Serious Privacy
For those who are interested in the hottest field in a technology world. Whether you are a professional who wants to learn more about privacy, data protection, or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity to social justice and data ethics and AI. In-depth information on serious privacy topics.
This podcast, hosted by Dr. K Royal and Paul Breitbarth, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on Twitter: @PodcastPrivacy or LinkedIn
Serious Privacy
Privacy Live - a week (a day...) in Privacy
In this episode of Serious Privacy,Paul Breitbarth of Catawiki and Dr. K Royal catch up on a busy 48 hours in the world of privacy and data protection. Their conversation goes from a new landmark decision by the Court of Justice of the European Union to updates on the Thingy to new FTC nominations to a proposed EU law on the cooperation between data protection authorities. They also touch on China, Nigeria, India, Ireland, Argentina, and in the U.S. ... Delaware. Whew.
Links:
- Meta v Bundeskartellamt
- Draft EU law on DPA cooperation
- The ICCL comments on the draft EU law
- The EU-U.S. Data Privacy Framework (as adopted)
- The Irish gag order for data protection investigations
- UK-US Data Bridge
- FTC Nominations
- France TikTok Law
- 50 Years of FIPPs
If you have comments or questions, find us on LinkedIn and IG @seriousprivacy, and on Blue Sky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/
#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO
S04E25 - Week in Privacy
Please note this is largely an auto-transcription. For accuracy, listen to the audio.
[00:00:00] Paul: A new landmark decision by the court of justice of the European union. The final preparations for, to thingy, including some ground predictions on unexpected timeline. A new EU law on DPA cooperation. FTC nominations adopted to us state laws and much, much more in this week's episode. And it is the 4th of July when we record this. And just before we hit record,
K. And I actually just talked about the Broadway show Hamilton. But it's amazing character king George, the third. So, yes, they are Americans. I will say it. You'll be back.
[00:00:51] k: There's a reason I love you.
[00:00:52] Paul: My name is Paul Breitbarth
[00:00:53] k: and I'm K Royal and welcome to Serious Privacy. Paul and I were just saying there is so much that has happened in the last 24 or 48 hours that, oh my gosh, we're just gonna jump in here and get started. But first,
Happy 4th
Happy 4th of July exactly our Independence Day
I should have to have the question around the holiday, but I don't, so here we go. This one, well, this one should be appropriate. Do you need a cold shower?
[00:01:23] Paul: In general or just right now?
[00:01:26] k: I'm taking it as right now cause Arizona's under a heat advisory at 110 or something. So, which is, hold on for most people. Let me convert that to Celsius for you. I think it's somewhere around 38, 39, or maybe 37. Oh, it's 43. Excuse me. It's 43 degrees Celsius.
[00:01:45] Paul: that means that I would need a cold shower for sure. In general, I could do with one right now as well because I dress too warm to the office today because this morning it was cold and windy and stormy and rainy, and now suddenly it's warm.
[00:01:59] k: layers
[00:01:59] Paul: welcome to Dutch Summer. But yeah, no, in, in general, I'm not the biggest fan of cold showers. I prefer tepid at the most
[00:02:07] k: at the tip it at the coldness. I like that. Same way. I don't even take cold showers.
[00:02:13] Paul: You don't do cold,
[00:02:14] k: don't do cold, I don't do cold showers. I see people posting about these ice baths. They take that,they buy 'em deliberately. Maxim one of the dancers off Dancing With the Stars and I think he's from the Ukraine. I started following 'em when he was posting updates to the Ukraine, cuz I think he was over there. But anyway, he was just posting about buying this fabulous ice bath thing that you, and I'm like, no, why?
[00:02:41] Paul: Well, apparently you can. You can learn it, you can train it. A friend of mine always really hated the cold. He couldn't stand it. And he took a course actually with one of the ICE masters. That we, that we have here in the Netherlands Zoo is also training people to take these cold baths. And apparently it is something you can get used to.
I'm not sure whether I would like it,
[00:03:03] k: I, I hear it is, and I hear that it has phenomenal health benefits, but yeah, I don't think that's gonna be one of the things you're gonna convince me to try. So, all righty. So tons of stuff happening in the past 24, 4, 8 hours. My brain is exploding with it. So this is one of those weeks in privacy that it's just gonna come at you hard and heavy. Last week had a lot of stuff that was happening as well. But this is, this is like bam, bam, bam, bam, bam. So let's start on your side of the pond this time.
