Serious Privacy

A good week in privacy with Paul and Dr. K

August 10, 2023 Paul Breitbarth and Dr. K Royal Season 4 Episode 29
Serious Privacy
A good week in privacy with Paul and Dr. K
Show Notes Transcript

In this episode of Serious Privacy, powered by TrustArc, Paul Breitbarth of Catawiki and Dr. K Royal sum up recent developments in privacy, including Meta's intent to change its legal basis and offer Europeans a choice, a notable breach in the United Kingdom involving a former politician Nigel Farage and a CEO resigning due to a breach, a TikTok decision about its practices with minors, new U.S. state privacy law, and the proposed India privacy act (now passed that quickly).

We also discuss California's ide


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note, this is largely an auto-transcription. For accuracy, listen to the audio

[00:00:00] Paul: This week, the U. S. state law counter goes up to 12 and maybe even 13. Will California get its own adequacy decision? New U. S. data breach requirements and a notable breach in the United Kingdom involving a former politician, as well as another EDPB dispute resolution decision. In the next 35 minutes, you'll hear all about it.

My name is Paul Breitbart.

[00:00:35] K: And I'm K Royal and welcome to Serious Privacy. So Paul, after everything we've talked about the past few weeks was fabulous guests, it's another week in privacy with just me and you.

[00:00:46] Paul: It is, although probably it's more another six weeks in privacy to catch up on everything that we've missed, despite it being summer.

[00:00:53] K: oh my gosh, right? Okay, first unexpected question.

Do you remember any activities you did in kindergarten?

[00:01:03] Paul: yes, I do, because that's something that... My mom reminds me of as a sweet childhood story every once in a while. And that is that I actually stole a button.

[00:01:14] K: You stole a button?

[00:01:16] Paul: I stole a button. We were making things in kindergarten. I don't know, I don't remember exactly what, but there were buttons there and there was one in blue and green that I really liked. So I took it home. And when then was. I was told by my mother that I had to give it back to the teacher with apologies that I could not just take things Home that I liked without asking or without paying.

[00:01:43] K: that is so

[00:01:44] Paul: So it was a good lesson But yes, that is something I do remember because I'm reminded of it every once in a while

[00:01:50] K: Oh, my goodness. 

[00:01:50] Paul: That is by the way the end of my criminal career.

[00:01:53] K: That was the beginning and the end, huh? I don't need to turn you over to Interpol?

[00:01:56] Paul: You don't

[00:01:58] K: My memory comes at probably about the same age. It was, I was five years old, but I was in first grade. The biggest memory I have, and I was sent to second grade for a lot of my classes. So here was this girl who was in school younger than she should have been and also going to classes above. So I wasn't at the same thinking level.

As some of these kids and when the teacher said no talking, I whispered and I got in trouble and when she told me that she said no talking, I said, but I'm not talking. I'm whispering.

[00:02:33] Paul: Smartass

[00:02:34] K: I got, yes, and I got put into time out

to that day. It sticks with me that I must have always been just very. Precise on those use of words

[00:02:47] Paul: And also very talkative

[00:02:49] K: probably to that too. Yeah, we're gonna skate past that one. All right, let's talk about some fabulous things that have been going on or maybe some not so fabulous things.

[00:02:58] Paul: Well, let's start with one of the fabulous things, and that is something that our listeners have already noticed at the start of this episode. and that is that we have some advertising.

[00:03:08] K: we do we are now officially sponsored by TrustArc. You will hear the powered by TrustArc for us I mean everybody knows we're raving fans anyway But the good thing is TrustArc worked with us to develop a sponsorship package that we're doing. And this means that one, I might be able to go over to Europe for the Stockholm conference.

Although probably not business class. Two, we might be able to get some little swag for our listeners when we're around. Three, we might be able to hold like a coffee, get together when we're at conferences for our fans, which would be pretty fantastic. And Paul and I will actually have some real podcast equipment

[00:03:49] Paul: And all of that is indeed very helpful to continue working on the Sirius Privacy Podcast. So yes, we are still here to stay. We're not going anywhere in the foreseeable future. 

