In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Outschool bring you a recap of a very busy week in privacy. Earlier this week, we released a special episode on the UK data protection and digital information bill. But today you get the episode we actually intended for you this week, a regular weekend privacy episode, including information on the #Thingy, cookie banners, BCRs, and more.
As always, if you have comments or questions, let us know - LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy @trustArc and email firstname.lastname@example.org. Please do like and write comments on your favorite podcast app so other professionals can find us easier.
As always, if you have comments or questions, find us on LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy and email email@example.com. Rate and Review us! #heartofprivacy #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO
S04E08 - Week in Privacy
[00:00:00] Paul: Earlier this week, we released a special episode on the UK data protection and digital information bill. But today you get the episode we actually intended for you this week, a regular weekend privacy episode. Where Kay. And I talk about the EU U S data privacy framework, also known as the thingy.
UN state local developments to key banners and also about a call for updates to the BCR mechanism. Lots to discuss. I was always, my name is Paul Breitbart.
[00:00:40] K: And I'm Kay Royal and welcome to Sirius Privacy. Paul and I are actually, y'all have no idea getting a little late recording today because there is so much going on in the privacy world. We're like, ah, what are we gonna narrow it down to talk to? But I will say, Paul right after we do the serious the serious question, the unexpected question that.
We've had suggestions that at the beginning of each podcast, maybe we should take a minute and just call out the happenings in privacy that week. Don't discuss 'em. Just call 'em out in case someone didn't see 'em and they need to go look at 'em. That might be something we look at doing. I don't know.
[00:01:19] Paul: It could be, if we think about it
actually, and I also don't wanna do the copy paste of what Angelique is doing in her podcast with the four minute weekly
[00:01:29] K: Exactly. No, no, no. Don't wanna do an overview. Just wanna say, Hey, did you catch the story on Amazon this week? Nope, but I saw the one on Facebook. Boom. Done. All right, so unexpected question. How did you start your day?
[00:01:41] Paul: By waking up.
[00:01:43] K: Don't me reach through the phone and slap someone.
[00:01:46] Paul: Oh God. I mean, that's the, that's the honest, the honest
[00:01:50] K: Funny enough. Me too.
[00:01:52] Paul: After that coffee and the edit of last week's
[00:01:56] K: Ah, there you go.
[00:01:59] Paul: because I had not gotten to that over the weekend, which I usually try to do.
[00:02:04] K: I saw that
[00:02:04] Paul: so I started this morning because it needs to go out today.
[00:02:08] K: Yes, and I will dive in after this and do as much as I possibly can. So that's how my morning should have started. But my morning started with oh God, what did I do? Actually, this is my morning. I had breakfast and coffee, and that's, that's about it. So I'm at the beginning of my morning.
I don't like to do anything before 9:00 AM I'm just saying.
[00:02:32] Paul: Yeah, well, on days that I go to the office, I have to do things before 9:00 AM because my train is at 7 33.
[00:02:38] K: well I say that, but I lay in bed on my phones and I answer emails and slack messages and I look up things and everything as well as I'm, you know, reading my Vampire angel romance books cuz
[00:02:53] Paul: Where are the days that people could just start their day with a paper broadsheet newspaper, and a cup of coffee? Right?
[00:03:01] K: Right. That's the perfect start. But it will say, speaking of books, and I won't. Mel Jess on this. I did post that my book is Live on kind as an e-book. It is GDPR in the USA by Me. Just a short guidebook. It doesn't pretend to solve all your problems. It's just a quick reference to opening up if you follow GDPR to say, oh goodness, what do I need to do in the US if I'm dealing with children's data or.
Health data or education data and some of the crossovers there. I am turning it into a paperback, but I'm gonna add more information in the paperback because I want it to be thick enough to have a spine.
So I have to add more pages, so I'll work on that. Maybe I'll have some, I can actually bring to I A P P, but otherwise, if y'all have a question, let me know.
I mean, it's a little bit over $5, maybe, almost $6 is not that expensive. I, I don't expect to get rich on this.
[00:03:58] Paul: Well, you may wanna also look at, at, other options than just the Kindle, the Kindle version other, the Eub version or something like
[00:04:07] K: That is true. I cuz I do have it in the electronic version I think to upload to those. So I'll look and see what that is cuz yes, I've had quite a few people say they, they don't use Kindle, so I'll have to, I.