[00:03:34] Paul: Well, okay. So this morning I, again, it's the 4th of July, so people will listen to this a bit later. But this morning we sold the release of first a decision by the Court of Justice of European Union. In the Bundes case against Meta which is the German competition case, and about 30 minutes later we saw the new GDPR procedural Rules proposal also being published.
So those two came immediately back to back and are both massively influential in the application of the GDPR. So where do you wanna start?
[00:04:12] k: Let's start with meta because that one's interesting. Because it goes against their personalized advertising again, which I think this one hits them pretty hard about. They can't have any basis except consent is essentially what I believe it comes down to.
[00:04:28] Paul: Yeah, that is one of the many things that the court says in this decision. Again I have read it only once. So much more fine tuning and digging that I need to do. But it's true first of all, that this was a case from. The German Federal Cartel Office. Looking at Facebook's profiling and advertising practices for private users.
The German Federal Cartel office has helped Before that they are competent because Facebook, by ignoring data protection rules compliance basically has a market share. That they shouldn't have, if they would play by the rules or at least their market power would be different if they would play by the rules.
So in in US lingo, basically the German federal cartel office said these are unfair and deceptive practices. Like the FTC could say I. The question, first of all was before the court, can the German Federal Cartel office actually say that because this is a data protection case. This is
[00:05:29] k: Right.
[00:05:30] Paul: The court, the court says, well, in this case they can because the focus of the case was not so much. About GDPR compliance or imposing restrictions on interferences with the GDPR. They were drawing conclusions on the application of the GDPR for the market power of Meta, in this case, Facebook. And in that light, yes.
The Cartel office was able to also include the GDPR and the consistent application of the GDPR into their considerations about market power and, and, and compliance or, or possible abuse. At the same time, the Court of Justice also said, should there have been already another case in Germany or in the European Union for that matter on the same merit.
Then that should be taken into account. Then the cartel office could not just ignore that case and draw their own conclusions. So they are to some extent, bound by that one sub shop under the GDPR that if there is a decision already they cannot just ignore that. But they can use it of course in their findings on a dominant market position.
When it comes specifically to the processing of data for behavioral advertising and personalized advertising in general. Also there, the court has said, indeed, as you already mentioned you cannot just do that on the performance of a contract and you cannot do that likely on the basis of a legitimate interest.
I mentioned the likely because the court leaves open some very small margins of maneuver whereby certain legitimate interests could prevail. But basically they looked at not just at Facebook's advertising process practices, but at more also for, for security and for product improvement and auto legitimate interests.
And for most of them, the court says it is unlikely. That Meta's legitimate interest would prevail over the rights
[00:07:24] k: Right.
[00:07:25] Paul: And that means that it is not so much the, the legitimacy of the interest that is the problem, but the balancing test that
it just doesn't prevail over the fundamental rights. And I think that is an important an important step because what I still have to find out and that, that requires many more times of rereading, it's whether the court interprets this also, I. In light of Facebook's meta's market dominance or just whether this would apply to every single company that would be involved in behavioral advertising, that I just don't
[00:07:56] k: Right. I was looking at those provisions now. And of course they're, they're throughout the decision, so it's, it's hard to put 'em together piece by piece, but it seems like a lot of the legitimate interest is talked about. In paragraphs 47, 40, 47, 49.
[00:08:13] Paul: 1997 until 1
[00:08:16] k: Well, I was gonna say the first part was there, and then it goes into the biggest part where it has more of the conversation. So the earlier part was on raising the question.
[00:08:25] Paul: to the legislation and raising the questions. Indeed.
And the substantive review on it's question three and four that are the core of this discussion, at least that have been put to court is as of paragraph 97 and beyond. And then in the final provision the court says that
The, the, the court basically repeats all of the requirements for a legitimate interest assessment.
[00:08:49] k: Yeah, it talks about minors in here in particular because, you know, that's a big. Use of Facebook or meta that the preliminary ruling does not contain any explanation as to how research and innovation for social good or the fact that the user is a minor could justify as legitimate interest the collection and use of the data in question. And it said, consequently, the court is not in a position to rule on this matter, so it doesn't speak to research and innovation for social good or.