[00:03:59] K: And we're not getting rich off of it. So

[00:04:01] Paul: Oh no, but it covers the cost and that's already a big step after doing this out of our own pocket for the past three and a half years.

So thanks a lot to Trust Stark for believing in us, for sponsoring us. and yes, you will hear the ads both before and after the episode. So also stay on until the the final words have been said at the end of the episode. advertisement will change every couple of weeks so that you also hear something new.

And it might be at some point that there will also be some giveaway from us at the end to make sure that you actually will be listening. So,

[00:04:35] K: that part's a surprise to me, but I will say you won't hear a difference in the actual podcast. Paul and I will still be doing what Paul and I do and say what Paul and I say. So that part's not going to change. 

Fabulous. 

[00:04:48] Paul: And you will still hear us laughing as well.

[00:04:51] K: Oh my God. Yes, you still will. You still will. I am going to Stockholm at the end of September.

I'm bringing my husband. the flights are booked. We're ready to go. So I'm very excited about that. Paul and I are going to be speaking at the Nordic Privacy Arena, September 24th,

[00:05:07] Paul: 25, 26, I believe, but in the final week of September.

[00:05:11] K: and we were invited to do basically a podcast episode on stage as one of the sessions. And so we're looking forward to that. I don't know if Paul has thought about what we're actually going to talk about. There's probably a particular topic we're supposed to do, but we will record it. And if we don't push it out as a regular podcast, we will push it out as a special episode.

So you'll have that as well. But we are very excited about that. I've never been to Stockholm, so I'm, I'm triple excited about that. Flying in the cheap sheets, cheap, cheap seats, but I think we're in a bulkhead row. So,

although I couldn't get upgraded based on my American status. But it's a member of the One World Alliance, which puts me at a certain status, I think, with British Airlines, which is running all the flights.

So I think if I get hold of British Airlines, I might be able to get upgraded

from them. I have no idea how this all works. Y'all can all tell I'm, I'm, I'm very, like, not knowing, knowledgeable

[00:06:11] Paul: So anybody in British Airways listening to Kay, make sure she gets upgraded.

[00:06:17] K: Exactly. Exactly. Right. Let's, let's see what we can do. I mean, it's not so much for me as my husband. He's six foot two seeing him with a cheap seats is going to be not so comfortable,

but okay. 

[00:06:28] Paul: Enough about sponsorship. There are actually things happening in the privacy world, although not as many. As we've seen over the past couple of months, it is of course summer in Europe, which means that a lot of people, including regulators and legislators, are on vacation.

[00:06:46] K: actually take vacation.

[00:06:48] Paul: Not so much true for the U. S.,

because I do believe you have some updates on state legislation,

[00:06:54] K: we do. So Oregon was signed into law. It happened last week. I think the Friday before last. So you've probably heard about that already. We're still waiting on Delaware. Delaware was passed, I think June 30th out of both houses. They are expecting the governor to sign. We checked as we were recording. We don't see the governor has signed it yet, but by the time this comes out very, very well, maybe.

And if so, that gives us a nice baker's dozen worth of omnibus state privacy laws here in the U S. So excited about that. It's supposed to, Delaware is supposed to very closely resemble Connecticut. But if this puts us at 13 state omnibus privacy laws, none of which have created a private right of action, none of which have created a consumer privacy oversight office like California.

So that still stands unique. We do see,

[00:07:46] Paul: to Europeans.

[00:07:47] K: yep, we do see a lot of back and forth on, Whether or not there's a right to appeal if an individual right has been declined for access or something. Some have appeals, some don't. We do see a little bit of differences in the definition of sensitive information, although there's pretty standard definitions in there.

Almost all of them. I don't think I've seen one yet. I'll have to go back and check. I don't think I've seen one yet, but I think they all include data from children. But they do differ, as I think we've covered in a podcast before, they do differ on whether or not they define children as under 13 or as per COPPA.

So, I think there was only one per COPPA, which was actually a pretty brilliant way of doing it. And then there's back and forth on whether or not the sale of data is just for money or if it's for, Something of valuable consideration, but almost all of them have the right to opt out of targeted advertising and profiling.

