunteered at ICANN, and for a period of time, at NIST’s privacy workforce. Beyond his focus on privacy compliance, he maintains a strong passion for information security, computer science, and risk management, as well as corporate governance and finance. References: Stefan Filipović on LinkedIn Black Box Thinking (Matthew Syed) Privacy is hard and seven other myths (Jaap-Henk Hoepman) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Nina Müller and Sergio Maldonado discuss a few recent events across the EU, the UK, and the US: Yahoo/Uber ePrivacy fines, Google Chrome (Incognito Mode) settlement, US Congress Social Media hearing, upcoming UOOM/ Global Privacy Control enforcement across various states, and Spain’s AEPD Guidelines to circumvent cookie consent requirements for high-level Digital Analytics. Please find relevant links and additional updates across all of our usual core sections (ePrivacy and regulatory updates; MarTech and AdTech; AI, competition, and digital markets; PETs and Zero-Party Data; future of media) on the PrivacyCloud website. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Could we re-interpret article 5.3 of the ePrivacy Directive so that the “strictly necessary” (to provide a service) consent exemption gives shelter to the core technical building blocks of advertising solutions making journalism possible? Can we not deal with personal data (should it be involved at all) or behavioral targeting (should it be the case) separately under the GDPR? Peter Craddock helps us answer that question. Our guest is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. Peter is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References: Peter Craddock on LinkedIn Maybe no consent needed for advertising under ePrivacy "cookie" rule? (Peter Craddock) EDPB seeks to redefine ePrivacy – Part II: Overbroad notions and regulator activism? IAB Europe Responds to the EDPB Public Consultation on their Draft Guidelines 2/2023 EDPB ePrivacy Guidelines: Comments Highlighting Risks to Businesses with Digital Activities (Keller and Heckman) Romain Robert: Pay or OK in AdTech - How it started and where it’s going (Masters of Privacy) Renzo Marchini: Unintended consequences of the EDPB Guidelines on storage and access under article 5.3 of the ePrivacy Directive (Masters of Privacy) Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls (Masters of Privacy) Robert Bateman: Consent or Pay (Masters of Privacy) Peter Hense: How first party data will kill CMPs (Masters of Privacy) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Can we take Data Clean Rooms to the next level in terms of baked-in privacy? Damien Desfontaines is a Scientist at Tumult Labs, a startup that helps organizations safely share or publish insights from sensitive data, using differential privacy. Before that, he led the anonymization consulting team at Google, and got his PhD in computer science at ETH Zürich. He maintains a blog that teaches you all about differential privacy. References: Damien Desfontaines on LinkedIn Nicola Newitt: the legal case for Data Clean Rooms (Masters of Privacy) Damien Desfontaines’ blog on Differential Privacy Tumult Labs: Resources and publications on Differential Privacy This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Tejas Manohar is the co-founder and co-CEO of Hightouch. Prior to founding Hightouch, Tejas was an early engineer at Segment, a leading Customer Data Platform (CDP) acquired by Twilio. The following topics have been covered in this interview: Current limitations of Customer Data Platforms (CDP) as a core building block of the marketing data stack The value of composable CDPs and Reverse ETL Privacy compliance challenges of CDPs and customer data integration as a whole Potential overlaps with Data Clean Rooms References: Tejas Manohar on LinkedIn Traditional CDP vs. Composable CDP: What is the difference? Revenge of the silos: How privacy compliance is cutting the customer journey short (Sergio Maldonado) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Molly Martinson is a lawyer at Wyrick Robbins, a Raleigh-based law firm with outstanding privacy compliance credentials. She advises clients on a whole range of applicable privacy frameworks (CCPA, CPRA, FCRA, CAN-SPAM, COPPA, HIPAA), data breaches, laws regulating data brokers, and laws governing website and mobile application privacy policies. She also regularly advises international and U.S.- based clients on the applicability and requirements of the EU General Data Protection Regulation (GDPR). Molly received her B.A., cum laude from Wake Forest University and her J.D. with honors from UNC Schoolors Writing Scholar. She also received the Gressman-Pollitt Award for Excellence in Oral Advocacy. Molly served as a law clerk to the Honorable Robert N. Hunter, Jr. on the Supreme Court of North Carolina and the North Carolina Court of Appeals before entering private practice. References: Molly Martinson on LinkedIn California Consumer Privacy Act Virginia Consumer Data Protection Act Colorado Privacy Act Utah Consumer Privacy Act Summary of the Texas Data Privacy and Security Act (National Law Review) Connecticut Data Privacy Act Florida Privacy Protection Act Montana Consumer Privacy Law Oregon Consumer Privacy Act Global Privacy Control Wyrick Robbins This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Romain Robert is member of the litigation chamber of Belgium’s Supervisory Authority. He worked in various Brussels law firms between 2002 and 2011. Between 2007 and 2011, he was also a researcher at the Research Centre in Law and Society at the University of Namur. In 2011, he joined Belgium’s Supervisory Authority as a legal advisor. He worked as legal officer at the Policy and Consultation Unit of the European Data Protection Supervisor (EDPS) as of 2015 and joined the Secretariat of the European Data Protection Board (EDPB) in May 2018. In April 2020, Romain joined NOYB - an NGO conducting strategic litigation to enforce digital rights - where he was Program Director until July 2023. References: Romain Robert on LinkedIn EDPS Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content