[00:09:19] Paul: No, they do not. And that is because the lower court that referred the case to the Court of Justice of the
[00:09:24] k: Didn't look at that.
[00:09:26] Paul: just included insufficient detail in the referral. So I'm sure there will be follow-up cases on this one as well. But it is a, a, a major milestone also because now the Court of Justice has held that competition.
Authorities can also look at data protection infringements, if that leads to market dominance. And thus to an non level playing field and unfair and deceptive practices. And that can be significant because competition fines can go up to 10% of global turnover, whereas GDPR finds, as we all know, can go up to 4%.
That is a whole big difference. And also, competition authorities in general do not shy away from sf. Fine. So this, this could be a
[00:10:09] k: This, this absolutely could be a big one.
[00:10:12] Paul: And there is, less of a one-stop shop as
[00:10:13] k: Yeah. Absolutely agreed. Okay.
[00:10:17] Paul: So speaking about the one-stop shop we also got today the GDPR procedural regulation in draft still proposed by the European Commission. We knew this was coming for a while already. Basically during the first review of the GDPR, that came out in 2021, I believe. It was already one of the conclusions from the European Commission.
That the procedural aspects of cooperation between data protection authorities in cross border cases were not harmonized, which is true because they are all subject to administrative procedural law, which is not in scope of the EU treaties. So the commission has been thinking from that time onwards to see, can we, can we do something here?
Can we make some changes? They decided not to open up the GDPR, but to introduce an accompanying regulation. So a new law with direct effect to clarify some of those more procedural aspects on how data protection authorities cooperate. One of the proposals. Is that both the individual filing the complaint and the parties under investigation should be heard throughout the whole process.
So whenever there is some, a relevant development whether that is drafting the outline or drafting the first conclusions or determining define, there is a right to be heard for both the complainant and the supervisee. so that's one the other part much more much more vital. I think relates to the cooperation between the data protection authorities themselves.
And this also addresses the issue. You may recall from the Irish Twitter case where the Data Protection Board said, well, we disagree with the scope of the investigation. Dear Irish DPC, you should have had a much wider scope than just the one data breach that Twitter reported. You should have looked at all of Twitter's data security which according to the Irish D P C would interfere with their independence.
That issue is now sort of solved in this this new regulation because early on in an cross-border investigation, the lead D P A must send a so-called summary of key issues to the European Data Protection Board, identifying which elements will be subject to their investigation and also their initial views.
And that gives the opportunity for the other data protection authorities to say, Hey, We disagree with that. We want to discuss that. And as with all GDPR debates, that should come with the so-called relevant and reasons, objections. So they should motivate why they disagree with that. This could also lead to an urgency dispute resolution decision before the European Data Protection Board.
So that means that DPAs early on in the process can already say, Hey, we disagree with the scope or very interesting what you are proposing, but we want to be part of the team much easier than is currently the case. Under the existing rules. So that might change also how investigations are conducted for the the data protection authorities.
And I think that is probably, for me at least the biggest change in this in this whole procedure. What I'm not too sure of is that the regulation also recognizes the so-called usefulness of amicable settlements instead of enforcement. So I think that is each to their own and really up to the data protection authorities.
I don't think we need the European Commission to say that amicable settlements could be useful. But what I, for example, did not see is the requirement to make those public So maybe there will be there will be some moments also for, for input on this this whole process on how to deal with these cross border cases.
Because I think that is also an an important step.
[00:14:10] k: Okay.
[00:14:11] Paul: And this will now go into the the whole legislative procedure, which will take a while before
[00:14:16] k: Right, right.
[00:14:17] Paul: fully completed.
Also, let's not forget, we are just before the summer break in Brussels member states, European Parliament leaving for summer vacations. So this. Will likely not be discussed until September.
And let's also not forget that Parliament will rise somewhere in March before the European elections that will, that we have in June of next year. So the chances that this will be wrapped up before the European elections, in my view are zero. Then
[00:14:46] k: so, so when you say it might take a while, that means a while.