So, you know, these are coming into effect in 2024. I think a few of them are in 2025. Once you pair those up with some of the other state laws that are passing, you, you've got a lot that you need to work into your privacy program.

[00:08:56] Paul: Yeah, and I mean, by now, 25% of the U. S., at least in terms of numbers of states, will have a data protection law.

[00:09:05] K: Right.

[00:09:06] Paul: And that is a good development, I think, and may also start pushing the federal level to start acting, or at least consider acting, a bit more. With all the differences also for us businesses, it becomes much more difficult to be compliant in all of the States. And so there is a lot to say for an omnibus federal privacy law,

[00:09:29] K: Yeah. Keep pushing it. Right. Keep pushing it. Hopefully we'll see something there. And now with the thingy, actually official. Which, by the way, yes, if there is a seal for the thingy, then Paul and I are gonna bring you stickers with a seal named thingy on it. I, I, I gotta figure out how to make that happen, but we're gonna bring you a thingy seal.

[00:09:48] Paul: Absolutely. In blue and pink, of course.

[00:09:50] K: in blue and pink, of course, cause, yeah, 

[00:09:52] Paul: So, okay. One of the things you mentioned when we were preparing for the episode is that California is still considering to apply for an adequacy decision.

[00:10:00] K: Yes! Which kind of boggles the mind how that's going to happen, cause you and I talked about that two years ago? Season two or so? We talked about it and it doesn't seem like it, but for some reason, they're thinking this is going to be a thing that can be supported and that they could see about trying adequacy.

How would that work on the European side? I mean, isn't it on a national level?

[00:10:26] Paul: No, it can be a regional level. So in theory there is a, there is a possibility. It can be regional. It can be sectoral. I mean, we've, we've seen the discussions with Quebec in the past, and we've got PIPEDA, which doesn't apply in all of Canada. So there are possibilities for that. And with the safeguards of the data privacy framework in place, especially the executive order, 1486, 14086 that might go a long way.

The biggest challenge is that California does not have privacy safeguards for Europeans.

[00:11:03] K: That's always the big catch, isn't it? We, we roll it out across our own citizens or our own residents, but we don't, we don't include the others. And whereas GDPR protects the data of anyone, if that data is processed in Europe,

[00:11:16] Paul: and that's also how it should be. I still don't understand the logic of making that distinction, especially looking at your Bill of Rights. I've said it before. Your Bill of Rights says that all men are created equal, but apparently...

[00:11:29] K: States men,

[00:11:30] Paul: But apparently that is not the case for people that are not a U.

S. resident at, at, with a long term status. So I think that it will be the biggest challenge, actually, for California.

[00:11:42] K: California can probably fix that. I mean, let's be honest. They probably can. Where I see the biggest challenge coming in is. So a company says they are California compliant or C C P A compliant, which makes them adequate to the European requirements, but they don't operate just in California.

[00:12:02] Paul: No, so there is also the onward transfers issue. But that can be solved in the negotiations on the adequacy decision, as we've seen, for example, for Japan.

[00:12:12] K: right.

[00:12:12] Paul: The Japanese government adopted an additional statement on onward transfers that satisfied the European Commission. So, something like that could work in the case of California as well, once they have gone over the hurdle of the application of the CCPA.

[00:12:31] K: But would that satisfy the controllers requirements? If the processor is in California and the controllers in Europe, is the controller gonna trust in the adequacy decision? Or as we're seeing, are they going to rely on all of this work that they've put into their DPAs and their standard contractual clauses?

And, you know, I just don't see it going as smoothly as, as maybe Pollyanna thinks it should.

[00:13:02] Paul: No, probably not. And, I mean, the main question is why do you say that? still wanted if there is a data privacy framework with self certification, should that not be enough? Is it because it is California and is that then more secure to have separate California adequacy? Would that be more secure in case of an annulment of the data privacy framework?