Sergio Maldonado, How the Digital Content Directive will break the GDPR NOYB Robert Bateman: Consent or Pay EDPB Guidelines 05/2020 on consent Giovanni Buttarelli (former EDPS), “Privacy 2030: A Vision for Europe” (IAPP) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Renzo Machini is a London-based partner at Fieldfisher's Data and Privacy team. He holds CIPP/E, CIPT and FIP certifications from the IAPP and is well versed in Cloud Computing, Big Data and other technologies overlapping with privacy and GDPR compliance. He has authored "Cloud Computing: A practical introduction to the legal issues" and, prior to becoming a solicitor, he worked for five years as a software engineer at Logica (now CGI), a major independent UK software house. With Renzo we are directly addressing the biggest elephant in the ePrivacy room today: What are the unintended consequences of the EDPB’s recent Guidelines on the technical scope of article 5.3 of the ePrivacy Directive? References: Renzo Marchini on LinkedIn EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive Renzo Marchini, “New Guidance released on the technical scope of Art 5(3) ePrivacy Directive - a landgrab by the EDPB” Renzo Marchini, “Cloud Computing: a practical introduction to the legal issues.” (Cambridge University Press). This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Nina and Sergio run through the most relevant news of the past three months at the usual intersection of marketing, data, privacy, and technology - stopping at a few less commented and yet quite relevant fines, guidelines, or upcoming legal frameworks. In particular, this episode covers: Dark patterns in recent EU enforcement actions EDPB Guidelines on the technical scope of the ePrivacy Directive The 23andMe data breach 40 states suing Meta over Insta/FB’s impact on the mental health of teenagers Best of all, we managed to avoid OpenAI’s drama. With Nina Müller and Sergio Maldonado. References: [ES] AEPD fine resulting from the use of dark patterns in the acceptance of third party recipients (Expansion) Irish watchdog fines TikTok €345M for mishandling kids' data (The Register) 23andMe user data targeting Ashkenazi Jews leaked online (NBC News) EDPB Draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive Dozens of states sue Meta over youth mental health crisis (The Verge) Masters of Privacy - Arielle Garcia: How privacy awareness leads to respectful, effective marketing This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Arielle Garcia combines a really good understanding of the advertising industry with award-winning expertise in privacy and responsible data use. She is the founder of ASG solutions, a consultancy firm specifically focused on helping marketers drive sustainable growth through respectful marketing and was previously UM Worldwide’s Chief Privacy Officer. She holds a JD from Fordham University and has been recognised as a Top Woman in Media and AdTech by AdExchanger in 2023 (as well by others in prior years). In 2021 she was inducted to the American Advertising Federation’s Advertising Hall of Achievement due to her impact on the industry. What we have covered in this episode: The bigger picture of privacy challenges in the digital marketing industry Cookie and pixel inventories Does more data mean better results? Privacy consequences of the new “black box” offerings from the walled gardens Unconsented signals and Conversions APIs US-specific concerns regarding the use of health-related data in programmatic advertising Aligning customer expectations of privacy with business results References: Arielle Garcia, An Industry In Conflict: It’s Time For Tough Questions And Hard Decisions (Ad Exchanger) Arielle Garcia on LinkedIn Arielle Garcia on X This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jeffrey Bustos is the VP, MAD (Measurement Addressability Data) + Commerce at the IAB where he develops industry standards and guides for measurement and addressability solutions to enable revenue growth, efficiency, and scale with a focus in Retail Media Networks, Video / Advanced Television, and Privacy Enhancing Technology. His projects include: Categorization & Definitions Buyers Guide for Retail Media, Data Clean Rooms and Privacy Preserving Solutions Research, and Attention & Engagement Metrics Standards. Previously, Jeffrey worked at GroupM where he led Data & Audience Strategy for eCommerce clients, assisting them with cookieless solutions, audience strategy & activation, as well as data taxonomy & identity resolution for CDPs and Data Clean Room activations. References: Jeff Bustos on LinkedIn Retail Media Networks Buyer’s Guide (IAB) IAB: Navigating the Privacy landscape (video) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Cristiana Santos is Assistant Professor in Privacy and Data Protection Law at Utrecht University, holding a joint international Doctoral Degree in Law, Science and Technology from the University of Bologna, and a Ph.D. in Computer Science from the University of Luxembourg. She is an expert of the Data Protection Unit at the Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. She holds an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA, 2023-2026) to work on technical and legal aspects of data protection. Prior to joining academia, Cristiana was a lawyer and worked as a legal adviser and lecturer at the Portuguese Consumer Protection Organization. Victor Morel holds a Ph.D in Computer Science from INRIA and works at the Security & Privacy Lab of Chalmers University in Gothenburg (Sweden). He is working on usable privacy for IoT applications, and his interests encompass privacy, data protection, networks security, usability and Human-Computer Interactions, applied cryptography, and the broad spectrum of ethics in technology. He is also a member of FELINN’s collegiate council, a French association (1901) defending decentralization, privacy, and free software through popular education. Cristiana and Victor have co-authored a recent paper titled “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls”. With them we are directing our attention to consent walls in the context