Serious Privacy

Privacy Popcorn with Paul and K

August 16, 2023 Dr. k royal and Paul Breitbarth Season 4 Episode 30

In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal share a healthy serving of privacy popcorn featuring India’s new law, Georgia's new law, Meta news, Argentina and Kenya and Worldcoin, China, NIST Cybersecurity Framework call for comments, and more, including California's adequacy decision from the Dubai International Financial Center.


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is largely an auto-transcription. For accuracy, please listen to the audio

S04E30 - Privacy Popcorn

Paul: [00:00:00] In this week's episode, another round of updates on what is happening around the world. We have a surprising adequacy decision from the, by some #GDPR fines on the horizon, registration requirements, #databreaches, and new laws in #Georgia and #India, as well as some other tidbits. So did you think it was a quiet summer then? Think again. My name is Paul Breitbarth.

K: And I'm K Royal and welcome to #SeriousPrivacy. So Paul, I think there have been some things that have happened that just kind of jumped up and bit me this past week. I wasn't expecting them. I guess maybe I should have been. We're supposed to be omnipotent.

Paul: Well, I mean, this is August, so it is supposed to be quiet. Yes, this is my European perspective, but August is supposed to be quiet. Nothing should be happening. No major events should be [00:01:00] happening. And yet we have a full episode.

K: And we have a full episode. We might just have to put our hands in the cookie jar, haha cookies, and pull out the one that we like the best to talk about. But let's go with an unexpected question. If you had to eat one vegetable for a whole month and no others, what vegetable would you eat?

Paul: Oh, that's a horrid question. Looking at the weather, is it a type of vegetable or one, one very specific vegetable?

K: Can go with type. I'm okay with that.

Paul: Well, then probably I would go with lettuce for the summer. Because then with all the different varieties of lettuce, you can still have some variation. And especially now in the summer then, then that's actually, I think that would be doable. If not that, then probably eggplant, because it's...

K: Okay.

Paul: you can still use in lots of different [00:02:00] ways and have some variety on your plate.

K: Very

Paul: So how about you? 

K: My brain has been running amok with potential answers and it might have to go with tomato, which is really a fruit, not a vegetable. So I'll start some controversy here, it means I can still have pizza and spaghetti.

Paul: That's true. Although you can have those with eggplant not so much I guess with lettuce but

K: Right, right, but yes, spaghetti with lettuce would be, would be really interesting. I don't know. That one, it didn't come from the book. It just came off the top of the head. Okay,

Paul: And here we are, Serious Privacy cooking show again.

K: Exactly. One day it's gonna happen. Let's go to the news. So, there are some things we can just throw at you that these things happen.

Go look them up. Make sure you don't miss them. And then some other things that we'll talk about. So, there are some pretty significant ones to talk about and I know which one's top of my mind.

Paul: Go ahead.

K: What about you?[00:03:00] 

Paul: No, you go first.

I've got, I've got a few in mind. I've got a whole list of things that happened that are interesting or noteworthy. But you seem to, you seem to be very eager to discuss one, so go ahead.

K: One is just, it really, when I saw it, I was like, what?

So the #Dubai International Financial Center (#DIFC) has recognized #California as #adequate. It has given them an #adequacy determination, and I was not expecting it. The headline is first-of-its-kind adequacy decision regarding the California Consumer Privacy Act (#CCPA).

That, that one just kind of hit me out of left field. I mean, last week we were talking about California, talking about trying to get adequacy. Didn't occur to me adequacy to Dubai's International Financial Center. I mean, it's, it's momentous. It is absolutely momentous. So they recognize what they call the amended CCPA and the [00:04:00] California Privacy Protection #Agency (#CPPA) as an international organization ensuring adequate data protection for purposes of personal data and transferring it across borders.

And it says it meets all the requirements of it and the fact that they're, you know, membership in several international,

Paul: Mm hmm.

K: Efforts as well, but this one hit me out of left field. I'm not going to lie. I'm like, what, but interesting. So how does this tie into what we were talking about last week about rumors of California potentially seeking adequacy under #GDPR?