[00:04:20] Paul: bad Amazon, right?
[00:04:21] K: Yeah, that's true. I didn't even think about that. I was like, I've only ever read on Kindle for years.
So but the Kindle app on my phone, not an actual Kindle. But speaking of that, here's a very serious question. I want one of the digital notebooks and I've been looking at remarkable super note and the Kindle scribe, even though the Kindle scribe has a lot more storage, I think I'm down to the remarkable and the super.
do you have experience with either one or another suggestion?
[00:04:52] Paul: I have not. So far I've been using a large screen iPad for all those kind of things, with a pencil that also works well. I've seen remarkable. I really like remarkable. The only thing I don't like about it is that it doesn't have a back light.
[00:05:06] K: Mm. The scribe
[00:05:08] Paul: which if, if there is no light or if there is a low light situation,
[00:05:14] K: It's very hard to do that. That makes sense. I'll look and see if the Super Note has that. I don't know. I know the scribe does. okay. And if any of our listeners have any suggestions, let me know. Up until this point, I've been using the the erasable paper notebook, the Rocket Book.
[00:05:30] Paul: Mm-hmm.
[00:05:30] K: So I'm getting a little tired of, I've had it for a few years now of wiping all the pages down, so I thought about something like that.
Y'all holler at me. If y'all have a recommendation, let's dive into a week of privacy. Meanwhile, we'll also see if we can't get hold of Ralph and tie him in here to speak to the UK before we come out. But what else do we have going on in the world?
[00:05:54] Paul: So well there is This thingy
this thingy. And we mentioned in a previous episode that the EDPB opinion is out. We just have not yet really discussed it. So it might be good to start with that.
[00:06:09] K: Okay. Hit us with
[00:06:11] Paul: So the European Data Protection Board issued their opinion on the EU-US data privacy framework, as it is officially called on February 28th. And basically as expected there are positives and there are negatives but they don't fully endorse or embrace the framework. They certainly see substantial improvements such as the introduction of requirements on necessity and proportionality for us intelligence, data gathering and the clarity that's been given.
But there are still concerns, especially because bulk collection is still possible. They are not completely convinced about the oversight mechanism and also on the commercial as aspects. There are still some concerns left that are to some extent still linked to the stratification model.
It is about some definitions that do not match the GDPR. That we have also discussed before. And also still onward transfers is an issue because that has not been ruled out as part of the framework. So also there, what would happen if the date has been transferred?
[00:07:12] K: Right, and the onward transfers is just a big problem for us companies to wrap their heads around.
[00:07:18] Paul: Yeah, and it, I think this is, this is the key problem for almost every adequacy decision that you implement. We know that Japan, as part of the mutual adequacy decision imposed some restrictions. I think Korea did too. And I think this will be an argument for basically every single adequacy decision going.
[00:07:36] K: Yeah, I agree. And even now, when people ask you, or companies ask you to do a transfer impact assessment and they ask you, are you or, or any of your sub-process subject to laws that might cause you to disclose information to the government? Yeah,
[00:07:53] Paul: Yeah, that is for every single company, the answer will always be yes. The question is, what are the circumstances under which you should do so? Is that on the basis of a subpoena that has been approved by a court? Is that just a request from law enforcement to provide information as part of an ongoing inquiry?
[00:08:12] K: Yeah.
and many companies fall under the third party doctrine that law enforcement can go to them to get the information Because third party doctrine, long-standing decisions have held that once a person throws their data away or gives it to someone else, that is no longer their data and they no longer have a right to privacy. Now, this has been limited somewhat when it comes to banks, you know, saying, well, people don't have a choice but to give their information to a bank if they want to have a bank.
It's the same way for pretty much anything. Cell phones
[00:08:49] Paul: and it would be the same for government as we discussed last week with Emma Martins, because you don't have a choice to change government. Well, you have a choice to change government. You usually do that via elections unless you storm the capital or something. But in principle, you do so via elections, but still you only have one government per.
[00:09:10] K: Exact. Well, you hope you only have one or you're in a very bad country.
But yeah, but, it, it is so it's a big problem. And here's the thing. Almost all companies in the US are going to use either Google or Microsoft, especially for things like documents and spreadsheets and PowerPoint slides, which may or may not ever have, you know, other people's information on it.