of publishers and the open market, having already dedicated two recent interviews to the “consent or pay” model as it concerns Instagram and Facebook (ie. Meta). We will also try to understand the challenges and potential conflicts of interest faced by CMP (Consent Management Platform) vendors. References: Cristiana Santos at Utrecht University Victor Morel’s bio and projects Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls (Cristiana Santos, Victor Morel, Viktor Fredholm, Adam Thunberg, 20/9/2023) Upcoming Workshop on Privacy in the Electronic Society - with Victor Morel (Copenhagen, November 26th 2023) EDPB: Report of the work undertaken by the Cookie Banner Taskforce CJEU to consider questions from IAB Europe TCF decision (Techcrunch) German court bans LinkedIn from ignoring “Do Not Track” signals (Townflex) Your Consent Is Worth 75 Euros A Year -- Measurement and Lawfulness of Cookie Paywalls (20/9/2022) IAB TCF 2.2 specification This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jeff Jockisch is an independent data privacy researcher at PrivacyPlan. He is also Chief Privacy Officer and partner at Avantis Privacy. Prior to compiling the largest known database of data brokers, he spent many years working with startups, technology, and data. He studied Organizational Behavior at Cornell and holds a CIPP/US accreditation (IAPP). Our primary questions today: Can the (brand new) California "Delete Act" or the GDPR be sufficient to avoid major AI-powered phishing attacks? Is there anything else that we could do as individuals or businesses? References: Jeff Jockisch on LinkedIn California “Delete Act” (2023) FTC: How to Recognize and Avoid Phishing Scams Privacy Plan Avantis Privacy Permission Slip, by Consumer Reports This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. With Robert we have addressed the recent public outcry about Instagram and Facebook becoming paid services for whoever does not want to see ads or consent to the data processing involved in running them. Given that we have already got used to seeing cookie walls on European news websites (in Germany, France, or Italy), we have aimed to open the wider debate around “Consent or Pay” business models. References: Le Conseil d’État annule partiellement les lignes directrices de la CNIL relatives aux cookies et autres traceurs de connexion Victor Morel, Cristiana Santos, Viktor Fredholm, Adam Thunberg: “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls” Report of the work undertaken by the EDPB Cookie Banner Taskforce IAB Europe Transparency and Consent Framework 2.2 (stops conflating legitimate interest and consent) EDPB Guidelines 05/2020 on consent under Regulation 2016/679 Robert Bateman on Twitter Robert Bateman on LinkedIn Giovanni Buttarelli (former EDPS), “Privacy 2030: A Vision for Europe” Google Privacy Sandbox This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Cory Underwood is a Privacy and Data Analytics Engineer with a strong marketing data technology background and a good knowledge of both US and EU ePrivacy law. Cory supports the data privacy offerings of Atlanta-based Search Discovery (a data strategy and activation company), leveraging eight years of experience in privacy efforts and multiple privacy related certifications to enable clients to understand the impact of privacy changes. With a combined thirteen years of experience in technology, Cory specializes in speaking and writing on his blog (cunderwood.dev) about upcoming privacy changes, allowing readers to take a proactive approach to compliance challenges. In our second interview with Cory we have looked for answers to the following questions: What does it take for Digital Marketers to comply with State-level Privacy laws in California, Virginia, Colorado, and beyond? Will the US internet suffer the fate of European websites, annoying consumers with user-unfriendly consent pop-ups that mean little and cost millions? Why do some US websites insist on replicating the European ordeal if there are no opt-in requirements? What will be the side effects of large platforms adapting to the EU’s Digital Services Act in terms of transparency and return on investment for SMEs? Where will Topics API, the star framework of Chrome’s Privacy Sandbox fall in terms of consent requirements? References: Cory Underwood on LinkedIn Cory Underwood on X Cory Underwood’s blog Search Discovery: An audit of 500 sites for CCPA and Colorado Privacy Act compliance Global Privacy Control Sephora settlement CNIL’s considerations on the Privacy Sandbox and Topics API, July 2023 (FR) Apple’s Link Tracking Protection and other Privacy features in iOS 17 Meta’s Robyn (open framework for Media Mix Modeling) Apple’s Private Click Measurement specification for privacy-first optimization Masters of Privacy: Cory Underwood on Global Privacy Control and a GDPR-compliant Google Analytics (September 25th, 2022) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Katharine Jarmul is a privacy activist and data scientist focused on privacy and security in data science workflows. She’s a principal data scientist at Thoughtworks and has worked at various companies in the US and Germany before that. She is also a frequent keynote speaker at software and AI conferences. Katharine has recently published “Practical Data Privacy” (O’Reilly, 2023), in which she provides a deep dive of Privacy Enhancing Technologies (“PET”), including detailed answers to increasingly common questions: How can we actually anonymize data? How does federated learning work? Can we already leverage Homomorphic Encryption to run analysis or work with data even while it is encrypted? How can we compare and pick the most appropriate PETs? Can we use open source libraries? In our discussion: Can we bring Privacy Enhancing Technologies down to earth for smaller companies to understand and apply them on a regular basis? Are they otherwise the monopoly of Big Tech, and does this mean that a company like Meta ends up becoming the unlikely poster child for Privacy by Design? Can we really speak of a common ethical framework for AI or GenAI? How does a US/Western Europe ethical framework