[00:14:50] Paul: That means a while because we have, we have political changes in between as well which are never useful in these kind of discussions. So I don't expect any of this to materialize for a political agreement before 2025. But we'll see. Maybe everybody falls in line, stands behind this and says it's wonderful.
So far that's not the case because for example Johnny Ryan of the Iris Civil Liberties Organization has already started criticizing the, the proposal because he considers that it will strip complainants actually of their right to see and respond to what the companies or public bodies under investigations say about the complaint.
I don't read that yet. In the, in the proposal. But also here, I've only read it once, so maybe I've overlooked something. That's, that's very possible. So the first criticism is also there but we'll see how it, how it will evolve.
[00:15:42] k: Okay. Significant movements indeed. Okay. What do we have? We have one other thing on your side of the pond. That was pretty significant, didn't we?
[00:15:51] Paul: Yeah, we have, well actually we have one and then we have one cross border thing that is also
[00:15:56] k: Yes, the cross border thing is significant.
but go to the other one.
[00:16:00] Paul: but the, the other one is actually from, from last week, and that is the decision by the Irish government and the Irish Parliament basically for gag orders during a d DPA investigation.
[00:16:11] k: I missed that one.
[00:16:12] Paul: the.
The D P C will now have the possibility to say that information that is shared during the, during the investigation, whether that is shared with the company under investigation or with the the complainant that, that cannot be further circulated.
[00:16:28] k: not miss that one. This is basically prohibiting published documents or documents from being shared. Right.
Okay. Yeah. I did not miss that.
[00:16:38] Paul: This is basically the Irish government being annoyed that Nip publishes all the
[00:16:42] k: Yeah.
[00:16:43] Paul: out of the D p C proceedings online. They don't like that. They don't want that. And now it's also part of the legislation that the D P C can at least block that if they want to.
[00:16:54] k: so that, that was interesting when I saw that. You're right. So that's a nice segue over to the thingy because back in May, which seems like it was so long ago, but I mean, it was just, you know, six weeks ago, seven weeks ago, maybe back in May, I believe the European Commission, or the European Parliament, sorry, adopted the EU u s Data privacy framework resolution officially. That was on May
11th during a plenary session, which was really good. And then last week, was it on the 30th, I think it was, our department of justice over here announced that it had fulfilled the requirements for Completing the actions to make the, the data privacy framework to make the thingy legitimate. So the official announcement from the US Secretary of Commerce, so I may have to redo that whole thing. The US Department of Commerce made an announcement. There was another announcement by someone else, but we'll get to that as well. But the US Secretary of Commerce, Gina Raimondo and issued the following statement, that the United States fulfilled its commitments for implementing the E U U S data privacy framework. Back that was announced back in March of 22. It represents the culmination of months of significant collaboration between the US and the EU, and reflects our shared commitment. Now back also on that same day, the Attorney General Merrick Garland designated the EU and the additional three countries making up the European economic area as qualifying states for implementing the redress mechanism.
You may remember that one of the unusual aspects of the executive order, Was that the other countries had to equally agree to protect. Our personal data. So, and that was a question is whether or not we would, because as you and I have discussed, there is quite the significant surveillance over in Europe especially some countries over others. But the office of the director of the national Intelligence also confirmed that the US intelligence community has adopted its policies and procedures. Under that executive order as well. So it looks like we are moving forward with the thingy pretty significantly. Which is really
cool.
[00:19:10] Paul: and I'm happy to see that in any case, all of the countries were designated as qualifying states. To me that feels a bit like a political deal and not like there is a real assessment behind it.
[00:19:23] k: it does. but what about the uk
[00:19:26] Paul: They are not
[00:19:26] k: right?
[00:19:27] Paul: but they were not part, they were not part of this agreement in the first place.
The UK is negotiating a data breach not a data breach, a data breach with the with the us like they are with with the Dubai international financial sensor as we heard two weeks ago. So the UK is not yet part of this list. We may see that later on. But for now it's the EU 27 plus the the three economic area countries so Norway, Iceland, and Lichtenstein.
And those are then the first in the world to be qualifying under executive order 14,086. But that decision does not go into effect yet. But it, because it will only go into effect once there is the mutual decision. So only once the European Commission indeed determines adequacy can be given to the us.
So it really is a quid pro quo.