But regardless, they have so, That they use to create communications on, be it email, documents, whatever. And so most all companies use one or the other. I mean, you have very few options otherwise. And the same thing of backing up in either the OneDrive or the Google Drive. And yes, there are corporate accounts for Google and everything, so yes, your sub-process are subject.
That doesn't mean that your data falls under that.
[00:10:06] Paul: Absolutely not. And I mean the, the EDPB also has some concerns about the oversight on the US side. The lack of prior authorization, for example, for, for both collection.
[00:10:19] K: oh, why would they worry about
[00:10:21] Paul: Well, because it's fairly common to have such prior authorizations in some EU member states. So, I think that's why it's there. And also about the effectiveness of the, the, the PCLOB.
I think in general they are okay with P C L O B oversight.
[00:10:35] K: They just have to get better.
[00:10:36] Paul: yeah, they just have to get better and, and basically do more. And of course we know that there is always the risk every time there is a change of administration that the P C L O B goes without members for a couple
of years and then cannot do anything because they don't have a.
[00:10:53] K: and they're not Viewed as being an active body.
They're viewed in a lot of ways as being a very passive body. So, so I get it. Yeah.
[00:11:06] Paul: So this is, this is the opinion of, the E D P B. Not completely unexpected, I would say. It's also fairly in line with. What we, what the E D P B said, or the working party 29 said. About the privacy shield, when that was discussed in draft. And I can only hope actually that the European Commission this time around will actually listen to the criticism because they don't tell the European Commission, go back to the negotiation table and start from scratch.
They ask for certain clarifications for better explanations. They worry that the whole set of documents. I dunno. It's about a dozen different documents with cross references and, and this goes together with that and that it is not transparent enough. So they call for better transparency in how the framework is presented and, and listing what are the criteria for people to work with it actually on a daily basis.
All those kind of things. can be done. That wouldn't require a whole new series of, of fights between parentheses with the United States. It is just something that the commission can work on to clarify,
and I really hope that they do. Because otherwise we have the list of arguments for the court already ready on why also the thingy, the, the, the data privacy framework would not be sufficient to stand the adequacy.
[00:12:29] K: it's kind of like giving them a roadmap to what they need to do to improve it in order to avoid
[00:12:38] Paul: Yes, I think so. I think so. And while we are on the page of the B C L O B I think there is some, some important movement also on the US side with Travis LeBlanc calling for better common sense protections, especially with regard to section 7 0 2 in FISA, with the forthcoming reauthorization.
He apparently said that earlier this week at cybersecurity 2 0 2, the Washington Post quotes him on that. And I think that is an important it would also be an important step, even though he mainly calls for better protection of US persons. I think an overall higher level of protection of Pfizer 7 0 2 will also have its impact on non-US persons.
[00:13:23] K: Agreed. Agreed. We like Travis LeBlanc.
Yes, we do. He seems to bring a good common sense, practical approach to things and doesn't put it in language that most people can't understand.
[00:13:36] Paul: If you have no idea who Travis is, listen to one of the episodes from season one. We'll link into show notes,
[00:13:42] K: Absolutely.
[00:13:43] Paul: when Travis was still at the FCC.
[00:13:46] K: Exactly, and that's how I remember him most is my first. I don't, I can't all at a meeting, my first time that I'd really seen him was on stage, I think it was him and Julie Brill, and he wore these really crazy socks that I absolutely loved.
And you couldn't help but, but notice them cuz you know, he was right up on stage sitting down.
But someone asked him the difference between the FCC and the FT C when it comes to privacy enforcement and F C C used to be pretty strong in it, but again, things change from administration to administration, their priorities and where they focus. And he said it's kind of like the Justice League and I don't know what's, what's the other, it's like DC and.
they're both out to fight evil.
[00:14:34] Paul: See my blank face
[00:14:36] K: I was seeing your,
[00:14:37] Paul: This is, this is comic books,
[00:14:39] K: yep. Yep. It's Superman, Batman, you know, all that good stuff is
[00:14:44] Paul: Those names ring a bell. That that actually helps
[00:14:46] K: is the two big sides and yeah, it's, it's really good. Superman and Batman are both on the, on the same team, by the way. There's
[00:14:56] Paul: Okay. but, and both, both sides have good ones and bad ones, right? It's not, that one is all good and the other is all
[00:15:03] K: Yeah. Both sides have their heroes. Both sides have their villains, and then of course there's Disney, which seems to own every genre out there.
