Episoder
-
We are closing this season with a Spring Newsroom before we officially kick off the summer, summarizing everything that’s happened in the past quarter across our usual five sections: ePrivacy (enforcement, regulatory updates), MarTech/ AdTech, AI/ Competition/ Digital Markets, PETs/ Zero-Party Data, Future of media.
This includes:
EDPB’s ChatGPT Task Force report EU Digital Wallets Privacy Sandbox news EU Commission vs. Apple’s App Store LLM updates (Llama3, GPT 4o, Gemini, Apple Intelligence) Meta AI *not* training on EU user data Mozilla’s acquisition of Anonym Oracle’s exit from AdTech Revolut ads Microsoft Copilot+ Recall retreat The Trade Desk’s curated list of publishers FCC fines to telecom operators for the sale of location data Consent or Pay news TikTok ban.A full transcript with links and additional resources can be found on the PrivacyCloud blog.
-
John Cavanaugh is a founding member of the Plunk Foundation, a non-profit dedicated to empowering individuals and communities so they have autonomy over their digital identities and protect their sensitive information. John is helping promote digital data privacy for women, children, veterans, and marginalized communities.
Our mission today: exploring a grassroots approach to privacy or data protection.
References:
Plunk Foundation John Cavanaugh on LinkedIn Doctor Ruha Benjamin, Race after Technology Village of Evendale (Cincinnati) -
Manglende episoder?
-
Adrian Doerk is co-founder of Lissi GmbH and co-coordinator of the IDunion research project. He has extensive experience in the rollout of digital wallets, specializing in the European digital identity wallet (EUDI-Wallet) under the eIDAS 2.0 Regulation.
Adrian has helped us answer a few important questions on this topic:
How much of our lives will soon be intermediated through digital wallets or digital identities? What is “selective disclosure”? What are the privacy risks? What are the challenges of decentralization?References:
Adrian Doerk on LinkedIn eIDAS 2.0 Regulation Lissi IDunion research project -
Does the inclusion of both a private right of action and a general preemption of overlapping state laws (not limited to privacy, but also including AI or confidential information) condemn the APRA to the fire?
Brian Focht is a cybersecurity and data privacy attorney practicing in Charlotte, North Carolina. His legal practice is focused on helping clients ranging from individuals to international corporations, and involves nearly every aspect of law that touches on cybersecurity and data privacy, including identity theft, internal corporate policies and procedures, data breach response and recovery, and litigation. He is a 2003 Graduate of the University of North Carolina at Chapel Hill, a 2007 Graduate of the Wake Forest University School of Law, and a Certified Information Privacy Professional (U.S.) and AI Governance Professional.
In addition to his legal practice, he is the founder and co-host of the Fearless Paranoia podcast, which attempts to make the world of cybersecurity more accessible and understandable to those not in the IT industry. On top of that, Brian maintains the Resilience Cybersecurity and Data Privacy blog, offering tips and suggestions for keeping yourself safe in the increasingly hazardous digital world.
References:
Law Offices of Brian C. Focht Brian Focht on LinkedIn Updated text of the American Privacy Rights Act (May 2024) Biometric Information Privacy Act (Illinois) My Health My Data: Addressing the collection, sharing, and selling of consumer health data (Washington) EU-US Data Privacy Framework EFF: Sunsetting Section 230 Will Hurt Internet Users, Not Big Tech Colorado’s new AI Act (Hogan Lovells) Vermont Legislature passes data privacy bill that could shape national efforts (Vermont Public) Fearless Paranoia (Podcast)
-
Can Google overcome competition and performance concerns to make the Privacy Sandbox a reality? Does it really matter in terms of privacy compliance, in the face of the EU ePrivacy Directive? How would Universal Opt-Outs affect the Topics API in the US?
Alan Chapell is outside privacy and AI counsel for dozens of AdTech and Mart¿Tech companies. He started his career in the digital space in 1997 at Jupiter Research and is now the principal analyst at The Chapell Report, which is a monthly report focusing on the intersection between privacy, competition, addressability and AI in the digital media space.
Mr. Chapell is board chair of the Network Advertising Initiative, the premier trade association for 3rd party AdTech marketplace. He is also an accomplished musician. His band, “Chapell”, is about to release their 7th album, “The Underground Music Show”, on all major streaming services.