I mean, this kind of bolsters up that effort.

Paul: Yeah, I think, I think a few things. First of all, the, the whole process on, on adequacy for the DIFC we discussed a couple of weeks ago with Laurie Baker as well. So if you haven't listened to that episode yet, I recommend you do when it comes to DIFC and adequacy. The way [00:05:00] I read the adequacy assessment is that this is a unilateral determination by the Dubai commissioner.

So there was not a request from California. Hey, guys, can you please give us adequacy? Which is the habit for European adequacy decisions. This looks like it was the own initiative of the Dubai commissioner, or at least their office, to start an assessment for California, given that it is a major new privacy and data protection law.

I'm still a bit 

K: Right. And California is a huge, huge contributor to world finance. I mean, a lot of moving and shaking.

Paul: are, and

K: Pardon the pun.

Paul: Yeah, and, and, and you know, I'm still a bit surprised, and that is mainly for what I also mentioned last week, and that is the scope of application of the legislation: it would not apply to the data of people in Dubai, even if that data is transferred to California. [00:06:00] So from that perspective, I think it's a little strange. Of course, when you look at the levels of protection offered by the CCPA and the CPRA, and together the amended CCPA and the regulations, I think

Most of us will agree that it does offer a high level of protection, and that also last week was not my concern. It is the scope of application, and the fact that, at least from the European perspective, an adequacy decision would likely be a longer conversation, also with California authorities, which could lead to the idea that California would be conducting foreign policy, which they would not be allowed to do.

in the United States. So, I think it's a bit of a mixed bag. I think it's laudable that the DIFC is looking at all these laws and conducting their assessments. They, they have their Ethical Data Management Risk Index that they use, their standardized [00:07:00] approach for how to assess all these third countries.

And I think this document that they published, the adequacy assessment itself, it's 32 pages, it's fairly granular, is also a good example for at least Middle Eastern companies to see, okay, so what are we supposed to do when we start looking at data transfers to other jurisdictions?

K: Yeah.

Interesting. Very interesting. Okay. So now let's go to the list that we kind of prepared to talk about because that one just hit me by surprise this morning. I checked on Delaware. I do not believe the governor has signed Delaware's privacy law yet, but I'm checking once again while we're live.

Nope. I don't believe the governor has signed. So still waiting on that one, and I haven't seen any significant progress on any of the others.

Paul: The tally is still at 12 to 

K: Yeah,

so just a holding pattern on that one. That's fine. There's still four states that have bills in committee that haven't come out of committee yet.

I haven't gone and looked up each one to see how far [00:08:00] close they are. And I believe there is one state that still has the possibility of a bill being proposed this late in the year, but not going to hold my breath on that one. Although the U.S. government

Paul: Still, we've seen a lot of progress that we did not expect for this year.

K: Absolutely. That was not my number.

I don't think I chose six or seven. That wasn't my number. We might have to look at that again for next year, but the U.S. government has some proposed changes to COPPA, so calling it COPPA 2.0. More than likely addressing, because I haven't gone and read this newest version that's proposed, but if it's anything like the other versions, it's mainly proposing some tightening language and then increasing the age that it applies to.

Paul: Okay. So another update. A couple of weeks ago, we spoke about the Norwegian suspension of data processing by Meta that was announced. Meta had until the 14th of August to [00:09:00] comply, and it is unlikely that they will. Meta is not very responsive to the requests from the Norwegian Data Protection Authority.

And that means that as of 14 August indeed the Norwegian DPA will start levying their fine of 1 million Norwegian kroner per day, which is about a hundred thousand dollars or a hundred thousand euros. So that's as of next week, and Meta has announced some changes and has said that they will start moving towards consent-based advertising. That dates back to the Irish DPC decision from back in January of 2023, but that they will take various months to make that happen.