[00:15:12] Paul: and it's generally perceived as villainous or not
[00:15:16] K: Disney, it depends because the princesses are considered the, they're most famous, the princesses and Mickey Mouse and Donald Duck are all considered, you know, the, the good side, but they're the ones that also have maleficent. And Star Wars.
So yeah, there's a lot of villains in there. I like it. I like it. So, yeah.
What else you got going on that side of the world?
[00:15:40] Paul: Oh, well you know, these, these cookie banner
[00:15:42] K: Oh God.
[00:15:43] Paul: and
You remember the discussion we had back in January of 2022 on the IAB B transparency and consent framework.
Well, that discussion is back. I think.
[00:15:58] K: why is it back
[00:16:00] Paul: Well, as we discussed already a couple of weeks ago apparently there is an agreement or at least there is an updated version of the TCF that the I A B has submitted to the Belgian d p a as part of the whole enforcement process.
IAB claims sign off the Belgian DPA says, no, we do not sign off, but we have said that we see the improvement and for the rest, we'll wait for the court to decide. But ib, apparently behind the scenes is, is starting to talk about this and push this out. So there are consultancies on on, on consent management platforms now also talking about it on social media more.
And the one thing that strikes me is that there is still discussion about legitimate interest with relation to cookie
[00:16:43] K: And I don't get that.
I mean, you broke it down for me very simply years ago into why the T C F and legitimate interest is completely unfounded and unworthy and should never even be a thought when it comes to cookie banners.
[00:17:00] Paul: So let's see if you paid attention,
You either consent or you don't consent to be tracked or analyzed. Or whatever the heck it is, these cookies do other than what is strictly necessary to run the website. Some of the functional ones are a little questionable too, because they're not necessarily strictly limited to function, but you should have the option whether or not you want to be tracked and you want them to deposit a piece of software Deposited without your consent in order to track all this. And I agree, legitimate interest should never be a basis of it because you're eventually, you're essentially taking away people's rights to how they want their information to be tracked and
Well, I mean, I saw a tweet from the, the European Parliament repre last week.
who really, it was clearly, she had a very deep sign, said, I'm working continuously to get this done, but the member states are not willing to play. you know, there is no pricy regulation. And also there for legitimate interest, the Rapporteur has said, over my dead body that legitimate interest will be included.
So also in the future, there will not be legitimate interest for cookies.
[00:18:40] K: As long as anybody with the same mind has any say over it. There is an pricy directive. Don't get us wrong. There is a directive, but they're trying to modify it, turn it into the pricy regulation, so it will have the same general effect that the GDPR does, which came from directive 95. But I agree legitimate interest should never be a basis when it comes to tracking people especially if it's across websites
[00:19:06] Paul: Yeah. And there are these consultants now that say, Hey, maybe you should do a legitimate interest assessment for cookies, because then you find out that legitimate interest is not possible. Why do an assessment for something that isn't a legal basis in the first place? . It really, it, it's really mind boggling and
[00:19:25] K: But you know, it kind of has a crazy sense of logic because he is saying, all right, you companies who think you have a legitimate interest in it, if you won't accept our fundamental tenants that there isn't fine, then go down the route and do your legitimate interest. But if you do it right, it won't be allowed.
Come at it from every direction possible. Right. But no, it's true. It boggles the mind what it is. And of course our old friend Alexander Ha, is on the war path on cookies anyway, so
if you, if you.
[00:19:55] Paul: And then you have, you have the whole discussion. Some people claim in, in that the IAB intends that legitimate interest only is about deferred processing after cookie data. Once you have obtained the user consent to, to set the cookie in the first place.
[00:20:11] K: that you have a legitimate interest for secondary use of the data.
[00:20:14] Paul: Yeah, look at the, look at the provision on secondary use. Also, there is no legitimate interests,
[00:20:22] K: interesting.
[00:20:22] Paul: creating legal basis out of thin air, and I have no idea how they
[00:20:27] K: Well, and I wonder if it comes from the fact that secondary use is allowed, if it is
primarily, well, I can't say primarily cuz it's not, what's the word for it? If it's essentially related to the same purpose and a natural derivative of the same person, the person gave you the con same purpose the person gave you the consent for to begin with, that's not legitimate.
You may actually have a legitimate interest in it, but not as a legal basis.
