Masters of Privacy

Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. 

Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast.

With Rie we will explore her own tips and tricks to stay sharp and up to date, avoiding a myriad of shallow or confusing sources and digging for the best possible answers at all times - all of it while avoiding clickbait, radical opinions and the avalanche of so-called privacy experts clogging LinkedIn feeds.

References:

• How to stay up to date as a DPO
• The Grumpy GDPR Podcast (NoTies Consulting)
• DPO Hub
• Rie Aleksandra Walle on LinkedIn

Dragos Tudorache is a Member of the European Parliament and Vice-President of the Renew Europe Group. He is the LIBE rapporteur on the AI Act, and he sits on the Committee on Foreign Affairs (AFET), the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), the Subcommittee on Security and Defence (SEDE), and the European Parliament's Delegation for relations with the United States (D-US). He was the Chair of the Special Committee on Artificial Intelligence in the Digital Age (AIDA).

Dragos began his career in 1997 as a judge in Romania. Between 2000 and 2005, he built and led the legal departments at the Organization for Security and Co-operation in Europe (OSCE) and the UN missions in Kosovo. After working on justice and anticorruption at the European Commission Representation in Romania, supporting the country’s EU accession, he joined the Commission as an official and, subsequently, qualified for leadership roles in EU institutions, managing a number of units and strategic projects such as the Schengen Information System, Visa Information System, and the establishment of eu-LISA1.

During the European migration crisis, Dragos was entrusted with leading the coordination and strategy Unit in DG-Home, the European Commission Directorate-General for Migration and Home Affairs, until he joined the Romanian Government led by Dacian Cioloș. Between 2015 and 2017, he served as Head of the Prime Minister’s Chancellery, Minister of Communications and for the Digital Society, and Minister of Interior. He was elected to the European Parliament in 2019. His current interests in the European Parliament include security and defense, artificial intelligence and new technologies, transatlantic issues, the Republic of Moldova, and internal affairs.

We have addressed the following questions around the new EU AI Act:

• Back story behind the final compromise on foundation models, and the chosen thresholds for a higher regulatory burden
• Interplay between AI models and AI systems
• The “open source” differentiator 
• How and why the AI Act overlaps with the GDPR, copyright law or product liability laws
• Impact of the Data Act on the development of AI

References:

• The EU AI Act (EU Commission’s proposal)
• Dragos Tudorache (EU Parliament’s official website)

Dr. Augustine Fou has nearly three decades of experience in digital marketing, including client-side experience at American Express and agency-side experience at IPG and Omnicom, where he served as Group Chief Digital Officer of eight agencies serving pharma and medical device clients. Dr. Fou also taught digital strategy at Rutgers University's executive education program and NYU's School of Continuing and Professional Studies.

With Dr. Fou we will aim to answer the following questions:

• Does programmatic advertising have to be necessarily bad for privacy?
• Can we once and for all dismantle the fairy tale of marketing attribution? How about advertising fraud controls?
• Is it possible that killing third party cookies is not only better for privacy but also better for business outcomes? 

References:

• Dr Augustine Fou’s recent articles
• Dr. Augustine Fou: How to optimize towards humans and not just away from fraud (LinkedIn)
• Fou Analytics
• Sergio Maldonado: “Analytics CEO makes a passionate case against marketing attribution” (Chief Marketing Technologist, Scott Brinker)

Stefan Filipović is a privacy lawyer that began his career at the outset of GDPR enforcement in 2018. Throughout the years, he has built his expertise by working at a law firm focusing on IP and privacy, at a university as a researcher investigating legal challenges in regulating AI-based technology, and as a privacy officer and a counsel for a few Norwegian companies. Today he is a DPO at reMarkable.

For several years, he also volunteered at ICANN, and for a period of time, at NIST’s privacy workforce.

Beyond his focus on privacy compliance, he maintains a strong passion for information security, computer science, and risk management, as well as corporate governance and finance.

References:

• Stefan Filipović on LinkedIn 
• Black Box Thinking (Matthew Syed)
• Privacy is hard and seven other myths (Jaap-Henk Hoepman)

Nina Müller and Sergio Maldonado discuss a few recent events across the EU, the UK, and the US: Yahoo/Uber ePrivacy fines, Google Chrome (Incognito Mode) settlement, US Congress Social Media hearing, upcoming UOOM/ Global Privacy Control enforcement across various states, and Spain’s AEPD Guidelines to circumvent cookie consent requirements for high-level Digital Analytics. 

