The Privacy Advisor Podcast

The complexity and significance of international data flows have long been one of the major issues for privacy and digital responsibility professionals. In the last decade, two major frameworks - the EU-US Safe Harbor and EU-US Privacy Shield agreements - were both invalidated by the Court of Justice of the European Union. The EU-US Data Privacy Framework, however, remains intact, though it has faced one legal challenge in the last year. Bill Guidera, who serves as deputy assistant secretary in the U.S. International Trade Administration, leads a team that helps drive policy conditions for US digital, financial, supply chain and other service industries to innovate domestically and abroad. The team plays a significant role in administering and overseeing the DPF and plays a key leadership role on behalf of the US in the Global Cross-Border Privacy Rules Forum. IAPP Editorial Director Jedidiah Bracy caught up with Mr. Guidera to discuss how the DPF is faring, the Latombe legal challenge to the framework, as well as the latest updates to the CBPR Forum, recent reciprocal trade agreements with Argentina and Bangladesh, and the ITA's work in artificial intelligence. Here's what he had to say.

It's no secret that large language models and artificial intelligence systems require massive amounts of data, which often runs up against fundamental privacy principles like purpose limitation and data minimization. Privacy and data protection laws - like the EU General Data Protection Regulation - feature concepts like the right to be forgotten and data subject access requests. But these are often in tension with modern AI systems. Some tools, however, are emerging. One of those methods is "machine unlearning," a suite of approaches to help remedy deletion requests of information that's already been used to train an AI model. Jevan Hutson, acting assistant professor and director of the Tech-Law Clinic at the University of Washington School of Law, recently co-wrote a law review article on machine unlearning and its implications for privacy law. In this episode, Hutson explains the concept of machine unlearning and how its suite of techniques can add to the tool belts practitioners and regulators alike.

The Asia-Pacific region is home to more than half the world's population - at 60% - with approximately 4.75 billion people. In recent years, India and Vietnam, to name just two, have enacted comprehensive data protection laws. Near the end of 2025, India finalized its highly anticipated regulations for the Digital Personal Data Protection Act and Vietnam's Personal Data Protection Law became effective on the first of January this year. Hogan Lovells Partner Charmian Aw has long practiced in the region, specializing in APAC data protection, privacy, AI governance and cybersecurity law and offers developments of the region in the IAPP's Asia-Pacific Dashboard Digest. She also joined the IAPP Publications Advisory Board this year. While attending the UK Data Protection Intensive in London, IAPP Editorial Director Jedidiah Bracy sat down with Charmian Aw to discuss the latest developments in the region, specifically regarding India and Vietnam. Here's what she had to say.

The California Privacy Protection Agency was formed six years ago as mandated by the California Privacy Rights Act. As the first dedicated privacy regulator in the U.S., CalPrivacy - as it's called colloquially - implements and enforces both the CPRA and California Consumer Privacy Act. Under the state's Delete Act, it also oversees California's data broker registry and the Delete Request and Opt-Out Platform, known as DROP. Tom Kemp serves as executive director for CalPrivacy and is almost a year into his tenure after taking on the role in April 2025. On 1 January 2026, the DROP system went into effect and now boasts more than 215,000 registrants with more than 500 registed data brokers. The agency is also implementing a number of regulations in the state, including for automated-decision making, risk assessments and cybersecurity audits. IAPP Editorial Director Jedidiah Bracy caught up with Tom Kemp to learn more about the DROP system and the agency's priorities in the year to come.

Goodwin Partner Omer Tene has long had his finger on the pulse of privacy and AI governance developments and trends. He advises clients on a wide range of issues, from data protection, artificial intelligence, technology, cybersecurity and beyond. As we head into a brave new 2026, IAPP Editorial Director Jedidiah Bracy caught up with Tene to discuss the big issues he sees playing out this year, from a changing geopolitical environment to US state privacy and AI legislative activity, from kids privacy and safety issues to digital reform in the EU.

On November 19, the European Commission unveiled two major omnibus packages as part of its European Data Union Strategy. One package proposes several changes to the EU General Data Protection Regulation, while the other proposes significant changes to the recently minted EU AI Act, including a proposed delay to the regulation of so-called high-risk AI systems. Laura Caroli was a lead negotiator and policy advisor to AI Act co-rapporteur Brando Benifei and was immersed in the high-stakes negotiations leading to the AI regulation. She is also a former senior fellow at the Center for Strategic and International Studies, but recently moved back to Brussels during a time of major complexity in the EU. IAPP Editorial Director Jedidiah Bracy caught up with Caroli to discuss her views on the proposed changes to the AI Act in the omnibus package and how she thinks the negotiations will play out. Here's what she had to say.