References:
Chapell & Associates and The Chapell Report UK Competition and Markets Authority update report (April 2024) on Google Chrome’s implementation of the Privacy Sandbox Privacy Sandbox (documentation) CNIL’s report on the Privacy Sandbox (July 2023) Global Privacy Control (Universal Opt-Out Mechanism)
Peter Craddock: Could core advertising components fall under the “strictly necessary” exception in the ePrivacy Directive? (Masters of Privacy) Network Advertising Initiative Chapell on Spotify -
“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024).
Stephen Almond is Executive Director for Regulatory Risk at the UK’s Information Commissioner’s Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum.
Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators’ Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation.
References:
Technology and Innovation Directorate at the ICO ICO: Guidance on AI and data protection ICO: Draft Guidance on Privacy Enhancing Technologies (PETs) Dragos Tudorache: dealing with foundation models, data protection and copyright in the AI Act (Masters of Privacy) -
Amy Worley is Managing Director at BRG, a global leader in data protection, information security, and AI governance. A licensed attorney, certified privacy professional, and certified information systems security professional, Amy formerly served as the Chief Privacy Officer for a billion-dollar pharmaceutical and medical device company and now serves as a fractional Data Protection Officer for several multinational companies.
Amy’s consulting practice is focused on helping clients implement sustainable programs that result in meaningful compliance with state, national, and regional laws and build corporate trust. She is passionate about the intersection of data, people, and power.
References:
Amy Worley on LinkedIn BRG: Privacy and Data Protection services Draft: American Privacy Rights Act 2024 Dragos Tudorache: Dealing with foundation models, data protection, and copyright in the EU AI Act (Masters of Privacy) EDPB Guidelines 8/2020 on the targeting of social media users -
Luke Mulks is VP of Business Operations at Brave Software, makers of the Brave browser. He has previously worked in AdTech and print publishing, and he has also founded a few businesses. He is in charge of new business initiatives and strategic revenue growth and oversees the BAT community.
Our wide-range conversation has encompassed new business models for media owners, privacy-preserving ads, putting a price on personal data, the manner in which Apple’s bottleneck asphyxiates bolder or more creative approaches to monetizing people’s attention, and Google’s Privacy Sandbox.
References:
Basic Attention Token Brave Ads Manager Brave: Blocking annoying and privacy-harming cookie consent banners Brave: Privacy And Competition Concerns with Google’s Privacy Sandbox How we tried to fix advertising, ecommerce, and media by putting people in control of their data — from WeRule to PrivacyCloud -
What is Homomorphic Encryption? Can it be leveraged in the context of cross-vertical challenges?
Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security startup protecting Data in Use. She has more than a decade of experience spearheading avant-garde efforts in the areas of large scale analytics, information security and privacy, computer network exploitation, and network modeling at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory. In addition to her leadership experience, she is accomplished in the fields of distributed computing and algorithms, cryptographic applications, graph theory, combinatorics, machine learning, and data mining and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).
References:
Dr. Ellison Anne Williams (full profile), Enveil Enveil Drives Data Value Across Silos with Enhanced Encrypted Search Offering ICO Guidance on Privacy Enhancing Technologies Matthias Eigenmann: Confidential Computing, contractual relationships, and legal bases for Data Clean Rooms (Masters of Privacy) Damien Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy) -
Is there a sweet spot between privacy compliance and marketing outcomes? What is “progressive consent”?
Radha Gohil is a Data Governance and Privacy leader at Shell. She works on AdTech and MarTech data flows, as well as digital and programmatic supply chains, applying privacy compliance requirements to marketing-related practices. This includes consent management and, in general, acting as a bridge between Marketing, IT, CDO and legal. On top of that, Radha chairs the Digital Governance Steering Group at the ISBA (Incorporated Society of British Advertisers). She has previously worked at PwC and The Telegraph.
With Radha we have covered the manner in which marketing teams navigate privacy compliance or even leverage a privacy-first approach as a competitive advantage. This includes dealing with transparency requirements or the difficult trade-offs involved in gathering proper consent when required to do so.
References:
Radha Gohil on LinkedIn Incorporated Society of British Advertisers ICO: Upcoming action on making advertising cookies compliant -
Will Data Clean Rooms help us avoid consent, or personal data altogether, and make the most of first-party data for data collaboration and addressability purposes?
Matthias Eigenmann is a Swiss lawyer with over 10 years of practical experience in technology and data protection law. He currently works as legal counsel and DPO at Decentriq (a Data Clean Room), and is also an advisor on data protection matters to a large hospital in Switzerland. Prior to this, he spent several years working in tech and data protection law at a law firm, as well as as an in-house counsel for IT contracts and data protection at PwC Switzerland.