But there we go. There we go. Okay,
[00:20:59] Paul: so that was my rant for this week on a very familiar topic, of course.
[00:21:04] K: Well, you know, let's go on and look at,
Let's go on and look and see what we have in the us. We've got a very, very busy legislative season right now. Of course, we know that there is always talk on the Federal Hill about a federal privacy law. I don't remember what the latest acronym was that they came up with, but it apparently has been a hot topic in some very major committees.
It's, I believe, passed out a committee. They're looking at it. It's still. A bipartisan bill. So, but it's getting hung up.
[00:21:37] Paul: Could it, could it be the N G H?
[00:21:39] K: It might be,
[00:21:41] Paul: The never Gonna Happen.
[00:21:42] K: I'm thinking. So it could very well be watch 'em come up with an acronym to actually make that fit. But regardless, they're trying, but guess what's hanging them up?
Preemption. Preemption and a private right of action. Ah, who would've thought that those two would've been important aspects, but
[00:22:07] Paul: I think. I mean, I'm in privacy for about 15
[00:22:10] K: something like that.
[00:22:11] Paul: been hearing those two topics as the core issue in the US for those 15 years.
[00:22:17] K: Forever. So yeah. So that's what we have. But right now we have 20 states
[00:22:24] Paul: Sorry, what? What, what is it? What is it that the US is actually scared of when it comes to preemption?
Why is it that the US is scared about preemption, where Europe is?
[00:22:35] K: I don't know, the wild, wild west?
[00:22:38] Paul: Because we allow Germany to be more strict. We allow Italy and France to make their, their additional rules when they think there is a real need to do.
So why shouldn't California be able to, or why shouldn't New York or Washington, or Alaska for, for that matter, be able to, to say, well, we think this is in our local situation, really important, so we want to have some additional rules.
[00:23:04] K: Well actually they don't prevent that. And a great example of that is HIPAA. In the US with healthcare and the California medical records confidentiality law you, the states are allowed to have laws that are more protective than the federal as long as they. addressing the exact same thing. So California has it because it addresses companies that might not qualify as covered entities or business associates because they don't do the 11 transactions.
They protect it just based on healthcare. So it's not the exact same basis for the law. The, I just wonder when they line up and, and people have done this before, they've lined up the aspects of the, the ADPPA, the ADPPA thing with the California, with the C C P A and have shown where the differences are.
The problem is they're speaking to the same controls, they're just taking different levels of protection to them, and that's what's not.
[00:24:03] Paul: Hmm.
[00:24:05] K: So, yeah, so it's, it's interesting how it works, but yeah, all I can say is it's, it's gotta be the wild, wild west.
We just like to be very independent. Our, our states are as big as other multinational areas, countries, and they just like to.
to do their own thing for their own people. But I have a faith, I have faith that something will come out of it. It's the problem is it's gonna be something that's weak and watery and it's not really gonna matter, which is California's concern. If, if the AD PPA provided the same level of protection that the C C P A did in every category and in every way, there would probably be no argument.
[00:24:47] Paul: Mm-hmm.
[00:24:48] K: But the federal is not gonna do that. So it's gonna be interesting. But we do have 20 states that have laws proposed which is interesting because, you know, one of them's already killed in session. That's Mississippi. I have to go in and eventually figure out why it was already killed. But I think it was essentially the same thing that was proposed the last time that eventually died.
So they just killed it early this time. But we do have others that we're watching and one of the ones that's really making the. Is Washington and not for its omnibus bill, but because it actually has a bill to protect healthcare data. And this comes specifically in response to the Dobbs decision.
And so they really want to protect the healthcare data, especially that of the cell of private reproductive healthcare data. Kind of like what Texas is restricting. So it wants to present tax on that because they say right now from the data brokers you can, you know, pay $160, for a woman's search history from a data broker.
So if she was on her private computer or phone and was searching it, you would be able to buy that search history. And I agree that stinks. So that is interesting. And that data is usually not protected under HIPAA. A lot of people are like, but you have a law that protects healthcare data. Not that healthcare data.
Not healthcare data in general. Healthcare data that's used by covered entities and by business associates through those covered entities, yes. But if they don't qualify under HIPAA, which as someone's search engine history would not than it would be. But speaking of that, that does remind me of. The lawsuits against meta the megapixel and how it is transitioning, and there was a decision that just came down about a, an app that allowed.