We discussed that last week as well. That is taking too long. So the Norwegians will push through and also start levying the fines, collecting the fines, at least until November 3rd or until such time that Meta will comply. And we know that in the, in the meantime, likely early [00:10:00] September, the European Data Protection Board will also discuss the Norwegian decision and see whether it should be extended to the rest of, to all of the European Economic Area.

So that for

K: Yeah, it's interesting watching the progress because that was a five year lawsuit going on for a long time now.

Paul: I think it's even longer, but yeah, this has been going since forever.

K: Speaking of Meta does bring to mind California. Also, the California Privacy Protection Agency did announce that it will review data privacy practices for connected vehicles.

So your connected vehicle technologies, your internet of things, because everything in that car is connected. Your entertainment, your phone, your location, the cameras that are in there, all of these. So they are taking a particular interest in that and as we've seen for some of past efforts of the CPPA.

Once they take an interest, they will move towards enforcement.

 So, [00:11:00] that's going to be interesting to watch there.

Paul: Yeah, other enforcement on the horizon comes from the Channel Islands, and in this case especially from Guernsey. As you may be aware, in the Channel Islands, both Jersey and Guernsey, like in the UK, you are still required to register with the Data Protection Authority and also pay an annual fee if you have business operations there, whether you are established on the island or just do business on the island.

You need to register with the data protection authority. Guernsey has now announced that they will start taking legal action against companies that have failed to register. Jersey has not taken that decision yet, but it might also happen, of course, in the future. But this is something that organizations should be aware of.

There are other jurisdictions in the world. I believe Turkey also requires registration. There are others. So if you do business outside of the European Union, outside of the United States, always do check [00:12:00] if there is a registration requirement with the local data protection authority. They will check companies registers.

They will check websites and local activity to find out if you are open for business in that jurisdiction. And if you are, and you have not registered you may get a friendly request to do so after all. You may get a warning letter, but you could also be sanctioned with a fine.

K: Okay. Good. Good for them.

Paul: So that's another one. Then while we are in the English-speaking world, two major data breaches. Last week, we discussed the bank that disclosed information about Nigel Farage. This week we have the Electoral Commission in the United Kingdom that, that keeps the electoral roll.

K: about that one. 

Paul: They have been subjects of a complex cyber attack, or so they claim.

So they've been hacked, basically. How complex or not, every company and every organization always claims it's complex. So that remains to be seen.

K: It's complex for them to [00:13:00] figure out the damage that was 

Paul: Well, that's for sure because it looks like copies of the electoral register from between 2014 and 2022

K: Wow.

Paul: by the criminals.

K: And as you all know, political affiliation and thoughts and everything in Europe is considered special categories of data. So for those of you who in the U.S. are going, who cares if electoral rolls? It matters.

Paul: It matters. And, 

K: We wouldn't like our votes accessed. 

Paul: No, and not everybody should have access to everything, right? And this, this equates to the data of about 40 million people. So it's also a lot of data. It is not yet known whether the information has actually been downloaded or only been accessed. So it's also unclear what could happen with the data.

That's all subject to investigation. So this has actually been under investigation for quite a while already, and as yet it's not clear what, when we will see some of the outcomes. It seems that they first [00:14:00] spotted the attack already in October of 2022, and that by then it had already been ongoing for over a year. So complex, maybe, but also it seems that some of the cyber security systems might not have been completely functioning the way they should have if...

Those kind of alerts did not trigger, were not triggered. So we'll see. Also the Information Commissioner's Office is involved. A second data breach, again public sector in the United Kingdom, happened at the Police Service of Northern Ireland earlier this week. Here it was clearly human error, so no complex cyber attack or something.

There was a freedom of information request about the number of people in each rank in each district. And while preparing the file, also the names and surnames of the police officers and civilian staff were included in the spreadsheet that was made available to the public. Apparently this has only been online for a couple of hours before the mistake was spotted.[00:15:00] 

And of course it is a lot of personal data, but it is, it is, between parentheses, only the names and ranks of police officers, but not, for example, contact details or their personal address. Nevertheless,

K: Or anything like that. Which makes it a little bit...