fit within African or Asian cultures? Can we break the convenience barrier when it comes to individual control? References: Katharine Jarmul, Practical Data Privacy (O’Reilly, 2023) Katharine Jarmul on LinkedIn Katharine Jarmul on X Ethics in eCommerce Summit Shoshana Zuboff, The Age of Surveillance Capitalism This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jakob Plesner Mathiasen is an attorney with a focus on Intellectual Property and emerging technologies. He serves as the Secretary for the Danish Society for Copyright Law and is the mind behind the Danish Entertainment Law podcast. He also teaches Entertainment Law at the University of Copenhagen. With Jakob we’ll try to better understand the copyright implications of Generative AI, and this should help many DPOs, CPOs, or innovation managers deal with the intellectual property side of their new AI Governance responsibilities. References: Jakob Plesner on LinkedIn Reuters: “Getty Images lawsuit says Stability AI misused photos to train AI” The Washington Post “‘Game of Thrones’ author and others accuse ChatGPT maker of ‘theft’ in lawsuit” Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (Infosoc Directive) Directive on Copyright in the Digital Single Market (DSM Directive) The Wrap: “Adobe Will Reimburse Firefly AI Users Against Copyright Suits” Microsoft announces new Copilot Copyright Commitment for customers David Bowie and Queen vs. Vanilla Ice Copyright law of Japan (in English) Entertainmentretten (Danish Entertainment Law) Podcast (in Danish) Danish Society for Copyright Law Adrian Sterling: World Copyright Law This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Ito Onojeghuo works with a number of global establishments as an independent Data Protection Consultant, Group Data Protection Officer, and EU Representative. She is also the CEO at ALLNETLAW, which is a leading UK-based IAPP Training Partner. Besides holding an LL.M in Internet law and policy, Ito is a Fellow of Information Privacy (FIP), a Certified Information Privacy Professional, and an Independent Conformity Assessment Advisor for the UK Age Check Certification Scheme (ACCS). With Ito we have addressed a very important topic sitting at the heart of data protection or privacy compliance for every business: Effective Privacy Notices (or “Privacy Policies”). References: ALLNETLAW, an IAPP Training Partner Ito Onojeghuo on LinkedIn Spotify’s recent fine (Sweden) concerning an insufficient privacy notice (in direct connection with the Transparency Principle) Criteo’s recent fine (France), partly based on an insufficient privacy notice (breaching articles 12, 13 GDPR) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology. Visit this episode's blog post on Masters of Privacy for a long list of references and notes. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Nick Baskett is DPO at Holland & Barrett. He has a personal interest in ethics and philosophy, encryption and AI, and he once published a book on Data Protection Impact Assessments. He was also the founder of one of the early Cyber Security consultancies in the UK (Matta). With Nick we have discussed best practices around Data Protection Impact Assessments or Privacy Impact Assessments, including their management at scale in the context of privacy operations, as well as risk assessment efforts associated with Generative AI projects. References: Nick Baskett on LinkedIn EDPB Guidelines on Data Protection Impact Assessments ICO: Data Protection Impact Assessments (guidelines and templates) ICO: Eight questions to ask ourselves in order to manage Generative AI This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Catherine King is a content creator, moderator, enabler and instructor in the fields of data ethics and also the broader data and analytics space. She is currently global head of brand engagement at Orbition. Catherine was recently a speaker at the Ethics in eCommerce Summit in London (put together by the Ethical Commerce Alliance) in which we coincided. With her we have explored a more controversial and practical approach to data ethics, under the acceptance that morals reflect a particular stance in a wide range of really important social issues, rather than a universal truth applicable to all. References: Orbition Group Catherine King on LinkedIn Ethical Commerce Alliance Courtnie Abercrombie: AI Truth and books Decoding Data Ethics to inspire concrete business decisions (Sergio Maldonado) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording: GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union. LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018. The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios). TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024. The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct. Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario - in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available. CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner. FTC enforcement actions involving the use website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom. The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions: 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent 39% are now rejecting

Adam Klee has an impressive resume in the AdTech world, having worked at Disney, Google, NBC, Twitter, Polar, or Spotify. He is the founder of Licorice, a platform that “gives consumers the privacy they want and publishers the data they need”. Adam’s passion for solving this problem comes from both his years developing new ways to help drive better yield for publishers, and his experience as a consumer, where he thinks privacy should come standard. We are covering: Why email-based identity solutions (as an alternative to cookies) are flawed What consumers expect in the media monetization trade-off (ad blockers!) Different degrees of control and convenience, and how consent banners are the opposite of both A formula to rely on other legal bases (such as the GDPR’s legitimate interest) when no individual deduplication is involved. References: Adam Klee on LinkedIn Licorice Licorice featured on AdExchanger: Programmatic Vets Are Behind A Wave Of New Startups Built For A Privacy-First Web Topics API (Chrome Privacy Sandbox) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Eve-Christie Vermynck is a dual-admitted lawyer (civil law, common law) working at Skadden, Arps, Slate, Meagher & Flom. She advises clients on Cybersecurity, Privacy, IT/IP, blockchain and related topics. She is also a member of the Data Law Committee at The City of London Law Society. With Eve-Christie we are going to discuss the specific practical steps when it comes to dealing with personal data breaches in the UK or the EU. References: Eve-Christie Vermynck on LinkedIn Eve-Christie Vermynck’s full profile (Skadden) Twitter’s 2023 data breach Aftermath of the Royal Mail’s cyber-attack ICO’s guidance on personal data breaches This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