The me, I think it was the megapixel to scrape up the data. from that it was either an app or a website from that, and I'll get the details of that one, but it allowed you to scrape up that data and it contained very sensitive health information. And cause the company allowed these trackers on their app or their website when they should have known that it was gonna transition, which was actually protected health information to Facebook that they're held account.
So, so that was good. So we are starting to see a few more things. One of the other ones that I will say is, let's see,
[00:27:13] Paul: So when we talk about other ones, how many are we talking about?
[00:27:17] K: what do you mean?
[00:27:18] Paul: How many, how many state laws are in progress
[00:27:21] K: Oh, We have 20 we have got bills proposed in 20 states and they range from west coast to east coast. I can list off the names real quickly.
It's Washington, Oregon, Montana, Texas, Hawaii, Oklahoma, Minnesota, Iowa, Illinois, Indiana, Kentucky, Tennessee, West Virginia. Then you're moving into the Northeast, the dc, Maryland, Delaware, New Jersey, Connecticut, Rhode Island, Massachusetts, Vermont, New Hampshire, and New York.
[00:27:46] Paul: So which are the 30 that are missing
[00:27:49] K: They're the ones in gray on the map, , and you can track these real easily too. Really great sources here. We've got the I A P P that does their state tracking, but you've also got hush Blackwell, which does a wonderful tracking as well year after year. They have that too. So you do have that. Two great resources.
We'll make sure to list there in there
[00:28:10] Paul: So any, any of those that.
Have been adopted yet. I know it's early. It's it's still early. It's March,
[00:28:18] K: I don't think so. Let's see, so no,
[00:28:23] Paul: killed for that matter.
[00:28:24] K: the ones that have that are yellow are the ones that we already have passed. The Virginia, Connecticut, Colorado, Utah, and California.
So we do have some interesting things going on with the Texas law as well. There have been some decisions and some lawsuits filed. So this is really interesting.
there are, and by the way, I wanna come out, come back to a couple of stories that I also saw in the news.
But under Texas, there was a decision, that.
the, the funds that are available that have been available from reproductive clinics, things like that to help someone get out of state in Texas so they can have it, are probably safe from prosecution. We did have a federal judge on that one, ruled that the abortion funds.
The, the people who provide the funds cannot be criminally charged. And I know a lot of employers had looked into that issue as well, that if their insurance benefits paid for someone to travel outta state, would they be held criminally liable? So, looks like they're gonna be safe there. However, there are five women who have filed a lawsuit in Texas because they were denied abortions, even though it was medical reasons, but they have filed a suit for that because there should be some sort of,
Protection there. They were wanted, they were not elective abortions that needed to happen. There were medical.
Reasons, and in at least one case, because of the medical emergency she was under, there was no chance the fetus would survive her emergency condition, but they still would not let her abort.
They force her to go through it for her body.
[00:29:58] Paul: I think that's, that's really, really sad.
[00:30:00] K: and then there is a new bill saying that abortion websites would be blocked in Texas under a new bill. It would require the internet service providers to block sites that provide abortion information, as well as making it illegal to host or provide domain registration for sites that help people obtain or pay for abortions.
If that one passes, there is something wrong with the democratic system
because that just
seems wrong, but there we go. They would be required to make every reasonable and technologically feasible effort to block internet access to information intended to assist or facilitate efforts to obtain an elective abortion or an abortion inducing drug.
And it lists out places they have to. Aid access. Hey Jane. Plan C Chos, just the pill and Caram.
And there are others that it would as well, and it provides legal immunity for denial of service to people who aid or abbet abortion.
Encouraging ISPs to kick users offline as well as they are taking a Bounty hunter approach to finding websites and apps that help this.
So this is
[00:31:14] Paul: This is sad.
[00:31:16] K: our nation right now.
[00:31:17] Paul: This is really, really sad.
[00:31:20] K: So yeah, so that, that's something that's really happening here in the United States.
Sometimes crazy. And we try not to get into very political, controversial topics here, despite the fact that privacy is apparently a very politically controversial topic in some areas. But yeah, it,
so we'll keep a watch on what that's doing. One of the stories I wanted to go back to was, Bo Bella.
Who we've had on the show before wrote an op-ed saying that maybe it's time to rethink binding corporate rules, which surprised me I had to go read it. it surprised me because binding corporate rules are considered. You know, the gold standard of protection and I was the first person with the company that filed a dual application for binding corporate rules for pro processors and controllers.