[00:20:19] k: Yeah,
[00:20:20] Paul: Everybody that hoped to already be able to use these as part of their standard contractual clauses still not the case. We still have to wait until the moment that the European Union is ready to also grant adequacy to the United States, and that may still take some time.
[00:20:35] k: And it might, and
we'll make sure to post the link as well, but the intelligence community had to each develop their own. Processes and procedures on how to do this. And they had to do so in consultation with the Attorney General, the Civil Liberties Protection Officer, and the O D N I and the Privacy and Civil Liberties Board. And there is a link here for the procedures for each agency, for the cia. The Drug Enforcement Agency, the F B I, the National Reconnaissance Office, the N S A, the National Security Agency, the O D N I, the office of the Director of National Intelligence, department of Energy, department of Homeland Security. I. Both their intelligence and analysis and their Coast Guard procedures, department of State, bureau of Intelligence and Research, and Department of Treasury, office of Intelligence and Analysis. So all of the procedures are linked. And we'll give you the link to that. So you can go and delve deeper into those if you want. But this means that the thingy is more than likely moving forward with all this work done. It's kind of really hard to imagine. It's gonna get to the European Commission. They're gonna go, no, go back and do some more. But
that's a political thing.
[00:21:45] Paul: it is, moving, it is moving forward. Of course, we still have to wait for the the, the full creation of the court and also the names of the people eligible for the expert panels. So I think the commission will still be waiting for those. Maybe some further behind the scenes talks are ongoing.
For further clarifications as requested by the European Parliament, and especially the European Data Protection Board. So some people speculated online today that, that we will see the formal adequacy decision next week. That is unlikely because the member
[00:22:18] k: That's a little.
[00:22:19] Paul: still need to, yeah, member states still need to give their agreement, and that meeting has not been convened yet.
So it will take at least a few more weeks. But I think we can also be quite certain that we will not have to wait until November as others speculated before this is a done deal. So maybe by the end of the month before Brussels really goes on, on summer holiday is still a feasible target.
And that means that the commission would then have their before the summer edition. And that means that we have only waited three years since the annulment of privacy shield for a replacement to be in place.
[00:22:56] k: Yep. Yep. Absolutely. Well, speaking of appointing people president Biden did appoint two new regulators to the ftc.
He appointed two Republicans. As you may remember. We had one that, you know, was very vocal about her displeasure with the chairman.
So we actually have two new Republicans, he appointed the Virginia Solicitor General Solicitor, general Andrew Ferguson and the Utah Solicitor General Melissa Holyoke, to fill the two Republican slots at the ftc. Now, you may remember the FTC is very active in privacy investigations and enforcement, but that is not their main job. They have quite a few of other things that they take care of, a lot of things that are in motion right now. Right now there's a current one they've sued to stop Microsoft's 69 billion deal to buy Activision, and they're awaiting a court decision in it. But some of the things that they've done this year included the Amgen purchase of Herion. Therapeutics purchase of intercontinental, exchanges of Black Knight. They're also fighting Lumia over its purchase of Grail. There's a whole bunch of things that the FTC does, but this is significant that there are they're balancing as they're required to do and appointing the two Republicans to there.
So this would be really interesting to see this. Every time you get new commissioners on the board, you'll start seeing a different flavor. Of priorities. And that's also
in addition to the different priorities you see under the different administrations. So everybody brings their own thing to it, but it's significant that he did that those two republicans have been appointed now.
[00:24:37] Paul: Have they been appointed or have they been nominated? Subject to Senate
[00:24:40] k: He's nominated them and they still have to be confirmed by the Senate. Yes. There was also one that popped up and I just happened to have this open at the same time as Biden that I didn't mention, but it came to mind with the FTC cuz the FTC. Enforces Kapa, the Children's Online Privacy Protection Act,
and we're starting to see a lot of conversation around that because California adopted the age appropriate design code very much after the UK age appropriate design code. And with this, there's a lot of talk about raising up the age of Kapa CAPA's
under 13 right now. And every state in the us, which by the way, there's a new state probably about to pass their privacy laws. Delaware came out of their, their two houses.