Paul: Yeah, a little bit less concerning, but still it's a very big data breach, and also this one is under investigation by the ICO.

K: Yeah. Well, and then that kind of brings you back to the MOVEit breach, which is global. So MOVEit, a file transfer technology, that came out, I believe, in June. It was announced. A lot of people dealt with it in July. More and more companies that have been impacted are becoming public. So one of the, the better ones to watch to know what companies are impacted is KON Briefing, K O N Briefing.

That site has a lot of companies listed that have been shown to have been impacted by [00:16:00] the MOVEit breach or the MOVEit vulnerability, which breached the files. And I will say that I think there were 620 companies last listed, and some of them may be double dipping. It may be that a company is impacted because their vendor is impacted and their vendor is already listed.

So some of these may be double dipping in counting how many companies are a victim of it, because it may be they didn't use MOVEit themselves, but maybe their, their vendor did or their fourth-party vendor did down the road. So as companies are researching what's happening with MOVEit they're doing, but I will say that if you go and you look at a lot of the, the victims of the companies that are doing it.

There's a lot of public entities there, government entities there, a lot of universities, a lot of financial entities. So I know that here in the U.S. they've said that retirement funds have been, and then someone alerted me [00:17:00] yesterday that even though their parents got a notification that their retirement fund had been accessed, it said no damage, but then apparently they got ransomware on top of that, so the parents couldn't

see what their records were anyway. I don't know much about that. If anybody does, please let me know. I haven't seen a lot of news on, you know, ransomware from people following the MOVEit breach to be able to get it back. But if you know anything, let me know. I haven't found anything. So it's just, it's global. There is, there are a lot of companies that were a victim of the MOVEit breach. Today or yesterday there was an announcement of the, well, I guess by the time this comes out it'd be a week or so old, of the Intel vulnerability that's out.

I think they're calling it Downfall. I don't know much about that yet. It's not a lot public of what companies are impacted with that one yet, but that's another vulnerability to keep your eye on to find out whether or not your company has been impacted by that. It very well could [00:18:00] be, this could hit your infrastructure.

So make sure you check on that too, but in speaking of breaches and being back here, this isn't really a breach, but it is news. Google had filed for a summary judgment on their illegal tracking when someone entered incognito mode. That has been rejected. So they are, they are still in court on that one.

They will not have a summary judgment, so that might be another one to watch to keep an eye on. I mean, doesn't it seem weird that when we talk about a lot of these things, Paul, it's the same companies over and over?

Paul: Yeah. And then the question is, is that because of regulatory preferences or is it because they screw up so much?

K: Right? Is it because they're so big and they're so massive that their little paws are in everything?

Who knows? Who knows? But it is. All right. India's parliamentary bill moved forward a little bit more. So we're seeing

Paul: Well, it's done.

K: [00:19:00] that one.

Paul: It's a done deal.

K: Okay, that one off? It's done?

Paul: Well, yeah, you can tick the box, because it only needs a signature from the president, and that in India is a formality, apparently. Both the lower house and the higher house have adopted the legislation without any amendments, also without the support of the opposition, so it seems.

It is still a bit of a controversial law but it has been adopted. And we don't know all the details yet. We don't know exactly when it will apply. Hopefully it is not something like the Chinese PIPL that applied almost overnight.

K: Right. That we're still getting clarifications on.

Paul: Yeah, and I mean, it's, it's likely that India's law will apply somewhere in the course of 2024 or early 2025, but we'll invite some India experts to see if they can join us for an episode to discuss this, this legislation in full.

K: And to let y'all know, it was originally [00:20:00] introduced in 2018, and so we've been waiting on this for five years.

Paul: It was introduced and it was repealed, and it was introduced and it was repealed. This version was actually only introduced a couple of weeks ago and has been basically rushed through Parliament, because I guess that they started to realize that being the largest country in the world without data protection legislation in place could also be damaging to their economy.