References:
Matthias Eigenmann, Enhanced Privacy for Data Analytics Matthias Eigenmann on LinkedIn Decentriq, a Data Clean Room Damian Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy) Nicola Newitt: The legal case for Data Clean Rooms (Masters of Privacy) -
Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment.
Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast.
With Rie we will explore her own tips and tricks to stay sharp and up to date, avoiding a myriad of shallow or confusing sources and digging for the best possible answers at all times - all of it while avoiding clickbait, radical opinions and the avalanche of so-called privacy experts clogging LinkedIn feeds.
References:
How to stay up to date as a DPO The Grumpy GDPR Podcast (NoTies Consulting) DPO Hub Rie Aleksandra Walle on LinkedIn -
Dragos Tudorache is a Member of the European Parliament and Vice-President of the Renew Europe Group. He is the LIBE rapporteur on the AI Act, and he sits on the Committee on Foreign Affairs (AFET), the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), the Subcommittee on Security and Defence (SEDE), and the European Parliament's Delegation for relations with the United States (D-US). He was the Chair of the Special Committee on Artificial Intelligence in the Digital Age (AIDA).
Dragos began his career in 1997 as a judge in Romania. Between 2000 and 2005, he built and led the legal departments at the Organization for Security and Co-operation in Europe (OSCE) and the UN missions in Kosovo. After working on justice and anticorruption at the European Commission Representation in Romania, supporting the country’s EU accession, he joined the Commission as an official and, subsequently, qualified for leadership roles in EU institutions, managing a number of units and strategic projects such as the Schengen Information System, Visa Information System, and the establishment of eu-LISA1.
During the European migration crisis, Dragos was entrusted with leading the coordination and strategy Unit in DG-Home, the European Commission Directorate-General for Migration and Home Affairs, until he joined the Romanian Government led by Dacian Cioloș. Between 2015 and 2017, he served as Head of the Prime Minister’s Chancellery, Minister of Communications and for the Digital Society, and Minister of Interior. He was elected to the European Parliament in 2019. His current interests in the European Parliament include security and defense, artificial intelligence and new technologies, transatlantic issues, the Republic of Moldova, and internal affairs.
We have addressed the following questions around the new EU AI Act:
Back story behind the final compromise on foundation models, and the chosen thresholds for a higher regulatory burden Interplay between AI models and AI systems The “open source” differentiator How and why the AI Act overlaps with the GDPR, copyright law or product liability laws Impact of the Data Act on the development of AIReferences:
The EU AI Act (EU Commission’s proposal) Dragos Tudorache (EU Parliament’s official website)
-
Dr. Augustine Fou has nearly three decades of experience in digital marketing, including client-side experience at American Express and agency-side experience at IPG and Omnicom, where he served as Group Chief Digital Officer of eight agencies serving pharma and medical device clients. Dr. Fou also taught digital strategy at Rutgers University's executive education program and NYU's School of Continuing and Professional Studies.
With Dr. Fou we will aim to answer the following questions:
Does programmatic advertising have to be necessarily bad for privacy? Can we once and for all dismantle the fairy tale of marketing attribution? How about advertising fraud controls? Is it possible that killing third party cookies is not only better for privacy but also better for business outcomes?References:
Dr Augustine Fou’s recent articles Dr. Augustine Fou: How to optimize towards humans and not just away from fraud (LinkedIn) Fou Analytics Sergio Maldonado: “Analytics CEO makes a passionate case against marketing attribution” (Chief Marketing Technologist, Scott Brinker) -
Stefan Filipović is a privacy lawyer that began his career at the outset of GDPR enforcement in 2018. Throughout the years, he has built his expertise by working at a law firm focusing on IP and privacy, at a university as a researcher investigating legal challenges in regulating AI-based technology, and as a privacy officer and a counsel for a few Norwegian companies. Today he is a DPO at reMarkable.
For several years, he also volunteered at ICANN, and for a period of time, at NIST’s privacy workforce.
Beyond his focus on privacy compliance, he maintains a strong passion for information security, computer science, and risk management, as well as corporate governance and finance.