But we got more coming down the pike. I think we're up to like 12 now. But. Every single one of them recognizes children's data as being sensitive data. Most of them actually define the age of children's data as being under 13, which is what Kapa does. But there's a couple of them. One in particular, and I can't recall who it is, that actually defines it as defined under Kapa. And there's been a lot of conversation lately about raising the age of COPPA up to under 15 or under 16, kinda like what California has done. There are certain things for under 13 and then there are those 13 to 15 ages that you have to do other things with about opting into their data and all. So it could be that COPPA raises its age, and if so, most of these states will have to go through and raise their age to match coppa. I like the ones that put in the provision that the definition of children's data matches that as defined by coppa. So I think
that
[00:26:26] Paul: I mean that would, for, that would make some, for some consistency, right?
[00:26:31] k: it does.
[00:26:32] Paul: similar consistency as we are missing in the European Union with all the member states,
with all the member states actually picking their own age for children's consent, for
[00:26:41] k: Well, yeah, and that was why it made me think of France. So France just approved a new law. It still has to go through final approval,, requiring social media platforms like TikTok and Instagram to obtain parental consent for those under 15 years of age. So it's going through and is doing all this. And not only If it's approved, websites and apps will have a year to comply with the policy for new con subscribers in two years to apply the requirements to existing users. sites in theory are closed to those under the age of 13. But now they're saying that since more than half of the children, aged 10 to 14 used social media, they want them to get parental consent, but they also want them to limit the time that children can spend on their sites.
Now, you may have, that may sound familiar because we've had another law like that that has been passed, and I'll have to pull up exactly where that was, that limited the ability of children to use TikTok to a certain number of hours a day. Of course parental consent can go in and turn that off. So it is interesting.
[00:27:45] Paul: China.
But
[00:27:47] k: TikTok is a Chinese company, but just because it's a Chinese company doesn't mean that regulators aren't concerned about what the children do on it. So that could be, but it made me think of that because the children, now, the one thing that I find interesting is that most people need to realize this is not data on children.
It's data from children. So parents who shared their children's information on social media, like the episode we did early on on Sherring,
[00:28:14] Paul: Sharon
[00:28:15] k: right? Which is a, becoming a bigger and bigger issue. We were early on on that issue actually. But it seems like it's
become,
[00:28:22] Paul: maybe our
[00:28:23] k: Our guests.
were early on. Exactly. And we'll need to follow back up with them to see if they've researched further on this or made any further advancements on it.
But you're seeing it come out from more and more researchers, but it is data from children, not data on children. The data. On children which come from parents or other third parties might be equally concerning because of the significance and the amount of data that's being shared. There are some children whose entire lives are documented online, and it's from their parents, not from the children. So that is one thing a lot of people need to pay attention to. This is data from children. So we need to pay attention to that as well. There were a couple of other interesting things that happened over here in the us. I mean, one thing that's pretty big and thank you I A P P for publishing this we're celebrating the 50th birthday of the fair Information Practice principles. They were developed
back in 1973. One of the earliest, let's be honest, one of the very earliest they were published, On 30th of June in the federal register as part of a report on records, computers, and the rights of citizens. And most of the information in there were based on information from Alan Weston. He
had a 1967 book, privacy and Freedom. This is the. I'm not gonna say it's the Bible of privacy, but it was very early and very significant. And he is the godfather of privacy rights in my
opinion, At least in the US.
But he based, let's see I wanna get this right. The report that was published prominently credited three government publications, privacy and computers in 1972, the report of a task force established by the Canadian Departments of Communications and Justice. Data and privacy. 1972, the report of the Swedish Committee on automated personal systems and data banks in a Free Society. 1972, the report of the National Academy of Sciences Project on computer data banks. Alan Weston authored both the Swedish one and the last one on the data banks. And so this is really significant. The fair information practice principles have been legitimized in several different treatises on privacy, and it is actually what I use as my basis for formulating a privacy program as well. So 50 years To that go figure. Most people didn't think the US had privacy for that long. We actually have. But it's really, really cool to see celebrating that. One of the other things that was a big news here is that the Illinois federal judge overturned the 228 million of damages award in the first. Biometric information Privacy Act that made headlines from a railroad company that used biometrics for timecards and it assigned a 228 million damages. It's not that the decision has been overturned, it's the fact that the federal judge has determined that the defines are discretionary. And so
it is the B N S F railway, and it was Judge Matthew Kennelly in Illinois, US District Judge, he said that the damages under the biometric law, discretionary. And so he is going to hold another trial. I believe it's another trial to empanel a jury to decide what appropriate damages are. And so this was a pretty landmark decision and so coming back to, to see what the actual damages should be ordered by a court. Is interesting. It said that there is, the BPA contains the word may, which means there's an option to award damages. There's the option to not award damages. And so this was significant because it calculated the damages based on the number of people.