So the legislation is done. It's there. And once the president will sign, which likely will be in a couple of days' time, so before the release of this episode, India will have their personal data protection bill. And as I said, we'll have more details for you in one of the coming episodes.

K: Okay. And speaking of, 

Paul: And that was not the only new bill that passed, [00:21:00] because we also have a new data protection bill in Georgia, and that is not the state of Georgia, that is the country of Georgia, former part of the Soviet Union in the Caucasus. So they introduced data protection legislation, quite GDPR-like in its setup, so it contains requirements related to individual rights, to adequacy, to legal basis and all of that.

Interestingly, the deadline for individual rights is only 10 days following the receipt of a request, and fines can range to 175,000 euros or dollars, which is 500,000 Georgian lari, their currency. That is a maximum fine that can be imposed. It can be that you also need to appoint a representative in Georgia under this new legislation.

Also here, a [00:22:00] registration requirement will apply if you do business in Georgia, if you process personal data in Georgia. And legal bases include consent, obviously, but also performance of a contract, legal obligation and also certain kinds of legitimate interests

can be used. They need to be important legitimate interests, unless there is the overriding interest of the data subject, but also, for example, public interest can qualify. So indeed, also here it is, it is very GDPR-like, maybe based a little more on the UK GDPR than the EU GDPR by the looks of

K: Okay, good. I think some others that, that stick in my mind. I'm not sticking to the U.S. I'm not sticking to Canada or North America. I'm not sticking to Asia altogether. I'm kind of bouncing back and forth, which is what I felt like in the past week or two with the privacy developments.

But I'll [00:23:00] throw out there that China's Cybersecurity Administration Center has issued draft guidance for service providers that hold data on more than one million people to have at least one compliance audit a year.

So they're issuing some draft rules around that. They also made a clarification on what spying is defined as. So that's interesting when you look at what the service providers need. So it's really interesting there. So for that, so we have a little bit more guidance on China. As you know, recently or not so recently, but in the past little while, they also issued their standard contractual clauses for China, which we've talked about before. But still, if you've got a global program and you're building in your data transfer arrangements, make sure you do account for China's standard contractual clauses as well,

if you have any business there. That also came along the same line as there were some statements [00:24:00] issued on the thingy about how once the thingy is in place and a company is certified under the EU-U.S. Data Transfer Framework, Data Protection Framework,

Paul: Data Privacy Framework.

K: Data Privacy Framework, the EU-U.S. Data Privacy Framework, I know it stands for DPF, the thingy. They're saying that guidance came out saying that once a company certifies under that and they are official, then nothing else is required. They are not required to stick to the standard contractual clauses.

They are not required to stick to others. So this goes along the same concern that Paul and I shared that well, our company is really going to give up their standard contractual clauses and their DPAs that they've negotiated down to the nth degree. You can't say that a DPA is thrown out the door because it wouldn't cover the exact same things.

Paul: Well, I mean, it's still a contract, so the contractual obligations will likely still apply between the [00:25:00] parties. It is just no longer the legal basis to actually conduct the cross-border transfer. And I think that is the, the main difference, but the way that the model clauses have been drafted by the European Commission, they of course also read as a data processing agreement.

For those purposes, they will stand. It is just a contract that has been approved by the parties. It will just, will no longer be a valid legal basis for transfer, similar to the Privacy Shield obligations: following the annulment of the Shield, all those obligations remained in place. They could just no longer serve as the basis for the

K: Right. Exactly. Exactly. But I don't, I don't know how this is gonna go over. I mean, I really don't. I'm, I'm eager to see how it's going to work in practice for companies that have it in place, whether or not the people they have the standard contractual clauses in place are gonna drop them or not. If they don't work as a data transfer mechanism,[00:26:00] 

They're not

Paul: No, I mean, I think the, the existing ones will stay in force. But I also would not be that eager to sign new standard contractual clauses. If a company is self-certified under the Data Privacy Framework, then I'd rather just negotiate a data protection agreement, a data processing agreement, and then actually negotiate and not sign at the dot.