Lorrie Cranor has long been a leader in the privacy space. As Director and Bosch Distinguished Prof. in Security and Privacy Technologies at Carnegie Mellon's CyLab Security and Privacy Institute, Prof. Cranor is on the cutting edge of usable privacy and security. Her work has influenced researchers to view privacy as a fundamental design standard rather than an abstract ideal and has helped reshape the technology field with more than 200 co-authored research papers on online privacy and security. She has also served as chief technologist at the US Federal Trade Commission and co-founded Wombat Security Technologies, among many other initiatives. Much of her work has focused on understanding how people interact with digital systems and where those systems failed. But, Prof. Cranor is also a mom and has raised three children. She has published new, illustrated book, called Privacy Please!, which Is geared for children aged 4-6, to help them and their parents understand what privacy means and why it matters. IAPP Editorial Director Jedidiah Bracy caught up with Prof. Cranor to discuss her new book, what inspired it, and how this book can help children develop a sense of privacy, autonomy and expression. We also discuss some of the broader children's privacy issues that are emerging in jurisdictions around the world, including through social media bans and age verification laws. Here's what she had to say.

Anu Talus was elected Chair of the European Data Protection Board in May of 2023. The EDPB, which was established in 2018, ensures that the EU General Data Protection Regulation and Data Protection Law Enforcement Directive are consistently applied in the EU. It also provides general GDPR guidance, adopts findings to ensure the GDPR is implemented consistently across member nations, advises the European Commission on data protection matters, and encourages DPAs to work together. In other words, leading the EDPB is no small task, especially in an increasingly complex digital marketplace during the dawn of the AI Era. While here in Brussels, IAPP Editorial Director Jedidiah Bracy sat down with Chair Talus during an especially significant week in EU data protection on the eve of the release of the EU's Digital Omnibus package, which proposes to amend parts of the GDPR and other EU digital regulations. In this wide-ranging conversation, Bracy and Talus discuss the EDPB's priorities and work in these transformative times.

As artificial intelligence continues to coalesce in the modern economy, AI governance only grows in significance. Brenda Leong, director of ZwillGen's AI division, and Andrew Burt, CEO of Luminos, have long been on the front lines of AI's emergence and busy helping organizations navigate this space. In a first for The Privacy Advisor Podcast, we're featuring a guest host, my colleague Alex LaCasse, a staff writer here for the IAPP. LaCasse has been covering compliance technology for the IAPP in recent years and recently caught up with Leong and Burt to learn more about their work in AI governance and the strategies and tools they leverage to help companies maintain customer trust.

On 4 Sept., the Court of Justice of the European Union gave its highly anticipated decision in the EDPS v. SRB case. In its landmark ruling, the CJEU clarified the definition of personal data under the EU General Data Protection Regulation, and, in essence, the scope of EU data protection law. For Ulrich Baumgartner, a partner at Baumgartner Baumann and IAPP Country Leader for the DACH region, the ruling demonstrates a continued "relative approach" by the court, but it also provides a significant clarification against what he believes has been an "absolutist" approach by the European Data Protection Supervisor and other EU data protection authorities. Though the ruling provides important clarity for personal data, pseudonymity and anonymity, it also raises other questions. Either way, there are concrete takeaways for data protection professionals. IAPP Editorial Director Jedidiah Bracy recently caught up with Baumgartner to discuss the implications of the ruling, including what it can mean for the Data Act, data processing agreements and more.

Ruby Zefo has long been a leader in the fields of privacy, data protection and cybersecurity. She was the first chief privacy officer at Uber, where she served from 2018, helping lead the company's efforts to protect and enable user data. She has done so while Uber continues to innovate its technology amid a dramatic increase in digital laws around the world. Earlier this year, Zefo announced her retirement from Uber and her next move as a fellow at Stanford University's Distinguished Careers Institute. IAPP Editorial Director Jedidiah Bracy caught up with Zefo to discuss her work building a privacy team at Uber and how she has navigated—and led—in an increasingly complex and challenging world.

Nearly a year ago, the IAPP expanded its mission in response to a rapidly changing digital environment to include AI governance, digital responsibility and cybersecurity law. The mission expansion took place a year after the IAPP hired Ashley Casovan to lead its first-ever AI Governance Center. Since then, Casovan has led the development of the center, which includes work helping to inform AI governance training and certification, a forthcoming AI governance textbook, and the AI Governance Global conferences. Casovan came to the IAPP after leading the Responsible AI Institute as its executive director and previously worked for the Canadian government as director of data architecture and innovation. She's currently drafting a skills competency framework for AI governance. Situated in Montreal, Casovan trekked south to spend time at IAPP headquarters in Portsmouth, NH. While here, she and IAPP Editorial Director Jedidiah Bracy discussed the makings of an AI governance professional. What skills are required and what is she seeing in this evolving profession? Here's what she had to say.