References:
Stefan Filipović on LinkedIn Black Box Thinking (Matthew Syed) Privacy is hard and seven other myths (Jaap-Henk Hoepman) -
Nina Müller and Sergio Maldonado discuss a few recent events across the EU, the UK, and the US: Yahoo/Uber ePrivacy fines, Google Chrome (Incognito Mode) settlement, US Congress Social Media hearing, upcoming UOOM/ Global Privacy Control enforcement across various states, and Spain’s AEPD Guidelines to circumvent cookie consent requirements for high-level Digital Analytics.
Please find relevant links and additional updates across all of our usual core sections (ePrivacy and regulatory updates; MarTech and AdTech; AI, competition, and digital markets; PETs and Zero-Party Data; future of media) on the PrivacyCloud website.
-
Could we re-interpret article 5.3 of the ePrivacy Directive so that the “strictly necessary” (to provide a service) consent exemption gives shelter to the core technical building blocks of advertising solutions making journalism possible? Can we not deal with personal data (should it be involved at all) or behavioral targeting (should it be the case) separately under the GDPR?
Peter Craddock helps us answer that question.
Our guest is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. Peter is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area.
References:
Peter Craddock on LinkedIn Maybe no consent needed for advertising under ePrivacy "cookie" rule? (Peter Craddock) EDPB seeks to redefine ePrivacy – Part II: Overbroad notions and regulator activism? IAB Europe Responds to the EDPB Public Consultation on their Draft Guidelines 2/2023 EDPB ePrivacy Guidelines: Comments Highlighting Risks to Businesses with Digital Activities (Keller and Heckman) Romain Robert: Pay or OK in AdTech - How it started and where it’s going (Masters of Privacy) Renzo Marchini: Unintended consequences of the EDPB Guidelines on storage and access under article 5.3 of the ePrivacy Directive (Masters of Privacy) Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls (Masters of Privacy) Robert Bateman: Consent or Pay (Masters of Privacy) Peter Hense: How first party data will kill CMPs (Masters of Privacy) -
Can we take Data Clean Rooms to the next level in terms of baked-in privacy?
Damien Desfontaines is a Scientist at Tumult Labs, a startup that helps organizations safely share or publish insights from sensitive data, using differential privacy. Before that, he led the anonymization consulting team at Google, and got his PhD in computer science at ETH Zürich. He maintains a blog that teaches you all about differential privacy.
References:
Damien Desfontaines on LinkedIn Nicola Newitt: the legal case for Data Clean Rooms (Masters of Privacy) Damien Desfontaines’ blog on Differential Privacy Tumult Labs: Resources and publications on Differential Privacy -
Tejas Manohar is the co-founder and co-CEO of Hightouch. Prior to founding Hightouch, Tejas was an early engineer at Segment, a leading Customer Data Platform (CDP) acquired by Twilio.
The following topics have been covered in this interview:
Current limitations of Customer Data Platforms (CDP) as a core building block of the marketing data stack The value of composable CDPs and Reverse ETL Privacy compliance challenges of CDPs and customer data integration as a whole Potential overlaps with Data Clean RoomsReferences:
Tejas Manohar on LinkedIn Traditional CDP vs. Composable CDP: What is the difference? Revenge of the silos: How privacy compliance is cutting the customer journey short (Sergio Maldonado) -
Molly Martinson is a lawyer at Wyrick Robbins, a Raleigh-based law firm with outstanding privacy compliance credentials. She advises clients on a whole range of applicable privacy frameworks (CCPA, CPRA, FCRA, CAN-SPAM, COPPA, HIPAA), data breaches, laws regulating data brokers, and laws governing website and mobile application privacy policies. She also regularly advises international and U.S.- based clients on the applicability and requirements of the EU General Data Protection Regulation (GDPR).
Molly received her B.A., cum laude from Wake Forest University and her J.D. with honors from UNC Schoolors Writing Scholar. She also received the Gressman-Pollitt Award for Excellence in Oral Advocacy. Molly served as a law clerk to the Honorable Robert N. Hunter, Jr. on the Supreme Court of North Carolina and the North Carolina Court of Appeals before entering private practice.
References:
Molly Martinson on LinkedIn California Consumer Privacy Act Virginia Consumer Data Protection Act Colorado Privacy Act Utah Consumer Privacy Act Summary of the Texas Data Privacy and Security Act (National Law Review) Connecticut Data Privacy Act Florida Privacy Protection Act Montana Consumer Privacy Law Oregon Consumer Privacy Act Global Privacy Control Wyrick Robbins - Vis mere