Then, then signing yet another series of standard contractual clauses.

K: which are not commercially friendly whatsoever.

Paul: Yeah, exactly. 

K: Okay, NIST published their draft Cybersecurity Framework 2.0. They're seeking feedback on that. A lot of companies adhere to the Cybersecurity Framework. So if you have thoughts on that and you want to issue it, they have published it.

They're seeking feedback on it. So make sure that you pay attention to that. Can't think of almost anything else. Like I said, it's like privacy popcorn.

Something we may have been watching for years all of a sudden got hot. [00:27:00] 

Paul: Yeah, well, there is, there is one more thing, because NOYB has found another target.

K: Uh oh. Color me surprised.

Paul: Instead of Meta, they are now targeting Ryanair, and Ryanair is a low-cost airline here in Europe. I guess it's a bit similar to Southwest Airlines in the US, fairly low cost, fairly low service. And they want you to book directly through their website or through their mobile app, and to discourage people from booking flights through a travel agent,

they actually installed a, a, a verification process that also involves facial recognition. And you can imagine that NOYB does not like that, because they consider, and I tend to agree with them, that there should be, first of all, no difference whether you book via a travel agent or directly on the website of an airline.

But also that a facial recognition verification process certainly is not something that would be [00:28:00] necessary. So a verification via biometric data, which is also special categories of personal data if used for identification purposes, seems a bit, a bit too drastic.

K: Yeah.

Hmm.

Paul: And this file has been filed. This, this complaint has been filed in Spain, again probably also to test the cooperation mechanism of the data protection authorities. And NOYB has calculated that, based on Ryanair and Ryanair's turnover in 2022, the maximum fine would be 192 million euros. Not sure whether it would come to that.

But in any case, it's, it's another complaint to follow. Could take

K: Yeah.

Paul: before we hear more.

K: And the last one that I have, because I know we're coming to time, is Argentina. Their data protection agency, the Agency for Access to Public Information, they are investigating a cryptocurrency provider called #WorldCoin. Now, there are also authorities in [00:29:00] Europe, in Kenya, investigating this. This is on their biometric collections and the security measures built into it.

So that's going to be an interesting one to follow.

Paul: Yeah, and this is, this is an interesting one, because Worldcoin is not just a cryptocurrency. This is actually something that is developed by the people behind OpenAI, that is responsible for #chatgpt, and you see that this has been launched, this project, two weeks ago only. And you see that a lot of data protection authorities are jumping on this bandwagon because they don't trust it.

Worldcoin claims that they will give away free money if they can use your facial scan for whatever purposes that they like. And obviously, certainly in, in third world countries, in, in poorer countries, developing countries, this is something where a lot of people might [00:30:00] be interested.

So not just Argentina has, has launched this, but you see that also the ICO, the Spanish DPA, some of the German DPAs, France, Japan, Indonesia, and indeed Kenya are looking into this. In Kenya, Worldcoin is no longer allowed. They are not allowed to sign up new users, as per the government, for data privacy concerns.

K: Yep. So it's going to be an interesting one to watch, but this

Paul: Bad idea from the people behind #OpenAI.

K: Also, but this also brings to mind the concept that privacy is for those with money, because this is targeting people who want or need money. I mean, rich people can always want more money too, but it is much more of a motivator for those who don't have it.

Paul: So I guess that wraps up another episode of Serious Privacy. I know we've been a bit all over the place, literally, 

K: A privacy popcorn? 

Paul: this week. But there's been [00:31:00] so many small things happening, so I think it's good to list those as well. We'll have the more in-depth episode coming for you as well, as promised, including on the new India data protection rule, which will have an impact for a lot of companies out there.

If you liked the episode, rate and review us in your favorite app, on your favorite podcast platform. Join the conversation on LinkedIn, find us under @SeriousPrivacy. You'll find K on social media as @HeartOfPrivacy, myself as @euroPaulB. Until next week, goodbye.

K: Bye y'all.