Please find relevant links and additional updates across all of our usual core sections (ePrivacy and regulatory updates; MarTech and AdTech; AI, competition, and digital markets; PETs and Zero-Party Data; future of media) on the PrivacyCloud website.

Could we re-interpret article 5.3 of the ePrivacy Directive so that the “strictly necessary” (to provide a service) consent exemption gives shelter to the core technical building blocks of advertising solutions making journalism possible? Can we not deal with personal data (should it be involved at all) or behavioral targeting (should it be the case) separately under the GDPR?

Peter Craddock helps us answer that question.

Our guest is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. Peter is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area.

References:

• Peter Craddock on LinkedIn
• Maybe no consent needed for advertising under ePrivacy "cookie" rule? (Peter Craddock)
• EDPB seeks to redefine ePrivacy – Part II: Overbroad notions and regulator activism?
• IAB Europe Responds to the EDPB Public Consultation on their Draft Guidelines 2/2023
• EDPB ePrivacy Guidelines: Comments Highlighting Risks to Businesses with Digital Activities (Keller and Heckman)
• Romain Robert: Pay or OK in AdTech - How it started and where it’s going (Masters of Privacy)
• Renzo Marchini: Unintended consequences of the EDPB Guidelines on storage and access under article 5.3 of the ePrivacy Directive (Masters of Privacy) 
• Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls (Masters of Privacy)
• Robert Bateman: Consent or Pay (Masters of Privacy)
• Peter Hense: How first party data will kill CMPs (Masters of Privacy)

Can we take Data Clean Rooms to the next level in terms of baked-in privacy?

Damien Desfontaines is a Scientist at Tumult Labs, a startup that helps organizations safely share or publish insights from sensitive data, using differential privacy. Before that, he led the anonymization consulting team at Google, and got his PhD in computer science at ETH Zürich. He maintains a blog that teaches you all about differential privacy. 

References:

• Damien Desfontaines on LinkedIn
• Nicola Newitt: the legal case for Data Clean Rooms (Masters of Privacy)
• Damien Desfontaines’ blog on Differential Privacy
• Tumult Labs: Resources and publications on Differential Privacy

Tejas Manohar is the co-founder and co-CEO of Hightouch. Prior to founding Hightouch, Tejas was an early engineer at Segment, a leading Customer Data Platform (CDP) acquired by Twilio. 

The following topics have been covered in this interview:

• Current limitations of Customer Data Platforms (CDP) as a core building block of the marketing data stack
• The value of composable CDPs and Reverse ETL
• Privacy compliance challenges of CDPs and customer data integration as a whole
• Potential overlaps with Data Clean Rooms

References:

• Tejas Manohar on LinkedIn
• Traditional CDP vs. Composable CDP: What is the difference?
• Revenge of the silos: How privacy compliance is cutting the customer journey short (Sergio Maldonado)

Molly Martinson is a lawyer at Wyrick Robbins, a Raleigh-based law firm with outstanding privacy compliance credentials. She advises clients on a whole range of applicable privacy frameworks (CCPA, CPRA, FCRA, CAN-SPAM, COPPA, HIPAA), data breaches, laws regulating data brokers, and laws governing website and mobile application privacy policies. She also regularly advises international and U.S.- based clients on the applicability and requirements of the EU General Data Protection Regulation (GDPR). 

Molly received her B.A., cum laude from Wake Forest University and her J.D. with honors from UNC Schoolors Writing Scholar. She also received the Gressman-Pollitt Award for Excellence in Oral Advocacy. Molly served as a law clerk to the Honorable Robert N. Hunter, Jr. on the Supreme Court of North Carolina and the North Carolina Court of Appeals before entering private practice.

References:

• Molly Martinson on LinkedIn
• California Consumer Privacy Act
• Virginia Consumer Data Protection Act
• Colorado Privacy Act
• Utah Consumer Privacy Act
• Summary of the Texas Data Privacy and Security Act (National Law Review)
• Connecticut Data Privacy Act
• Florida Privacy Protection Act
• Montana Consumer Privacy Law
• Oregon Consumer Privacy Act
• Global Privacy Control
• Wyrick Robbins

Romain Robert is member of the litigation chamber of Belgium’s Supervisory Authority. He worked in various Brussels law firms between 2002 and 2011. Between 2007 and 2011, he was also a researcher at the Research Centre in Law and Society at the University of Namur. In 2011, he joined Belgium’s Supervisory Authority as a legal advisor. He worked as legal officer at the Policy and Consultation Unit of the European Data Protection Supervisor (EDPS) as of 2015 and joined the Secretariat of the European Data Protection Board (EDPB) in May 2018. In April 2020, Romain joined NOYB - an NGO conducting strategic litigation to enforce digital rights - where he was Program Director until July 2023.