As a lawyer turned entrepreneur, Dr. Mattia Fosci combines privacy and AdTech expertise. He is the founder and CEO of Anonymised, an advertising platform that helps publishers understand and monetise their audiences at scale across all browsers and devices, using only anonymous data. We have covered or touched on: The many limitations of contextual advertising and why it will not solve the most pressing issues How ID-based alternatives are worse than cookies The manner in which browsers are exercising greater control over the open web The deafening noise in the AdTech market when it comes to cookieless solutions, and how overwhelming this is for publishers with limited technical resources The competitive issues arising from cross-site interest-based cohorts (à la Topics API in the Google Privacy Sandbox) How to get advertisers and their media agencies to dare turn their backs on a highly defective status quo - thus allowing publishers to move away from their own mouse wheel. References: Mattia Fosci on LinkedIn Mattia Fosci on Twitter Anonymised This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies: Spain’s AEPD issued a decision on the use of Google Analytics by the Royal Academy of Spanish Language (“RAE”), becoming the first EU Data Protection Agency to see the glass half full in the use of the widespread digital data collection service (having been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling - and in this regard aligned with the CNIL’s long-standing guidelines for the valid use of the tool. At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NS2 Directive (or v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to “essential sectors” (such as energy, banking, health, or digital infrastructure). Across the Channel, the UK’s Data Protection Agency (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either such tool or the guidelines provided by the European Data Protection Board will be considered valid. Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope to agree on a common approach in the face of multiple NOYB complaints across the EU) and the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the “Reject All” button in a second layer - which most notably leaves Spain’s AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on second layer; b) a reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies. The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and getting many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale. All of which can easily lead us to the latest update on the EU-US Data Privacy Framework: The EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the data protection review court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it with the hope of issuing an adequacy decision by July 2023. This would do away with all the headaches derived from the Schrems II ECJ decision (including growing pressure to store personal data in EU-based data centers), were it not for the general impression that a Schrems III challenge looms in the horizon. In the United States, long-awaited new privacy rules in California (CPRA) and Virginia (CDPA) entered into force on January 1st. Although both provide a set of rights in terms of ensuring individual control over personal data being collected across the Internet (opt-out, access, deletion, correction, portability…), California’s creates a private right of action that could pave the way for a new avalanche of privacy-related lawsuits.In any case, only companies meeting a minimum threshold in terms of revenue or the amount of consumers affected by their data collection practices (both of them varying across the two states) will have to comply with the new rules. Lastly, Privacy by Design will become ISO standard 31700 on February 8th, finally introducing an auditable process to conform to the seven principles originally laid out by Anne Cavoukian as Ontario(Canada)’s former Data Protection Commissioner. Enforcement updates It’s been interesting to see how continental Data Protection Agencies (“DPAs”) keep milking the cow of the ePrivacy Directive’s lack of a one-stop-shop for US or China-based Big Tech giants. The long-awaited ePrivacy Regulation never arrived to keep this framework

Nicola Newitt is a UK qualified lawyer who trained in private practice and worked at Slaughter and May before moving in-house to start her privacy career in Bupa’s international health insurance business. She is now Senior Privacy and Product Counsel at InfoSum, a leading Data Clean Room. With Nicola we have covered a very hot topic for anyone in the Marketing Technology or AdTech spaces. Our discussion included the following questions: Who’s the controller and who’s the processor in a Data Clean Room scenario? Do we have a joint controllership when for instance a publisher or a retailer partners with a consumer brand? Which legal basis do we rely on for each of its three main use cases? Can different options at data activation level alter our legal approach or safeguards? How does an independent Data Clean Room compare to a Walled Garden Clean Room from a privacy point of view? References: InfoSum documentation FashionID case EDPB Guidelines on targeting of social media users EDPB Guidelines on the concept of controller and