So it was a cumulative damages award. And so this is interesting. So we'll see what happens there, but that was pretty significant. So looking forward to what the decisions of that are. I'm pretty sure there are other things, cuz as you and I said at the beginning, everything seems to be moving fast and furious in the past week. A lot of them just in the last 24 hours.
[00:32:50] Paul: Exactly. Well, there is one other thing that I, that I'd like to share. This is not a.
[00:32:55] k: Okay.
[00:32:56] Paul: major public statement or whatsoever. But during my my last lectures at university last week I spoke to one of the participants during the break. I won't reveal who they were, I won't reveal the company. But they told me that they are actually going through the motions right now with the c a C in China to get permission to export
[00:33:16] k: Ooh, okay.
[00:33:18] Paul: And they have already cleared the regional level and are now in front of the national
[00:33:23] k: Oh, isn't that fascinating?
[00:33:25] Paul: permit. So the procedure is actually seems to be working together with local council preparing the the whole dossier to to get that approval. But it is being it is being used and c a c is actually also.
Considering these kind of requests.
[00:33:42] k: Very cool.
[00:33:42] Paul: might be that the first decisions have already gone through. I do believe this to be one of the first ones also based on what the student told me. But I thought that was fascinating to see that. About a year, I think after we dis we started discussing the the Chinese data export provisions that they actually seem to be working.
[00:34:00] k: very nice. That is good news to hear as well. Argentina's. Data Protection Agency, the agency of Access to public information submitted a draft personal data protection bill to theirs. So we can look forward to more developments under Argentina.
As we had talked about previously in one of our shows, China and Hong Kong have signed a memorandum of understanding to promote cross border data flow. And so that will
be, Yeah, right. There were additional fines under India's proposed digital personal data protection bill is exactly what it is. And so they are adding penalty provisions for violating agreements with the data protection board. And so we might actually have more developments from there. And then by the way, Colorado and Connecticut's privacy laws took effect on July 1st. There's the other news item I was looking for. They've decided, the court has decided that California needs to delay enforcement of the C P R A, the new provisions they were to go into effect on July 1st. So there is a delay there. prepare for that one. Let's see, what's this one? Was it Nigeria? Is that what I saw the news out of? I think I saw
Gabriela. think Gabriela may have posted something on Nigeria. And. Basically looking into it because the Nigerian d p a nixed is the word that is used, nixed the bank directive to collect customer social media accounts. So it was a directive that was issued by the Central Bank of Nigeria to collect their customer social media handles. It was ruled illegal by the Data Protection Commissioner. So not that that is huge, huge news, but we always love it when there are. Clarifications, especially when something like, you know, using people's social media handles from banking in financial transactions. So that's interesting there as well. I'm sure there are other things that have happened in this past week all over the world. We're bringing some fabulous guests on in the next few weeks, so look forward to hearing from them as well.
And if there's a topic in particular you want us to talk about in depth, let us know as well. Just to make sure y'all know, we are monitoring the privacy law developments in the United States and all the states that have passed. So at the end of this year, when all the states are done with their privacy legislation, we will do a show for you analyzing the different state privacy laws and what's gone into effect or when they were going to effect and what the differences are.
[00:36:40] Paul: And on that note, we'll wrap up another episode of Sirius Privacy. Thank you as always for listening to us and sharing this episode with your friends and colleagues who are also very much into privacy and data protection developments. Join the conversation if you want on LinkedIn. You'll find us under Sirius Privacy.
You'll find us on Twitter and Macan. Myself is Europol, b k as Heart of Privacy, the podcast at Podcast Privacy. You'll find us, you know where to
[00:37:07] k: You can't miss us.
[00:37:08] Paul: week, goodbye.
[00:37:09] k: Bye y'all.