References:

• Romain Robert on LinkedIn
• EDPS Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content
• Sergio Maldonado, How the Digital Content Directive will break the GDPR
• NOYB
• Robert Bateman: Consent or Pay
• EDPB Guidelines 05/2020 on consent
• Giovanni Buttarelli (former EDPS), “Privacy 2030: A Vision for Europe” (IAPP)

Renzo Machini is a London-based partner at Fieldfisher's Data and Privacy team. He holds CIPP/E, CIPT and FIP certifications from the IAPP and is well versed in Cloud Computing, Big Data and other technologies overlapping with privacy and GDPR compliance. He has authored 

"Cloud Computing: A practical introduction to the legal issues" and, prior to becoming a solicitor, he worked for five years as a software engineer at Logica (now CGI), a major independent UK software house.

With Renzo we are directly addressing the biggest elephant in the ePrivacy room today: What are the unintended consequences of the EDPB’s recent Guidelines on the technical scope of article 5.3 of the ePrivacy Directive?

References:

• Renzo Marchini on LinkedIn
• EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
• Renzo Marchini, “New Guidance released on the technical scope of Art 5(3) ePrivacy Directive - a landgrab by the EDPB”
• Renzo Marchini, “Cloud Computing: a practical introduction to the legal issues.” (Cambridge University Press).

Nina and Sergio run through the most relevant news of the past three months at the usual intersection of marketing, data, privacy, and technology - stopping at a few less commented and yet quite relevant fines, guidelines, or upcoming legal frameworks.

In particular, this episode covers: 

• Dark patterns in recent EU enforcement actions 
• EDPB Guidelines on the technical scope of the ePrivacy Directive
• The 23andMe data breach
• 40 states suing Meta over Insta/FB’s impact on the mental health of teenagers

Best of all, we managed to avoid OpenAI’s drama.

With Nina Müller and Sergio Maldonado.

References:

• [ES] AEPD fine resulting from the use of dark patterns in the acceptance of third party recipients (Expansion)
• Irish watchdog fines TikTok €345M for mishandling kids' data (The Register)
• 23andMe user data targeting Ashkenazi Jews leaked online (NBC News)
• EDPB Draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive 
• Dozens of states sue Meta over youth mental health crisis (The Verge)
• Masters of Privacy - Arielle Garcia: How privacy awareness leads to respectful, effective marketing

Arielle Garcia combines a really good understanding of the advertising industry with award-winning expertise in privacy and responsible data use. She is the founder of ASG solutions, a consultancy firm specifically focused on helping marketers drive sustainable growth through respectful marketing and was previously UM Worldwide’s Chief Privacy Officer.

She holds a JD from Fordham University and has been recognised as a Top Woman in Media and AdTech by AdExchanger in 2023 (as well by others in prior years). In 2021 she was inducted to the American Advertising Federation’s Advertising Hall of Achievement due to her impact on the industry.

What we have covered in this episode:

1. The bigger picture of privacy challenges in the digital marketing industry
2. Cookie and pixel inventories
3. Does more data mean better results?
4. Privacy consequences of the new “black box” offerings from the walled gardens
5. Unconsented signals and Conversions APIs
6. US-specific concerns regarding the use of health-related data in programmatic advertising
7. Aligning customer expectations of privacy with business results

References:

• Arielle Garcia, An Industry In Conflict: It’s Time For Tough Questions And Hard Decisions (Ad Exchanger)
• Arielle Garcia on LinkedIn
• Arielle Garcia on X

Jeffrey Bustos is the VP, MAD (Measurement Addressability Data) + Commerce at the IAB where he develops industry standards and guides for measurement and addressability solutions to enable revenue growth, efficiency, and scale with a focus in Retail Media Networks, Video / Advanced Television, and Privacy Enhancing Technology. His projects include: Categorization & Definitions Buyers Guide for Retail Media, Data Clean Rooms and Privacy Preserving Solutions Research, and Attention & Engagement Metrics Standards. 

