PrivacyPod

We are back from summer break with a bunch of positive energy (that lasted through about the first two cases). This episode was recorded by Hannes, Jyri, and Pilvi on the historical day of data transfer anticlimax, despite all the LinkedIn posts preparing to sell you more legal advice. So, in this episode, we cover: The Latombe I that was not meant to be (insert violins and a slow dramatic tear). The court said nothing to see here, move on. Nevertheless, we have opinions. Austria’s Data Protection Authority took five and a half years to order YouTube to give people access to their personal data. Like good art, this stirred up some strong feelings in our hosts. Google was not ordered to sell off Chrome and/or Android, but they were ordered to make the playing field a bit more open. TikTok faces new investigations into their data transfers to China. Listen as our hosts jump into this rabbit hole and end up wondering: who is the true James Bond villain… and could it be… the EU? Are we the baddies? Is the EU becoming authoritarian if it passes a law that will allow it to scan all private and even encrypted messages? More countries are objecting to this. What is at stake here — our European way of life?   Prepare for a rollercoaster of emotions, grab some popcorn, and hopefully, enjoy!   Latombe: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf NOYB vs. YouTube https://www.euractiv.com/section/tech/news/austrias-privacy-watchdog-tells-youtube-to-give-users-access-to-their-data/ https://noyb.eu/en/noyb-win-youtube-ordered-honour-users-right-access Google and antitrust: https://www.bbc.co.uk/news/live/cg50dlj9gm4t China, James Bond, and TikTok: https://cybernews.com/security/tiktok-irish-investigation-eu-data-reached-china/?utm_source=chatgpt.com  EU…the baddie? About screening your messages: https://www.techradar.com/computing/cyber-security/chat-control-the-list-of-countries-opposing-the-law-grows-but-support-remains-strong?utm_source=chatgpt.com   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

10 Sep 58min

This PrivacyPod special episode was recorded on the very day the Latombe decision (T-553/23) was made, capturing the immediacy and raw analysis of a pivotal moment in EU–US data privacy law. Host Joost Gerritsen, together Prof. Dr. Gloria González Fuster (VUB, LSTS Director) and Pablo Trigo Kramcsák (PhD researcher, LSTS) delves into the EU General Court’s ruling and its implications for the EU–US Data Privacy Framework. With the judgment only hours old, the discussion is lively and unfiltered, blending critical legal insight with candid questions from the privacy community. Gloria and Pablo examine the court’s highly formalistic approach, questioning whether the decision provides real legal certainty or simply upholds the status quo on paper. They discuss the ruling’s weaknesses, including unresolved issues of admissibility and standing, and debate whether the judgment genuinely protects fundamental rights or merely recirculates official arguments without genuine scrutiny. The conversation also covers hot topics like Article 22 GDPR, the functioning of US oversight mechanisms, and the political climate that influences data transfers between Europe and the US. Throughout the episode, the panel answers audience queries, reflecting the pulse of the privacy profession as it digests the breaking news. These real-time reactions make this episode a unique snapshot of expert opinion as legal history is being written, offering essential listening for privacy professionals, legal scholars, and anyone following the saga of cross-border data flows.     If you would like to learn how this case relates to previous rulings and documents from supervisory authorities, please visit Digibeetle: https://digibeetle.eu/latombe  Press release on the Latombe case: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

8 Sep 1h

In this episode, Jyri and Pilvi have been fished out from the pool and summer vacays to discuss privacy–and they desperately try to be optimistic, it’s summer, after all. Whippii. In this episode, we wallow in the following cases: TikTok Class Action in Germany (2000€ for the innocence of a child? How does that work? ) What is happening in the USA… (DOGE access to personal data, Palantir, migrant children’s data collected in data banks…Privacy and Liberties Oversight Board (PCLOB) in crisis?) …and should folks in the EU be taking steps to prepare for the fall of DPF and should the EU start to become  independent from the US tech giants? Denmark is leading the way? Spotify SEK 58 million fines remains, no luck with appeals. Japan gets a new AI law – with no penalties – innovation first. Meta replaces people with AI to oversee privacy A Dentist in France gets 50 000€ in damages from Google as they failed to remove negative reviews and their classic argument based on freedom of expression fails.   So crack open a cold one, forgive us for our damaged personalities, and hit play.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   LINKS: USA (below or open any news site): https://www.cnn.com/2025/06/06/politics/supreme-court-restores-doges-access-to-sensitive-social-security-data https://www.wired.com/story/cbp-dna-migrant-children-fbi-codis/ https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html   Denmark says no more: https://www.thelocal.dk/20250603/danish-cities-drop-microsoft-over-trump-policies-and-financial-concerns   Spotify fines: https://www.imy.se/tillsyner/spotify-ratten-till-tillgang/   Japan and new AI law: https://www.japantimes.co.jp/news/2025/05/28/japan/japan-ai-law/   META and AI: https://www.npr.org/2025/05/31/nx-s1-5407870/meta-ai-facebook-instagram-risks   Dentist got dough out of Google: https://gdprhub.eu/index.php?title=CA_-_RG_n%C2%B0_22/01814&mtc=today

18 Jun 1h 1min

In this Joost’s Case Corner episode Joost, Pilvi and Jyri discuss running and privacy. In fact, the cases on our chopping block today highlights that no matter how complex privacy is, it always comes back to the basic simple questions—that are anything but simple.   The chopping block serves you today the following cases: Meta v EDPB [T-319/24, 29 April 2025] → Meta challenged the EDPB’s opinion about consent or pay and asked some dough for it as well–did they really think they would get some cash out of it? And how legally binding are these opinions? CJEU Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] → Corruption and anti-corruption: Can national courts intervene in how supervisory authorities work? CJEU Amt der Tiroler Landesregierung [C-638/23] → can *something* be a controller without it being a legal entity? This case’s decision is a pot of gold for all litigators. CJEU Russmedia Digital and Inform Media Press [C-492/23] → case about an ad that advertised someone selling sexual services without the knowledge of the said someone who absolutely did not sell sexual services. Who is the controller here?  So push play and enjoy! Also a massive shout out to Sean Quinn who supported our podcast by buying us coffee.. You made our day, week, and year! Be like Sean, click the link below.   Links: Meta v EDPB [T-319/24, 29 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62024TO0319 Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62023CJ0313 Amt der Tiroler Landesregierung [C-638/23] https://curia.europa.eu/juris/document/document.jsf;jsessionid=5A19CB5FFBBA10630CAA5E780ED68940?text=&docid=297537&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=54213 CJEU Russmedia Digital and Inform Media Press [C-492/23] https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-02/cp250014en.pdf   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

19 Mai 1h 5min

In this Joost’s Case Corner episode Joost, Jyri, and Pilvi discuss why Netherlands you should go to Netherlands as well as some of the latest CJEU cases. On our chopping block today, are: CJEU Deldits [C-247/23] aka. Hungary v. GDPR and LGBTQ+ rights: GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery. Spoiler alerts: we are still proud to be Europeans as the GDPR stood for the side of the good. CJEU Dun & Bradstreet Austria [C-203/22] Automated credit assessment: the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. What about where and how to draw the line for the trade secrets?   These, and an excellent conversation about why carrots are orange (spoiler alert: it has all to do with Netherlands) awaits you!    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com Joost’s Case Corner–why the carrots are orange

30 Apr 44min

In this episode Jyri and Pilvi try to overcome their urge to discuss anything else but privacy and just be negative and tired of how the world is going, and after a while they actually somewhat succeed in that–or perhaps succeed is a bit of a strong word.  In any case, we discuss the current world politics situation and how it might affect the DPF and data transfers to China, not to mention that Latombe I had its day in court. The political situation might also affect the coming GDPR revamp, but in which way? We also discuss the following cases: Meta’s and X’s decisions to teach their AIs with public posts by its users and what the Hamburg, Irish, and Norwegian DPAs have to say about it; A case from ireland: Is the employer a controller for the employee’s personal life data in their work phone? Amazon losing the appeal for MEUR 746 GDPR fines; Spanish DPA giving out EUR 500K fine for the processor that added sub-processors without a proper authorization by the controller. This, and much more that you never wanted to hear on this episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   LINKS: Meta & X’s AI decisions: https://datenschutz-hamburg.de/news/meta-starts-ai-training-with-personal-data   https://techcrunch.com/2025/04/14/meta-to-start-training-its-ai-models-on-public-content-in-the-eu/ https://www.reuters.com/technology/irish-regulator-investigates-x-over-use-eu-personal-data-train-grok-ai-2025-04-11/?utm_source=chatgpt.com   Hypothetical damages: https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=Aktuell&Sort=12288&nr=140810&anz=1159&pos=12 https://gdprhub.eu/index.php?title=BGH_VI_ZR_109/23&mtc=today Work phone: https://gdprhub.eu/index.php?title=High_Court_-_McShane_v_Data_Protection_Commission_(2025)_IEHC_191&mtc=today   Amazon fines: https://www.reuters.com/technology/amazon-loses-court-fight-against-record-812-mln-luxembourg-privacy-fine-2025-03-19/?utm_source=chatgpt.com   Spanish fines: https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202307719&mtc=today

24 Apr 1h 23min

Once again, Pilvi and Jyri are joined by the legendary Joost, in another episode of Joost Case Corner and the magic of European Court of Justice (and Court of First Instance) case law!   In this episode, Pilvi and Jyri (with some connection issues but not to worry Phil and all Jyri fans–he’s there!) discuss the following cases with Joost Gerritsen: Case T-354/22: Judgment of the General Court in Bindl v. Institutions, commission (Can an unlawful data transfer to the USA be annulled? Also, 400€ damages for an unlawful transfer of IP Address via Facebook by the EU. A case that highlights the importance of DPF and the difficulties to function if it should fall.) Case C-394/23: Mousse Jan 9 2025 Association Mousse v Commission nationale de l'informatique et des libertés (CNIL) and SNCF Connect. (A data subject was forced to pick a salutation (monsieur/madame) when buying a train ticket because the train company wanted to send marketing, this case made us happy to live in Europe in these st/o+range times.) Case C‑416/23, Österreiche Datenschutzbehörde (Can a Data Protection Authority tell a data subject to stop filing complaints and stick to no more than 2 complaints per month?) We also take a look at what court cases are cooking in the Court of Justice of the European Union and ready for us to enjoy soon!‘   This episode will be a great treat while prepping for the end of the world, so do listen in!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com       Links: Case T-354/22: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf Case C-394/23: https://eur-lex.europa.eu/legal-content/fi/TXT/?uri=CELEX:62023CJ0394 Case C‑416/23: https://www.euractiv.com/section/tech/news/eu-court-rules-gdpr-complaints-cant-be-rejected-based-on-frequency/

10 Feb 45min

It’s 2025 and the world is a little crazier… and more orange. So the tea is hot in the global privacy scene indeed, and Jyri and Pilvi are totally here for it.  Not to worry, we don’t want to cause extra heartbeats this early in the year by speculating if the DPF will stand through this new orange era of madn…interesting times, but it is absolutely the right time to take a look at China.  We start with discussing the drama regarding TikTok and where we are with that and continue with the news that shook the markets and tech world: DeepSeek. Both cases are closely related to privacy concerns and international politics: what does this all look like from the EU’s perspective? The Italian Data Protection Authority is already on the case DeepSeek: what could possibly be their concerns? And how is NOYB after controllers connected to China? We also discusst the power struggle between the Irish authority DPC and European Data Protection Board (EDPB) regarding a NOYB case where the EU Court had to intervene, the new EDPB position paper on the crossroads of competition law and privacy as well as the guideline on pseudonymisation. Oh, and we also go through some latest fines from France.  All this and much more from this disturbingly optimistic episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

2 Feb 49min