processor Experian vs. Information Commissioner’s Office This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Joana is Partner at Cuatrecasas, where she leads the Technology, Media and Telecom team. She has also worked for 3 years at ANACOM, Portugal's telecom and media regulator and one of the two supervisory authorities when it comes to the ePrivacy Directive in Portugal, the other being the Portuguese Data Protection Authority. Besides being fully versed in the opportunities presented by blockchain technologies, and having advised startups in the crypto space, Joana is co-author of the chapters on Portugal in The Privacy, Data Protection and Cybersecurity Law Review, 7th Edition (2020) as well as other relevant publications and I was happy to find out that she is also a Queen Mary’s University alumni (as I am myself). With Joana we will cover: Challenges of decentralized technologies in the management of personal information The web3 opportunity for increased individual agency and control Specific issues: right to be forgotten, international data transfers, roles (who is a data controller?), data breaches The European Digital Identity References: Joana Mota Agostinho on LinkedIn Chris Topalis (2021): Web3 & DAOs, What are they? Elizabeth Renieris (2019): Forget erasure. Why blockchain is really incompatible with the GDPR Introduction to the European Digital Identity initiative This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Sunny Seon Kang is Global Privacy Counsel at VISA, specializing in AI Governance and Privacy Enhancing Technologies. She is well versed in comparative privacy law across the US, the EU and the UK. She has studied at Stanford and Berkeley in the US, as well as UCL in London, and is a member of the New York Bar. With Sunny we are discussing a highly complex but very exciting topic: Privacy-Preserving Machine Learning, as well as a more generic understanding of Privacy Enhancing Technologies. References: Sunny Seon Kang on LinkedIn US Algorithmic Accountability Act (Proposal) EU AI Regulation (Proposal) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Tim Walters is a strategist, analyst, advisor, and speaker sitting at the intersection of data privacy, customer experience, and marketing strategy. Privacy Lead at Content Advisory, as well as founder of Zero Theory, Tim previously founded The Digital Clarity Group. He has also been a Senior Analyst at Forrester Research. Some of his keynotes and publications include: “The Total Impossibility of Customer Experience Management”, “Data Privacy Goes Mainstream: An Unexpected Opportunity For Customer Experience”, and “Trust Is Imperative in the Customer Experience Era.” References: Tim Walters on Twitter Tim Walters on LinkedIn Ireland’s Data Protection Commissioner decisions on Facebook and Instagram An analysis of the DPC decisions, the options on the table, and some potential consequences (Sergio Maldonado) Peter Hense on Masters of Privacy: How first-party data will kill CMPs This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jose Belo (FIP, CIPP/E, CIPM) is a legal professional and Data Protection Officer, specialized in data protection, privacy and compliance. Jose is currently an International Research Fellow at the ISLC at the University of Milan (Italy). His last professional engagement was as Head of Data Privacy at Valuer.ai, an AI-powered tech company from Copenhagen, Denmark. Since January 2022, Jose has been appointed as a Member of the IAPP European Advisory Board. Jose is also, currently, co-chair of the IAPP Copenhagen Chapter. Formerly, Jose was co-chair of the Portugal and Luxembourg Chapters of the IAPP. We cover, in this order: The need for data protection professionals to take on AI-related compliance challenges How to address upcoming AI-powered MarTech and AdTech scenarios References: Jose Belo on LinkedIn Jose Belo at PrivSec Global IAPP Contributions by Jose Belo This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Sandy Tsakiridi is a ​​dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London. Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP). We cover, in this order: What can we expect from the upcoming EU Artificial Intelligence Act? What does it take to deploy an AI Governance Framework in the Financial Services sector? References: Draft EU AI Act Sandy Tsakiridi on LinkedIn Recorded contents of the Legal AI Summit (Sandy was a speaker in 2022) Upcoming changes to UK Data Protection laws This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Brendan Quinn (Esq.) is a qualified Irish Solicitor, New York Attorney, and Fellow of the Chartered Certified Accountants (FCCA), holding an LL.M from University College Dublin and Higher Diplomas in Computer Science and Data Analytics, as well as a postgraduate in Financial Technology. He is also the author of Data Protection Implementation Guide: A Legal, Risk and Technology Framework for the GDPR (Wolters Kluwer, September 2021). Among other things, our guest helps innovative software companies in their compliance with Privacy by Design and data security requirements, including data anonymization research and DPIAs. We cover, in order: Things that tend to be missing in Data Protection Impact Assessments (DPIA) New avenues for GDPR enforcement stemming from the Whistleblower Directive and the Collective Redress Directive Interplay between the GDPR and data protection provisions contained in the new Digital Services Act and Digital Markets Act. References: Data Protection Implementation Guide: Discount code for 25% off on the Wolters Kluwer website (valid until December 31st 2022): 25EOY2022 Brendan Quinn on LinkedIn EU Whistleblower Directive EU Collective Redress Directive This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. References: Full Newsroom (Fall 2022) Tara Taubman-Bassirian on the Instagram fine Peter Hense on valid consent Cory Underwood on Google Analytics and Sephora Derek A. Lackey on Joe Biden’s Executive Order (a marketer’s perspective) Stephan Grynwajc on Joe Biden’s Executive Order (a lawyer’s perspective) Selected updates: Enforcement Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels. Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform. The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NYOB against companies using either Google Analytics or the Facebook pixel. Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web. Legal updates It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud. For its part, the UK wants out of the GDPR and this could actually result in a more dynamic environment (it relied on an Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives. Future of media Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users - starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Stephan Grynwajc is admitted as a lawyer in the EU, the UK, the US and Canada, having worked as a privacy practitioner and DPO in both Europe and North America for the last 20 years. His own law firm offers external DPO services to EU/UK and US/Canada-based companies. Stephan is also a partner specialized in international privacy at Outside GC, a bicoastal US law firm. Stephan publishes regularly on various privacy topics, including for the IAPP Privacy Advisor. He is also an Adjunct Professor on privacy and data protection at various universities. References: Privacy at the Crossroads: A Comparative Analysis of Regulation in the U.S., the EU and Canada Joe Biden’s Executive Order Summary of Privacy laws in Canada Law Office of S. Grynwajc (and LinkedIn Page) Outside GC IAPP Privacy Advisor This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Derek A. Lackey is Managing Director of Newport Thomson, a Privacy Agency based in Toronto. With more than 30 years of marketing, advertising and privacy experience, he is focused on data protection & privacy and its effect on the brand. Derek is the author of “CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians”, and looks to simplify the implementation of new data management practices within organizations. This will be the first of two separate perspectives on the basic premises that make EU-US data transfers so difficult (in the aftermath of Joe Biden’s Executive Order paving the ground for the Data Privacy Framework). We will also get a first impression of the Canadian scenario as an interesting blend of both approaches. References: Newport Thomson Derek A. Lackey on LinkedIn Joe Biden’s Executive Order Max Schrems’ first reaction to the EO CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Peter Hense is a partner at Spirit Legal, Germany. He specializes in data privacy litigation, particularly in the area of Advertising Technology. In this episode we discuss the uselessness and potential demise of Consent Management Platforms (CMPs) in a first-party data future. We will also touch on Data Clean Rooms and whether they actually deserve the label. References: Peter Hense on Twitter Spirit Legal Introductory article (Sergio Maldonado) Brave’s announcement: Automated removal of consent pop-ups Consent-O-Matic: OneTrust files patent to circumvent CMP blockers (Vice Media) Tilman Herbrich on Data Clean Rooms This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Tara Taubman-Bassirian is a French lawyer specialized in Privacy, Internet law and Intellectual Property. She is a published author, for many years raising awareness of privacy, data protection and cybersecurity issues. Tara has also launched an initiative, Fly A Kite, to raise cybersecurity awareness especially to keep kids safe online. She also holds an LLM from Queen Mary University. References: EDPB’s binding decision on the Instagram case Instagram’s 405m EUR fine Tara’s website: Datarainbow Tara on LinkedIn This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Cory Underwood combines in-depth technical expertise in the MarTech and Analytics space with a thorough understanding of the ePrivacy legal framework. He has hands-on experience in Distributed System Design, A/B Testing, Tag Management or Analytics - and writes extensively about the intersection of digital analytics and cross-border privacy compliance. References: Cory Underwood’s blog Global Privacy Control Sephora settlement CNIL’s suggestions for a GDPR-compliant Google Analytics deployment California Age-Appropriate Design Code Act American Data Privacy and Protection Act This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Mike J. Schmidt has extensive experience as an Advisor and Solutions Architect working worldwide in Identity Access Management (IAM), Data Privacy, and AI. He was one of the founders of MyData Global’s Canada Hub and has recently relocated to Spain. Together we are revisiting a few key topics: personal agency, identity, informed consent, MyData Operators, and AI. References: Celine Takatsuno on MyData business models Paloma Llaneza on Consent Commons (Spanish) MyData 2022 MyData Operators Privacy Identity Protection Service This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Hi again! We are bringing our regular “Newsroom” updates to this channel, covering quarterly news on five particular topics: ePrivacy and regulatory framework MarTech and AdTech in a Privacy-First world Competition and digital markets Zero-Party Data and Customer Centricity The future of media We will add relevant links on a subsequent blog post. Please find more information and resources on mastersofprivacy.com This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Maciej Zawadziński is an AdTech and MarTech expert, founder of several successful companies and online privacy rights advocate. Striving towards more conscious data use and a healthier digital advertising ecosystem, Maciej is currently devoting his knowledge and skills to developing Piwik PRO – a privacy-focused analytics platform, the perfect alternative to Google Analytics. We have debated the immediate consequences of recent developments concerning the use of Google Analytics in the European Union, as well as other important topics for Marketing Technology and Digital Analytics professionals: valid consent, sample sizes, the avoidance of cookie banners altogether, and the future of data-driven marketing. References: Maciej on Twitter Marketing, Technology, and Privacy: Forecast for 