Previously, Jeffrey worked at GroupM where he led Data & Audience Strategy for eCommerce clients, assisting them with cookieless solutions, audience strategy & activation, as well as data taxonomy & identity resolution for CDPs and Data Clean Room activations.

References:

• Jeff Bustos on LinkedIn
• Retail Media Networks Buyer’s Guide (IAB)
• IAB: Navigating the Privacy landscape (video)

Cristiana Santos is Assistant Professor in Privacy and Data Protection Law at Utrecht University, holding a joint international Doctoral Degree in Law, Science and Technology from the University of Bologna, and a Ph.D. in Computer Science from the University of Luxembourg. She is an expert of the Data Protection Unit at the Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. She holds an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA, 2023-2026) to work on technical and legal aspects of data protection. Prior to joining academia, Cristiana was a lawyer and worked as a legal adviser and lecturer at the Portuguese Consumer Protection Organization.

Victor Morel holds a Ph.D in Computer Science from INRIA and works at the Security & Privacy Lab of Chalmers University in Gothenburg (Sweden). He is working on usable privacy for IoT applications, and his interests encompass privacy, data protection, networks security, usability and Human-Computer Interactions, applied cryptography, and the broad spectrum of ethics in technology. He is also a member of FELINN’s collegiate council, a French association (1901) defending decentralization, privacy, and free software through popular education.

Cristiana and Victor have co-authored a recent paper titled “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls”. With them we are directing our attention to consent walls in the context of publishers and the open market, having already dedicated two recent interviews to the “consent or pay” model as it concerns Instagram and Facebook (ie. Meta). We will also try to understand the challenges and potential conflicts of interest faced by CMP (Consent Management Platform) vendors. 

References:

• Cristiana Santos at Utrecht University
• Victor Morel’s bio and projects
• Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls (Cristiana Santos, Victor Morel, Viktor Fredholm, Adam Thunberg, 20/9/2023)
• Upcoming Workshop on Privacy in the Electronic Society - with Victor Morel (Copenhagen, November 26th 2023)
• EDPB: Report of the work undertaken by the Cookie Banner Taskforce
• CJEU to consider questions from IAB Europe TCF decision (Techcrunch)
• German court bans LinkedIn from ignoring “Do Not Track” signals (Townflex)
• Your Consent Is Worth 75 Euros A Year -- Measurement and Lawfulness of Cookie Paywalls (20/9/2022)
• IAB TCF 2.2 specification

Jeff Jockisch is an independent data privacy researcher at PrivacyPlan. He is also Chief Privacy Officer and partner at Avantis Privacy. Prior to compiling the largest known database of data brokers, he spent many years working with startups, technology, and data. He studied Organizational Behavior at Cornell and holds a CIPP/US accreditation (IAPP).

Our primary questions today:

Can the (brand new) California "Delete Act" or the GDPR be sufficient to avoid major AI-powered phishing attacks? Is there anything else that we could do as individuals or businesses?

References:

• Jeff Jockisch on LinkedIn
• California “Delete Act” (2023)
• FTC: How to Recognize and Avoid Phishing Scams
• Privacy Plan
• Avantis Privacy
• Permission Slip, by Consumer Reports

Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. 

With Robert we have addressed the recent public outcry about Instagram and Facebook becoming paid services for whoever does not want to see ads or consent to the data processing involved in running them. Given that we have already got used to seeing cookie walls on European news websites (in Germany, France, or Italy), we have aimed to open the wider debate around “Consent or Pay” business models.

References:

• Le Conseil d’État annule partiellement les lignes directrices de la CNIL relatives aux cookies et autres traceurs de connexion
• Victor Morel, Cristiana Santos, Viktor Fredholm, Adam Thunberg: “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls”
• Report of the work undertaken by the EDPB Cookie Banner Taskforce
• IAB Europe Transparency and Consent Framework 2.2 (stops conflating legitimate interest and consent)
• EDPB Guidelines 05/2020 on consent under Regulation 2016/679
• Robert Bateman on Twitter
• Robert Bateman on LinkedIn
• Giovanni Buttarelli (former EDPS), “Privacy 2030: A Vision for Europe”
• Google Privacy Sandbox

Cory Underwood is a Privacy and Data Analytics Engineer with a strong marketing data technology background and a good knowledge of both US and EU ePrivacy law.