Processors technically called binding safe processor rules, but essentially the same thing. So I'm intimately familiar with the effort it takes for the BCRs, but she said that. The E D P B missed an opportunity to address BCRs in a systematic, strategic and forward thinking way, and to enable this important transfer mechanism to evolve into a more scalable, powerful, and globally relevant tool for sustainable international data transfers.
[00:32:40] Paul: I am not sure what Iran convinced this is a new message.
[00:32:45] K: Ah, you think this has been a long standing message, huh?
[00:32:49] Paul: I'm not completely convinced this is a new message. The center for Information Policy Leadership has been looking at BCRs for a long time, advocating their use not just as a transfer mechanism, but also as an accountability mechanism. And I agree it is a great accountability mechanism. It is much more than just a transfer tool.
But by just saying, well, BCRs are great, and look at how good the companies that have BCRs are doing privacy. Sure. that is, that is true, but that doesn't make it more easy to use BCRs as a transfer tool or in, in business to business relationships. And let's not
[00:33:27] K: Or even to get an approval.
[00:33:29] Paul: even to get an approval.
Many DPAs are back, back lucked on, on approving BCRs. And let's also not forget, BCRs are very
[00:33:38] K: They are, they are very expensive.
[00:33:41] Paul: they are suitable for a handful of very large
[00:33:46] K: There's only like over a little over a hundred companies that have ever gotten it.
About 200 now. Okay. So still a handful, 200 c.
that, that's a handful. And she says that to fully recognize the potential of BCRs policymakers need to promote, incentivize, and recognize their special nature. As Paul was just saying, BCRs are expensive, they're hard to implement.
They take a lot of time and attention and focus to do essentially an enforceable corporate code of conduct. And I absolutely agree with that. My problem is, and you and I have talked about this before, now that companies have gone through these extensive negotiations for DPAs, you know, to put in SCCs in place, and the apex cross border privacy rules and all of that.
are they gonna let go of it and just say, oh, companies who have BCRs, you're fine. In. In my experience, I've seen they still want to negotiate the heavy DPAs and everything, rather than saying that, we'll, abide by your BCRs. They they need to be simplified and transform the approval process. Yes, the approval burden on it.
They did simplify it back when we were doing it. It went to your primary. Authority and two secondary ones, but still it was, it's crazy. Ensure a risk-based approach to risk assessment. Something that I believe in, something that Paul believes in. We've heard other privacy experts say, you should not take a risk-based approach.
That seems to be bonkers to me. You should always take a risk-based approach make VCRs interoperable and mutually recognized across jurisdictions that I do like, but I think, I feel that that piece in particular is in direct response to trying to globalize the cprs. as a global standard of data transfer.
So I think that's interesting. How they work together should be good. There is a wonderful crosswork out there between CBPR and BCRs compares if you have one, what you need to have in place to do the other. It has been historically easy in my easy, in my experience, to get the CBPR first and then crosswalk over to the bcr.
But companies take different approaches and then recognize transfers from BCR to BCR approved companies.
[00:36:03] Paul: It's not in the gdpr,
[00:36:04] K: Yeah,
[00:36:05] Paul: so the board can say all at once, but it is not there as a legal basis.
[00:36:10] K: yeah
[00:36:11] Paul: I don't know how you want to do that without legislative change.
[00:36:14] K: exactly. So it's interesting. I do
I do appreciate that there's a lot of moving elements in this, and as big of a commercial player as the US is, it's not playing the role it should when it comes to cross-border transfers of personal data.
[00:36:33] Paul: No, not as as we would like to see
[00:36:35] K: No.
[00:36:35] Paul: And the, the cbpr, I mean, they've existed for what also well over a decade. And also there is just a handful of companies that adhere to the mechanism.
[00:36:46] K: Yeah,
[00:36:47] Paul: So yeah, we'll see to be continued.
So that's that's what we have this week in privacy. It's it's quite a lot. And, for now, thank you very much for listening to yet another episode of Serious Privacy Like, and review us in your favorite podcast app. We see some very nice reviews coming in, so thank you for that.
Join the conversation on LinkedIn. Look for serious privacy. Find us on social media elsewhere. Kay, as hard of privacy, myself as Gerald Pauly. Until next week, goodbye.
[00:37:15] K: Bye.