That would imply that the expectation is that the framework will fail under the commercial clauses and not under the national security clauses. Because if it's the national security side. Then this is not something that California in itself can solve

[00:13:38] K: right? And. It might be a strategic thing as well for California because over COVID, we saw a lot of businesses exit California and get established in a lot of neighboring states, Arizona being one of them that absorbed a lot of California business.

[00:13:54] Paul: for cheaper housing.

[00:13:55] K: move to get them to come back.

[00:13:57] Paul: Yeah, it could be. But is it possible on the U. S. side? That is, that is my question because as far as I know, U. S. states are not allowed to conduct foreign policy themselves.

[00:14:07] K: No, that is reserved to the federal government.

I guess it's not reserved. Reserved would be to the states. It is clear in the Constitution, but you know, it may just be all smoke and mirrors trying to get people to talk about it as well. But knowing California and some of the people there, Tom Kemp that you spoke to as well, if there's a way to do it, I bet they would try to find a way to make it happen.

[00:14:32] Paul: well, I think it's, it's a good idea to at least try it, but there are quite a few of, quite a few hurdles that still need to be taken before it's a done deal. And I can imagine that it would, for example, require some sort of authorization from the federal government or from Congress for California to do this.

Not saying that they are not able to get that, but

I don't think this is something that we'll see in the foreseeable future. Also looking at the whole list of countries that the European Commission is currently negotiating with. I know that all of the reviews are still ongoing on the pre GDPR adequacy decisions.

We have talks ongoing in any case with Brazil with Mexico. So I believe also with some African countries which would then likely include Kenya and Ghana. So there will be quite a few others that that take priority over California, especially because there is already a data privacy framework now in place which covers all of the U.

S. as long as companies self certify. So this isn't something that we should expect in the next couple of months.

Okay, bad. What, what will happen sooner? Federal privacy legislation or California adequacy?

[00:15:51] K: Oh,

we're going to see more action on the federal

[00:15:56] Paul: No, no, that's too easy.

That's all talk and no, and, and, and, and

[00:16:01] K: This is complete random flip a coin. I want to see a federal law so bad. I'm going to say a federal law,

[00:16:07] Paul: Okay. Fair enough.

[00:16:09] K: but it really is a random flip of the coin. God help us because neither one of them's likely to happen, but okay. But also on the federal side what a lot of people have been seeing lately is on July 26th.

The U. S. Securities and Exchange Commission adopted rules requiring their registrants, publicly traded companies, to disclose material cybersecurity incidents that they experience, to disclose them on an annual basis, and also to report them, I believe, to the SEC within four days. So this the EU, except for this is limited to the SEC and this is limited to publicly traded companies.

They've been talking about this for 

[00:16:51] Paul: US publicly traded companies or companies

[00:16:54] K: registered with the SEC. Yep.

[00:16:56] Paul: with the SEC.

[00:16:57] K: Yep. Exactly. So not just US publicly traded. I don't believe, I think this will roll up. Anyone registered with the SEC is a foreign publicly traded company. But one of the things that's interesting that they've been talking about for so long is that they actually did go and review the re, the reports that the companies file annually.

And most of them do disclose breaches. However, it says in there that they bury it among other information. So you don't really comprehend the seriousness of the breach that they're reporting as a material impact because it's reported in so many different ways. So they're trying now to make this consistent, make it mandatory, but along with that, well, okay, let, let me talk about that a little bit more with this comes the requirement to have someone or your entire board.

Okay. Educated on cyber security for companies doesn't mean that they need to be educated to the point that they're directing what happens, but they need to take an educated involvement into it asking for cyber security. What are the protections in place? What data do we have protected? Do you have data classified?

They need to be asking these questions. Now, I will say this is another bump up for people on the technical side of things. To get more time on the board, to maybe push boards, to have more people that are educated in cybersecurity. I still want to throw out there that privacy has a big role to play here.

 Whether it's a privacy professional or privacy lawyer, But they need someone who understands the privacy laws 

 But on the other hand, they're making big strides in the part that is critical right now, which are the breaches that are happening to companies. So it's going to have a lot to do, and by the way, it goes into effect essentially, I think it's December 1st of this year, but then it rolls for your, your years as appointed to your that your companies are set up for.