Cory supports the data privacy offerings of Atlanta-based Search Discovery (a data strategy and activation company), leveraging eight years of experience in privacy efforts and multiple privacy related certifications to enable clients to understand the impact of privacy changes.  With a combined thirteen years of experience in technology, Cory specializes in speaking and writing on his blog (cunderwood.dev) about upcoming privacy changes, allowing readers to take a proactive approach to compliance challenges.

In our second interview with Cory we have looked for answers to the following questions: 

• What does it take for Digital Marketers to comply with State-level Privacy laws in California, Virginia, Colorado, and beyond?
• Will the US internet suffer the fate of European websites, annoying consumers with user-unfriendly consent pop-ups that mean little and cost millions? Why do some US websites insist on replicating the European ordeal if there are no opt-in requirements?
• What will be the side effects of large platforms adapting to the EU’s Digital Services Act in terms of transparency and return on investment for SMEs?
• Where will Topics API, the star framework of Chrome’s Privacy Sandbox fall in terms of consent requirements?
  

References:

• Cory Underwood on LinkedIn
• Cory Underwood on X
• Cory Underwood’s blog
• Search Discovery: An audit of 500 sites for CCPA and Colorado Privacy Act compliance
• Global Privacy Control
• Sephora settlement
• CNIL’s considerations on the Privacy Sandbox and Topics API, July 2023 (FR)
• Apple’s Link Tracking Protection and other Privacy features in iOS 17
• Meta’s Robyn (open framework for Media Mix Modeling)
• Apple’s Private Click Measurement specification for privacy-first optimization
• Masters of Privacy: Cory Underwood on Global Privacy Control and a GDPR-compliant Google Analytics (September 25th, 2022)

Katharine Jarmul is a privacy activist and data scientist focused on privacy and security in data science workflows. She’s a principal data scientist at Thoughtworks and has worked at various companies in the US and Germany before that. She is also a frequent keynote speaker at software and AI conferences.

Katharine has recently published “Practical Data Privacy” (O’Reilly, 2023), in which she provides a deep dive of Privacy Enhancing Technologies (“PET”), including detailed answers to increasingly common questions: How can we actually anonymize data? How does federated learning work? Can we already leverage Homomorphic Encryption to run analysis or work with data even while it is encrypted? How can we compare and pick the most appropriate PETs? Can we use open source libraries?

In our discussion:

• Can we bring Privacy Enhancing Technologies down to earth for smaller companies to understand and apply them on a regular basis? Are they otherwise the monopoly of Big Tech, and does this mean that a company like Meta ends up becoming the unlikely poster child for Privacy by Design?
  
• Can we really speak of a common ethical framework for AI or GenAI? How does a US/Western Europe ethical framework fit within African or Asian cultures?
  
• Can we break the convenience barrier when it comes to individual control?

References:

• Katharine Jarmul, Practical Data Privacy (O’Reilly, 2023)
• Katharine Jarmul on LinkedIn
• Katharine Jarmul on X
• Ethics in eCommerce Summit
• Shoshana Zuboff, The Age of Surveillance Capitalism

Jakob Plesner Mathiasen is an attorney with a focus on Intellectual Property and emerging technologies. He serves as the Secretary for the Danish Society for Copyright Law and is the mind behind the Danish Entertainment Law podcast. He also teaches Entertainment Law at the University of Copenhagen.

With Jakob we’ll try to better understand the copyright implications of Generative AI, and this should help many DPOs, CPOs, or innovation managers deal with the intellectual property side of their new AI Governance responsibilities. 

References:

• Jakob Plesner on LinkedIn
• Reuters: “Getty Images lawsuit says Stability AI misused photos to train AI”
• The Washington Post “‘Game of Thrones’ author and others accuse ChatGPT maker of ‘theft’ in lawsuit”
• Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (Infosoc Directive)
• Directive on Copyright in the Digital Single Market (DSM Directive)
• The Wrap: “Adobe Will Reimburse Firefly AI Users Against Copyright Suits”
• Microsoft announces new Copilot Copyright Commitment for customers
• David Bowie and Queen vs. Vanilla Ice
• Copyright law of Japan (in English)
• Entertainmentretten (Danish Entertainment Law) Podcast (in Danish)
• Danish Society for Copyright Law
• Adrian Sterling: World Copyright Law