As the privacy profession surpasses the quarter-century mark and enters into a brave new world of artificial intelligence and digital entropy, it's worth taking a look back to assess how far the profession has come. That's exactly what long-time privacy pro Stephen Bolinger embarked upon when he decided to film a documentary on the rise of the privacy profession. "Privacy People" explores the veritable plethora of interpretations of the privacy concept through the voices of some of the profession's most seasoned and respected privacy leaders. Bolinger said he felt there was a really compelling story to tell. By juxtaposing on-the-street interviews with individuals to sit down discussions with some of privacy's luminaries in government, industry, civil society and academia, "Privacy People" looks at how this dynamic profession has grown and changed over the years, as well as recognizing the prominent role women have played throughout its evolution. Earlier this year, IAPP Editorial Director Jedidiah Bracy sat down with Bolinger to discuss the impetus for his documentary and how he went about filming "Privacy People."

As chief privacy officer of the biggest city in the United States, it's safe to say that Michael Fitzpatrick doesn't have your normal, run-of-the-mill job. As part of New York's Office of Technology and Innovation, the Office of Information Privacy provides guidance to more than 175 agency privacy officers across the city. It also works closely with the city's Cyber Command and has partnered with the Cities Coalition for Digital Rights and the Biometrics Institute. IAPP Editorial Director Jedidiah Bracy caught up with Fitzpatrick to learn more about his work as CPO of New York City, how his office works across government and what he sees as some of the biggest challenges in privacy and cybersecurity.

Autonomous robots with embedded artificial intelligence are growing more common across industry sectors. So-called "embodied AI," collects vast amounts of data through its sensors and changes how humans interact with technology. As embodied AI becomes more common and continues to drive innovation, it also creates new challenges for ethical uses of data and personal privacy. Erin Relford is a privacy engineer at Google and has worked in the embodied AI space. In a recent article for the IAPP, she wrote that "existing privacy mitigations may be insufficient for human-robot interactions." That's why she helped create a robotics privacy framework to "promote privacy-preserving design" in the "responsible deployment of robotics with embedded AI. IAPP Editorial Director Jedidiah Bracy caught up with Erin to discuss her work in this vanguard space.

Privacy law and technological advancements have a deep and intertwined history that go back to at least the 1890s with Samuel Warren and Louis Brandeis's article "The Right to Privacy," which was prompted by camera technology. George Washington University Law Professor Dan Solove has long studied and written about privacy law. He published several well-known books including "Nothing to Hide: The False Trade Off Between Privacy and Security" and co-authored "Privacy Law Fundamentals," which is published by the IAPP. Solove recently published a new book, "On Privacy and Technology." IAPP Editorial Director Jedidiah Bracy caught up with Solove just before the book was published to discuss it and whether the regulation-versus-innovation trade-off is a fallacy, why the notice-and-choice paradigm hasn't worked for consumers, and where the future will take privacy, AI, and cybersecurity law and regulation.

Australia made waves in 2024 after it passed an amendment to the Online Safety Act of 2021, which introduces a legal minimum age of 16 to create and use an account for certain social media platforms in Australia. It also requires platforms within scope to implement age-gating practices. As Australia's first eSafety Commissioner, Julie Inman-Grant, whose agency administers the Online Safety Act and the Social Media Minimum Age amendment, has been at the forefront of regulating online safety since her appointment in 2017. With a background in the private sector, including stints at Microsoft, Twitter and Adobe, Inman-Grant has a wide-ranging view of the online space and the harms within it. IAPP Editorial Director Jedidiah Bracy recently caught up with Commissioner Inman-Grant to discuss her work in online safety, what's currently underway regarding age-gating requirements for social media and the effects AI will have for online safety and harms.

Though it came close in recent years, federal privacy legislation is not likely top of mind as a new administration takes the reigns in Washington, DC. The same likely goes for federal AI governance and safety legislation with a divided Congress and executive branch that promotes a deregulatory posture. That means state-level privacy and AI bills will proliferate in 2025. Connecticut was the 5th U.S. state to a pass comprehensive privacy law, and Connecticut State Senator James Maroney played a large role in crafting his state's bill. Maroney is now working on AI legislation and takes part in the Future of Privacy Forum's Multistate AI Policymaker Working Group, which comprises more than 200 bipartisan state lawmakers and other government officials, with the aim to "foster a shared understanding of emerging technologies and related policy issues." IAPP Editorial Director Jedidiah Bracy recently caught up with Maroney to discuss his work on privacy, his experience working with other policymakers in the multistate working group, and what to expect from AI legislation in Connecticut this coming year.

It's hard to believe we've reached the final weeks of 2024, a year filled with policy and legal developments across the map. From the continued emergence of AI governance, to location privacy enforcement, children's online safety to novel forms of privacy litigation, no doubt this was a year that kept privacy and AI governance pros very busy. One such professional in the space is Goodwin Partner Omer Tene. He's been immersed in many of these thorny issues, and as always, has thoughts about what's transpired in 2024 and what that means for the year ahead. I caught up with Tene to discuss the year in digital policy. Here's what he had to say.