But

the earliest is December 1st. 

[00:18:56] Paul: so just to summarize, you need to report every single cyber security incident that you consider to be material within four days to the SEC, and you need to have a public report or a page in your public annual statement describing all the reports that you filed with the SEC, and that comes on top of all the state legislation requirements for notification of breaches.

[00:19:18] K: along with the requirement that your boards must be in the know.

So this, this is a big push on that side. But, at the same time, there is a battle right now with the SEC and Covington. So the law firm, Covington, had a breach and the SEC is ordering them to disclose the names of the seven clients that were impacted by that breach.

[00:19:39] Paul: to publicly disclose or just to the SEC.

[00:19:42] K: just to the SEC.

So they're saying that Covington and Burling must disclose to the U. S. SEC the names of seven clients whose information may have been exposed in a 2020 cyber attack that impacted the firm. This was U. S. District Court Judge Amit Mehta. And so it is really interesting to see how this works because I know that attorney client privilege doesn't work the same around the world, but here that could be violating attorney client privilege,

[00:20:15] Paul: Hmm, interesting.

So what does The American Bar Association think of 

this? 

[00:20:22] K: the ABA, I, I don't even have to pull up the stuff to tell, ABA is supporting the law firm.

I mean, I

don't 

know if they've come out with a public statement. 

[00:20:31] Paul: this can be a nice battle?

[00:20:33] K: don't know if the ABA has come out with an official opinion, but if they were going to, I would absolutely, T totally, T totally, hands down expect them to support the law firm right to not disclose the names of their clients. Although it is typically accepted that if there is a legal oversight.

Activity going on that attorney client privilege can be forced to be broken. There's nothing's ever a complete and total impossibility. But

[00:21:06] Paul: course, nothing is absolute.

[00:21:08] K: I don't think they should have to disclose the names of the 7 clients either. So, but my word really doesn't mean anything to the FTC or Covington or The SEC. anyone else.

[00:21:21] Paul: At least not yet. 

[00:21:22] K: At least not yet. So the other thing, and I wanted to bring this up quickly, and then I know we have some others there was an open letter sent to law schools headed by Dan Solop and Paul Schwartz, I believe, encouraging law schools to develop courses on privacy and to hire professors who can teach privacy.

I believe the open letter went out before COVID started, and then that changed everything. So now they sent out a reiteration of the letter, and I know some law schools have responded and said, yes, we've hired someone like our friend Wayne Unger, who was just hired as a tenure track professor at how do you say it, Quinnipiac

Law School?

And so, that law school has stepped up. They've hired Wayne. They've developed more courses. They have that. You know, that's a dream of mine to be a full time professor. I don't know if it's at a law school or not, but teaching privacy law, whether it's global privacy, health privacy, consumer privacy, cyber law, the business interests in privacy, it's just a big time dream of mine.

So, law schools, whether you hire me or not, Hire someone. Hire

[00:22:29] Paul: Yeah, that's... 

[00:22:30] K: privacy. This is a big thing globally. We've been telling y'all for years this is a big thing.

[00:22:36] Paul: It is, absolutely, and it's... It is important that we, that we also teach this in academia and that we talk about it and not just teach it, but also do more research because there are so many, so many very fast developments in this space. I mean, I know that it's one of the youngest fields of laws of law with over.

just over 50 years of history. But we, we really need more research. I know when, when I was at the Dutch TPA about 10 years ago, we complained that we needed more case law. Well, that part has been largely solved by now with the number of cases that at least we see in Europe on, on privacy and data protection issues.

But, we also certainly need more academic research.

[00:23:21] K: Well, and it's not just that. It's the fact that we have judges who don't understand it, who are making the case law. And no, judges don't have to understand every piece of law that comes in front of them in order to render a just decision. Learn But it really does help if they're somewhat familiar with it.