2022 Austrian decision on Netdoktor’s use of Google Analytics CNIL’s guidelines to avoid cookie banners when using web measurement tools (FR) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Celine Takatsuno is our most recent addition to the PrivacyCloud team. We have asked her to help us understand the current status of the various business models falling under the umbrella of a set of principles that the MyData Global organization has come to embody: human-centric control of personal data, individual empowerment, transparency, interoperability, etc. More specifically, we have gone through the same list I had put together in a 2019 article, “MyData Business Models”: Privacy Enhancement Tools, User Rights Management platforms, Self-Sovereign Identity tools, Personal Data Stores, Brand Relationship Management tools, Declared Data Platforms, Attention Management and survey-based market research tools, and Personal Data Marketplaces. About M Celine Takatsuno Celine's been working in data, technology, and privacy spaces for more than a decade. Before joining us at PrivacyCloud, she was working on a couple of personal data projects, one in healthcare and one in e-commerce. She's founded three startups, consulted with a dozen more in media, marketing, and 'tech for good', and early on, led business and strategy teams for industry pioneers like Commission Junction. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

As an answer to the obvious legal challenges of ID-based, cross-media deduplication (currently greater than those faced by third-party cookies), Google Chrome’s Privacy Sandbox, and its related W3C Working Group, provides a framework for advertisers and publishers to leverage a browser-level interest graph while preserving anonymity, through the use of aggregate data and minimum audience thresholds. As key drawbacks, there is little control on the consumer side, and local storage could result in data leaks when coexisting with either shared-identity, third-party cookies, and platform-specific IDs or walled gardens. We will address these and other issues from a legal perspective (ePrivacy + GDPR, mostly), and your humble host (Sergio Maldonado) will be on his own for this particular mission. References: The State of Cookieless (on Medium) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Gabriela Zanfir-Fortuna is a Senior Counsel for Global Privacy and EU data protection law at the Future of Privacy Forum and former legal officer for the EDPS (Brussels). She holds a PhD in data protection law. References: Dr. Gabriela Zanfir-Fortuna on Twitter Proposal for an EU Regulation on Artificial Intelligence Japan’s Personal Information Protection Commission Kenya Data Protection Act (PDF) Brazilian Data Protection Law (as translated into English and made available by the IAPP) South Africa’s Data Protection Law (POPIA), as summarized by the National Law Review Training courses at the Future of Privacy Forum: Understanding Digital Data Flows This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Lisa LeVasseur is an MBA technologist with a background in Computer Science and Philosophy. Lisa began strategic work in cellular telecom industry standards in the late ‘90s while at Motorola. Since then, she has participated in 3GPP, 3GPP2, MEIF, WAP Forum, IETF, W3C, IEEE and Kantara Initiative. The Me2B Alliance is setting the standard for respectful technology. It is backed by a group of software engineers, policy analysts, UX experts, business and philanthropic leaders who are committed to giving individuals more say in how technology treats people. References: Me2B Alliance Me2B Principles and explanatory video Lisa LeVasseur on LinkedIn Digital Harms Dictionary This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Katharina Weimer is a partner in the privacy team of Fieldfisher and located in the Munich office. She has been advising her clients in the data protection landscape for more than 12 years with a focus on international companies. Kirsten Ammon is a lawyer of Fieldfisher's IT and privacy team in the Hamburg office. She develops practical privacy solutions for her clients that are mainly located in Europe and the US. References: Latest draft of the EU ePrivacy Regulation (EU Council mandate, February 10th 2021) EDPB’s Statement 3/2021 on the ePrivacy Regulation (European Data Protection Board, March 9th 2021) Planet 49 ruling (Court of Justice of the European Union, October 2019) Katharina A. Weimer LL.M. (Fieldfisher) Kirsten Ammon (Fieldfisher) This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi as a Certified Informational Privacy Professional and serves as the outsourced privacy office for companies. References: Red Clover Advisors Jodi Daniels on LinkedIn International Association of Privacy Professionals California Consumer Privacy Act This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Sille Sepp serves as the Programmes Lead for MyData Global, an international nonprofit aiming to empower individuals by improving their right to self-determination regarding their personal data. With a background in Sociology and Urban Governance, Sille is especially keen to explore the MyData concept in the urban context, and the implications of digital technologies and the data economy on society. References: Sille Sepp on Twitter MyData Global Declaration EU Data Governance Act This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Elizabeth Renieris is the Founding Director of the Notre Dame IBM Technology Ethics Lab, a Technology and Human Rights Fellow at the Carr Center for Human Rights Policy at the Harvard Kennedy School, and a Fellow at Stanford's Digital Civil Society Lab. She's an expert in cross-border data governance, and the ethical and human rights implications of emerging technologies. References: Elizabeth Renieris on Twitter Notre Dame IBM Technology Ethics Lab Harvard’s Carr Center for Human Rights Policy Stanford’s Digital Civil Society Lab Laura DeNardis, The Internet In Everything, Freedom and Security in a World with No Off Switch Sun-ha Hong, Technologies of Speculation This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe