PrivacyPod

In this episode, Milla and Pilvi take a look at the brand new Data Privacy Framework. The discussions include but you bet are not limited to topics such as the sadly-not-so-funky-name of the framework (why not Privacy Trampoline?) and the identity crisis that surely all privacy professionals shall now have to face: who are we without the discussions and work on US transfers? What should one do with all the time saved? How long will this last and should we already start buying toilet paper and canned food and prepare for the downfall of the worl…DPF? We also take a look at the recent Google Analytics cases, discuss if all the issues with Google Analytics disappeared with the DPF and we also sniff the hot and humid air of Doha not forgetting the legendary summer sheepe of Milla.    Links: Adequacy decision: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en   Press release: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721   Data Privacy Framework (DPF) website (check out e.g. faq section Frequently Asked Questions):  https://www.dataprivacyframework.gov/s/   EDPB Information note on EU-US data transfers: https://edpb.europa.eu/our-work-tools/our-documents/other/information-note-data-transfers-under-gdpr-united-states-after_en   NOYB Press Release July 10: https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu   IMY (Swedish DPA) press release on the 4 Google Analytics cases: https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/   Norwegian DPA on Google Analytics: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/vedtak-i-google-analytics-saken/   https://www.datatilsynet.no/personvern-pa-ulike-omrader/internett-og-apper/rad-for-analyse-og-sporing-pa-nettsted/   Danish DPA on Google Analytics: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2023/jul/brug-af-google-analytics-kraever-ikke-kun-lovlige-overfoersler-til-usa   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

10 Aug 202351min

In this episode of PrivacyPod, Joost and Panu talk to professor Herke Kranenborg who holds a chair in European Data Protection and Privacy Law at Maastricht University. In addition, professor Kranenborg is a member of the European Commission's Legal Service, which serves as an in-house legal counsel to the commission as well as represents the Commission in the Court of European Union in Luxembourg. Professor Kranenborg has a interesting position in the commission as he has taken part in many of the privacy related cases in the European Court of Justice as a commission representative.  You can hear Joost being a bit starstruck with his hero in this episode, but in the end he handles it well. Professor Kranenborg gives us an unique look into what it is like to prepare and argue in the one of the most important privacy cases in this decade from the commission perspective. We also discuss other landmark cases, so get your pencils ready! Or actually, you dont, since all the cases are listed here below. And what is the most important case this year according to professor Kranenborg? Listen in, and you will find out.   Delivered judgments Judgment of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596 Judgment of 8 November 2007, Bavarian Lager v Commission, T-194/04, EU:T:2007:334 Judgment of 29 June 2010, Commission v Bavarian Lager, C-28/08 P, EU:C:2010:378 Judgment of 9 March 2010, Commission v Germany, C-518/07, EU:C:2010:125 Judgment of 16 October 2012, Commission v Austria, C-614/10, EU:C:2012:631 Judgment of 8 April 2014, Commission v Hungary, C-288/12, EU:C:2014:237 Judgment of 16 July 2020, Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559 Judgment of 6 October 2020, Privacy International, C-623/17, EU:C:2020:790 Judgment of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791 Judgment of 15 June 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483 - Advocate General Bobek's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2021:5 Judgment of 24 March 2022, Autoriteit Persoonsgegevens, C-245/20, EU:C:2022:216 - Advocate General Bobek's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2021:822 Judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258 Judgment of 20 September 2022, VD and SR, C-339/20 and C-397/20, EU:C:2022:703 Judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369   Pending cases CJEU DPC v EDPB I (Facebook) (T-70/23) CJEU DPC v EDPB II (Instagram) (T-84/23) CJEU DPC v EDPB III (Whatsapp) (T-111/23) CJEU Meta v EDPB I (T-682/22)  CJEU Meta v EDPB II (Instagram) (T-128/23) CJEU Meta v EDPB III (Facebook) (T-129/23) CJEU WhatsApp Ireland v EDPB (C-97/23 P)   CJEU Meta v Bundeskartellamt (C-252/21) CJEU Endemol Shine Finland (C-740/22) CJEU Österreichische Datenschutzbehörde (C-33/22) CJEU LQDN and Others (Personal data and the fight against counterfeiting (C-470/21) - Advocate General Szpunar's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2022:838   Full list of pending cases available at https://digibeetle.eu Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

20 Juni 20231h 27min

In this episode, Milla, Pilvi, and Panu take a look at the Meta case on the US transfers that ended up costing Meta 1.2 billion euros. We explore the depths of the case, such as how Meta justified their transfers, what supplementary measures were used that were not deemed sufficient, and debate a bit on the politics intertwined with the case. But hold on! We have more! We also take a look at the finger-licking KFC case, where the AEPD ordered a fine of 5000 euros for violating Article 13 by using undefined expressions such as "we can use…" in the privacy policy. The AEPD also ordered a fine of 20 000 euros for not appointing a Data Protection Officer. We also discuss Panu’s career plans as he is open for hire (wink wink!)! Links:  Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR): https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-12023-dispute-submitted_en Meta’s Response to the Decision on Facebook’s EU-US Data Transfers by Nick Clegg, President, Global Affairs & Jennifer Newstead, Chief Legal Officer : https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/ KFC case, AEPD (Spain) - PS/00140/2022: https://www.aepd.es/es/documento/ps-00140-2022.pdf (spanish)   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

7 Juni 202358min

In this week’s episode Floora, Milla and our guest host Joost discuss how to look at AI through the lenses of privacy and data protection. With so much hype around the topic, we go through the most important developments in the past weeks. On one hand, proponents of AI regulation argue that without proper oversight, AI could cause harm to privacy, whether intentionally or unintentionally. For example, if AI systems are used to make important decisions that affect people's lives, such as hiring decisions or medical diagnoses, there is a risk of bias or errors that could lead to unfair outcomes. On the other hand, opponents of AI regulation argue that too much regulation could stifle innovation and hinder progress in the field. They argue that AI is still in its early stages of development and that it is not yet clear what the long-term impacts of AI will be. The main reason for all the discussion is that service providers have been very opaque about the collection and usage of personal data in the AI models. Do they even use personal data? Are they processing it actively? And thats where the Italians come along, as the Italian DPA already has taken a stance against Chat GPT and a "virtual friend" chatbot named Replica. What were the main issues according to the Italian DPA with ChatGPT? Why should you re-read the Google Spain decision to understand how ChatGPT might comply (or not comply) with the GDPR? We also shortly touch on the upcoming AI Act.   Links:  Google Spain (Case C‑131/12) https://curia.europa.eu/juris/document/document.jsf?docid=152065&doclang=en  Italian DPA Garante on ChatGPT: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9870847#english  Norwegian DPA Datatilsynet: Artificial intelligence and privacy https://www.datatilsynet.no/globalassets/global/english/ai-and-privacy.pdf    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

28 Apr 20231h 17min

In this episode of PrivacyPod with Anja Wyrobek, a Legal Policy Advisor and European Parliament, we will dive into lengthy development of ePrivacy Regulation, its impact on cookies (one may not forget cookies), encryption and impact of combat against child sexual abuse material thereto. Eprivacy, the troublesome uncle of GDPR who just doesnt seem to get its act together, is on the talks, again. Eprivacy was expected to be adopted shortly after the GDPR, but the lingering conflicts has dragged the regulation in jeopardy, in an sort of  EU legal limbo, a void of Nothing. Five years later, no regulation is still the news. Some say the future of the internet depends on it, others think the changes arent that big in the end. Many presidencies have tried to forcefully either bury it or unlock it, to no avail. Will the hard working regulators in Brussels get to finally push this Sisyphean rock on the top of the privacy hill?  The key questions relate to the way communications are regulated, trying to bring OTT players, such as electronic communication services providers WhatsApp, Facebook messenger and Skype (yes, the proposal is THAT old) into the realm of regulation. The other goal is to stenghten regulation to protect consumers, but this has greatly fluctuated between revised proposals of the regulation. Cookies are also a central question and thats also what is the issue here. As Anja reminds, its not the cookie banners that are striclty required by the current eprivacy directive, instead its the market players who have selected to solve the underlying issue with a terrible solution. It is not clear whether or not the new proposal clarifies the cookie situation, but people do have their hopes up. Dial in to listen how Anja, Milla Keller and Hannes Saarinen dissect the legislative proposals impacting the future of our communications. Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

11 Apr 202358min

This week we discuss everything around U.S. privacy with a special guest, Odia Kagan! Odia is a Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild, a US-based law firm with 29 offices across the United States. What was that last week’s discussion on banning TikTok all about? What is happening with U.S. privacy legislation right now, and how is FTC enforcing privacy requirements? If you gave up on following U.S. privacy updates after the California Consumer Privacy Act, this episode is for you.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

31 Mars 202355min

Have you ever felt bad about clicking ”decline all” on a cookie consent? Has that button been difficult to find? And if you finally find it, has the website spawned a pop up message trying to tell you how they will go bankrupt and the world will end if you do not accept all? If you answered yes to any of the previous questions, congratulations -- you have been subjected to dark patterns.  In this episode, we venture into the dark side and discuss this issue with Marie Potel-Saville, a very well known figure in the world of legal innovation and the founder and CEO of Amurabi, a legal innovation agency. Before founding Amurabi, Marie has worked at Allen & Overy, Chanel and as a VP for legal at Estee Lauder EMEA.  Almost the whole internet is full of dark patterns trying to nudge you into doing things you actually do not want to do by utilizing your humanity and the fact that you do not use your full brain capacity in every second you browse the wonderful world of the World Wide Web.  But why is this a problem? What harm does this actually cause to individuals, companies, societies and well, democracy? And what about the children (1/3 of the web users are under age)? Is there a better way? What does the GDPR say about dark patterns -- is it really compliant to use dark patterns? What is the solution?  Did we find the light at the end of the tunnel at all? Listen in to find out! Links: The Helmet decision by the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/-/deputy-data-protection-ombudsman-issues-reprimand-for-conveying-library-search-information-to-us-based-google European commission: Consumer protection: manipulative online practices found on 148 out of 399 online shops screened https://ec.europa.eu/commission/presscorner/detail/en/ip_23_418 We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

15 Feb 20231h 3min

This week, we talk with Romain Robert, a Program Director and a senior lawyer working at NOYB. For the few who might not know, NOYB is a Austrian NGO founded by Max Schrems, who is probably a familiar name to everyone in the privacy world (heard of Scherms I or Schrems II anyone?). Romain has extensive and interesting background and can claim a rare feat of actually taking part in writing the GDPR. We talk about three groundbraking cases delivered by the Irish DPA by just the beginning of the privacy year 2023 concerning Instagram, Facebook and Whatsapp, all Meta owned platforms (yeah, those ones, everybody is talking about them, right?). The complaints against these three companies were made on 25th of May 2018, on the day GDPR entered into force, and concerned their legal basis for processing the personal data of their users. The legal basis used for multiple different purposes, such as behavioural advertising and service improvement, was claimed to be contract, and this ultimately did not go through with the DPC. However, the case is more complicated than it sounds and included many twists and turns between the parties as well as between the DPC and other Member State DPAs- and ultimately the EDPB). We also talk to Roman about working with NOYB, their future agenda, consent or pay -solutions and GDPR enforcement. Please tune in and learn more about the inside world of the most talked-about privacy NGO in Europe (or the world)!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

2 Feb 20231h 9min