[00:23:39] Paul: Well, or if if they can invite an expert, I don't know what it's like in the U. S. Despite all the U. S. Law TV shows that I've watched over the past decades. But in the Netherlands, judges also allowed to ask an expert to be heard in in the court. And I assume that's the same in the

[00:23:57] K: yes. 

[00:23:57] Paul: the judge can ask or maybe even a jury can ask.

Can we hear from an additional expert to tell us on this point of law?

[00:24:05] K: But I will say, when you hear of those, you're reading the opinions coming out of at least courts of appeals. Original judicial decisions are rarely published. So the, the trial court decisions and what they're looking there, of course they can bring in experts. The law firms or whoever's involved are going to bring in experts.

But what about the ones that are just between small businesses? 

[00:24:28] Paul: Yeah, but then if, if the judge says, I don't, I don't understand this issue of law because I've never learned about it it would be good for the judge to say, hey, I invite an expert to testify in court.

[00:24:40] K: and in a lot of courts that probably can happen, but I got a feeling that in a lot of the trial courts is not likely going to happen, especially things and I mean, okay, maybe this isn't a big deal to people, but small claims courts that are less than 5, 000 where the parties aren't allowed to have lawyers.

[00:24:57] Paul: There is no time, there is no budget. 

[00:24:59] K: most cases, I don't know the law of all small claim courts across the U. S., but I mean, I wouldn't imagine it would be dissuaded, but the judges don't have the time or the energy to call in an expert to, to look at issues like this. So, it's, it's interesting. I think the more that we can educate our legal profession on this very critical piece of young law that's coming out, I think the better the profession will be 50 years from now.

[00:25:24] Paul: So also to be included in the continued education programs,

[00:25:28] K: Yes.

[00:25:29] Paul: especially also for the courts.

[00:25:31] K: Yes, exactly. Well, and one of the professors that I work with, the head of the Center for Law Science and Innovation, Gary Marchant, he does go speak at judicial conferences and help train judges up on this area of law, but it would be, I mean, yeah, it's, y'all need to, law schools need to hire privacy people.

[00:25:50] Paul: Yes, there we agree.

[00:25:53] K: All right. What have you got going on on your side of the

[00:25:56] Paul: Well, a few quick updates. First of all there is a decision coming up on TikTok processing personal data of minors because the EDPB announced on the 3rd of August that they have settled a dispute between the Surprise, surprise, the Irish DPC and the rest of the data protection board on the interpretation of the law and also on the sanctions this relates among other things on to, to data protection by design.

data protection by default with regard to age verification. Also, whether there is an interference with the principle of fairness when it comes to certain design practices. So, the final decision should be out in a month or So, 

[00:26:38] K: Okay. 

[00:26:39] Paul: when we, when everybody goes back to school early September, we should have more clarity on a sanction on TikTok.

[00:26:46] K: I just wish it would go away. I found out the other day, my daughter uses TikTok. I was like, have you lost your ever loving mind? She thinks I'm just paranoid. Well, that might be, but paranoid doesn't make it not true.

[00:27:00] Paul: No. And of course this decision will only apply prob well, will likely only apply to the European Union and not to the US because the way these companies implementing these decisions, and that's the the other fun point that is being debated right now in Europe, not the European Union in Europe, because meta announced.

Earlier this week that they will once again change the legal basis for their online behavioral advertising practices.

[00:27:27] K: To what?

[00:27:28] Paul: And after relying upon performance of a contract and switching away to legitimate interest in March of this year, they have now announced that they will switch to consent.

finally, I would say,

so it will be, 

[00:27:43] K: I'm kind of skeptical. 

[00:27:44] Paul: everybody is kind of skeptical because it's for certain online behavioral advertising practices without specification what that certain is.

It is for people that are resident in the European Union, which as you and I know, is not a criterion that is valid under GDPR. And we do not have any further detail that will take further months. To clarify also in conversations with the Data Protection Board and the Irish DPC.

[00:28:11] K: Wow. 

[00:28:12] Paul: but NoIP is already raving that at least it seems that Meta has seen the light and complaining that they don't do it right.

we'll see what happens there.

[00:28:23] K: see the light, but oh no, not that light.

[00:28:25] Paul: No we'll see what happens there. And of course the UK is now complaining that they are not being regarded as part of the European Union, because this will only apply to EU countries and not to the UK, which has the same legislation still as the EU member states.

[00:28:40] K: Well, jump on the bandwagon then, because you ain't part of the European Union.

[00:28:45] Paul: so it's META seems to be Readying themselves to start making some changes but it's doubtful whether it's enough. Also in light of, of course, the META v. Bundeskartellamt decision that we discussed a couple of weeks ago with Gabriella and Romain.

[00:29:00] K: Yes.

[00:29:01] Paul: it's it's interesting to be continued, I'm pretty sure.

[00:29:05] K: You know, they're going to go down in history, not as the biggest social media of all time, but as the most number of court cases under privacy.

[00:29:15] Paul: Quite possibly, yes.

[00:29:18] K: But. I'll be honest, there are good people working there trying to do the right thing.

Some very good professionals that Paul and I know personally, as well as others. It's not like there's this big corporate mega mindset that says, Ooh, let's go violate things.

[00:29:39] Paul: Well, I think that's to some extent also there, but... So that's different divisions.

[00:29:44] K: Exactly.

[00:29:45] Paul: So one more thing from the UK, and this, this really made me laugh and made me sad at the same time. Because for the first time in history at least that I'm aware of CEOs have resigned because of a data breach. and this is a data breach involving Nigel Farage, also known in the US the former leader of the UK Independence Party, the man who is the instigator of Brexit.

He lost his bank account with a UK private bank. And he was very vocal about that. And he gained access to some documents that among other things showed that the bank considered that his political point of view could be a risk to the reputation of the bank. No surprise there, I would say, but okay, that is, could be a reason.

So there was a discussion in the media about that and can you close a bank account of somebody because of their political views. And apparently a source from within the bank had said to the BBC, oh, but that was not the only reason. It was also because Mr. Farage did not have enough money to be able to bank with this private bank.

Of course, thus disclosing another

[00:30:59] K: Yes.

[00:30:59] Paul: amount. of personal information, talking about somebody's wealth in a very identifiable form, even though it was an anonymous source. So the anonymous source apparently was a senior employee of one of the banks in this group. They resigned but also the CEO of the private bank and the CEO of the mother bank all resigned because of of this media storm.

And Mr. Faraj still does not have his bank account back, but he has created a new source of revenue for himself to get back to the status maybe where he would be entitled to bank with a private bank again because you can now subscribe to his Twitter feed or X feed To get personal updates from him and also advice on what to do when you have a problem with your bank 

[00:31:48] K: Can't you just follow him on Meta and or

whatever and get 

the 

[00:31:53] Paul: no because then he cannot make money of you. So he found another way to do people into doing things that they

[00:32:00] K: Oh,

[00:32:01] Paul: do. I think Brexit is a fair warning that Mr. Farage has some strange ideas.

[00:32:06] K: Yes, yes, I think it is. So, it may have not have been an earth shattering episode, but oh my gosh, was it not a fascinating one?

[00:32:16] Paul: There are some pretty strange stories. One more thing that happened in the past week. We finally have a draft Indian Data Protection Bill.

I have not read it yet. I have only seen that it's out. So we'll wait a bit to see whether it actually moves forward in Congress. But if it will, then of course we'll do an episode with a local expert to discuss it in more detail.

[00:32:38] K: Yes. And to my knowledge, there are only four U. S. states pending still with bills active in committee. I, there may be some states we still have things, so we may be looking in the next month or so of doing that update for y'all on the U. S. state laws or going through all the, the state bills,

[00:32:55] Paul: And on that note, we'll wrap up another episode of Serious Privacy Powered by TrustArk. Thank you all for listening to yet another episode. You will find Kay on social media as HeartOfPrivacy, myself as EuropolB. Join the conversation on LinkedIn, you'll find us there also under SiriusPrivacy. Until next week, goodbye!

[00:33:16] K: Bye y'all.

[00:33:17] Paul: Oh, and stay tuned for the final advertising!