Serious Privacy

Happy Data Privacy / Protection Day with the Kickoff of Season 5!

January 28, 2024 Dr. k royal and Paul Breitbarth Season 5 Episode 1

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company kick off Season 5 with a Bang! As usual, we launch the new season on Data Privacy - Data Protection Day and what a year we’ve had so far!

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO


Please note this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:00] Paul Breitbarth: Happy New Year. After our annual January break, we are back for season five of Serious Privacy. Still one of the best privacy and data protection podcasts out there. We don't expect any major changes this year. We still have TrustArc as our sponsor, and we still aim to release weekly episodes of around 35 minutes.

And also this year, expect to hear from interesting voices in the privacy community, old and new.

This week we kick off with an update episode because a lot has happened in the usually so quiet month of January. And of

[00:00:44] K Royal: Not quiet this year.

[00:00:46] Paul Breitbarth: No, it's not, but of course, first of all, happy Data Protection Day to all of you.

[00:00:51] K Royal: And Happy Data Privacy Day and the crowd goes wild.

[00:01:01] Paul Breitbarth: My name is Paul Breitbarth.

[00:01:04] K Royal: And I'm K Royal. And welcome to Serious Privacy. Season 5!



[00:01:12] Paul Breitbarth: have believed that?

[00:01:13] K Royal: And still going 

[00:01:15] Paul Breitbarth: Yeah, Happy New Year, 

[00:01:16] K Royal: Happy New Year, Paul. It's good to chat with you. I know we chat back and forth anyway, but it's different to see your


[00:01:24] Paul Breitbarth: This is the first time it's on the record again, right?

[00:01:26] K Royal: Exactly. And you're not kidding. This has not been a quiet month.

I mean, did New Jersey not shock everyone? Wham! Bam! Thank you, ma'am. We have a law now!

[00:01:37] Paul Breitbarth: Yeah, well, they shocked me. Like, okay, why couldn't you do this still in December? Why does this have to be January? Why do we immediately out of the gate a few days into the new year? Hup, we've got a new law.

[00:01:49] K Royal: I was like, stop that!

Unexpected question! And, you know what? Let's change things up a little bit. Why don't you throw an unexpected question my way?

[00:02:02] Paul Breitbarth: Okay, I will. What are you most looking forward to this year?

[00:02:06] K Royal: Getting my house finished and moving into my house and out of this house.

[00:02:13] Paul Breitbarth: Well, I guess that makes two of us.

[00:02:17] K Royal: Because you're gonna be moving? Yay!

[00:02:20] Paul Breitbarth: I'm going to be moving in April. Yes, the, my current house is sort of sold, just waiting for the mortgage of the buyer to come through.

So then that's done. And the renovations of my new house are going well. So a couple of more months and then I should be able to move in.

[00:02:40] K Royal: We've been saying ours are going to be done in about six months because things move really, really quickly. We've got the plumbing done and the roof and the walls up and the doors and the windows are on. And I don't know. I make these five payments and gauged on, balanced on the level of work that they do. And we've only made one. So if I go by that, we're almost at the second payment. So almost at the halfway point, but I don't know how much time each one of them takes. So we're there, but it is exciting.

I'm already buying stuff for my brand new office. What's going to go on the walls, my new desk, excited. So how about you with your new house? Are you doing the same thing?

[00:03:16] Paul Breitbarth: Yeah, I'm, I'm going from bathroom store to kitchen appliance store to paint store to pick all the things that I want, which can become tedious after a day, but you know, most of the choices are made.

[00:03:30] K Royal: Are you doing the painting?

[00:03:32] Paul Breitbarth: No, my builder is going to do the painting, 

[00:03:34] K Royal: Okay. So it is building a new house. 

[00:03:37] Paul Breitbarth: No, it's, it's renovating.

[00:03:38] K Royal: The builder for the renovations, got it. Okay, nice. Well, that's good because I, I'm at the point in my life where I'm happy to pay other people to do the painting.

[00:03:47] Paul Breitbarth: So am I, plus they have these spraying machines so they can just put a bucket of paint in a machine and spray the walls. Whereas I would probably take ten weeks or so to do the single wall.

[00:03:58] K Royal: Given that my daughter's poor kitchen is still left mostly unpainted after we started it one weekend, I would say the same thing for us too. But, but I am excited. It, it's new stuff, it's old stuff, it's things that I have that I have to have up like this big 50 by 50 peacock that I have. That when in my living room in the last two houses, it sets the tone for the house.

I don't have anywhere new in the house for it to go. When you open the front door, you're not going to see it. So it's like, huh, it can set the tone, but only once you're actually in the house looking at stuff. So it's interesting how we do this. And I don't, we don't mean to devolve the entire podcast down to Paul and I catching up on personal lives.

Although, what the heck. But just wanted to say,

[00:04:47] Paul Breitbarth: a personality show.

[00:04:49] K Royal: Apparently we are. And loved the podcast rankings that Jeff Jockisch just did. We opened up the, the voting. I know we'd encouraged our listeners on LinkedIn to vote. We lost in the top three by one point. Not one vote. But it's interesting how he does his, his data and adds them up. And I'm never going to question Jeff on that. He's got a formula and his formula works, but Paul and I were both also voted in as completely write-in candidates as top interviewers. And so that was really good. That was nice to see.


[00:05:25] Paul Breitbarth: Absolutely, very happy with that. And it's always good to see so many enthusiastic reactions out there for privacy podcasting in general.

[00:05:34] K Royal: Yes! And, and yes, it's a friendly competition. It's funny, if you look at, you know, the people that do podcasts in a lot of these other areas, like Mysteries and Police Podcasts, they don't know each other. They might know one or two of the others, but they don't. We all pretty much know each other.

We like to do shows together. It's, it's a wonderful industry to be in, a wonderful thing to be doing with like minded people. So we really enjoy that part of it.

And speaking of which we have a whole month to catch up on. We don't have a week in privacy. We have like a not a year in privacy, but a month in privacy has been a year so far.

But we have a month in privacy to catch up on. And we already mentioned New Jersey has come right along and New Jersey is following along with some of the other states and has a sensitive data listing. It uses controllers, processors. It Selling data is not just for money. It's for other valuable consideration.

I think it does use the COPPA definition for children rather than under 13. I think I picked that out off the top of my head. So that's Jersey. New Hampshire, we expect to be signed at any point. It was already passed by both houses going to the governor. The governor, I think, has been public about his intent to sign it.

So looking forward to that. I will say my prediction for part of the year has, or for the rest of this year has been whatever we're going to see, we're going to see up front, because this is an election year and I expect the majority of the time after this to be taken out. So I do kind of expect a bam, bam, bam up front, maybe the first 60 to 90 days.

And then I expect that we will repurpose our attention, our efforts towards an election year, which if you're outside the U.S. and you've been keeping up with the news, gonna be pretty interesting this year as an election year, so we'll just leave it at that. It's gonna be a pretty wild ride. But let's talk about everything else that is, oh, we're not, no way we're gonna get to everything else, Paul.

But let's talk about some other things.

[00:07:40] Paul Breitbarth: Well, first of all, on January 15, the European Commission published their long awaited adequacy review for all the old adequacy decisions predating the GDPR.

[00:07:55] K Royal: And did they really assess it, or did they just kind of rubber stamp what was there already?

[00:08:00] Paul Breitbarth: No, they did really assess it. But they waited an awful long time to publish the report. Because there is the, the 15 page summary, which has all the decisions in there. And then there is the Commission staff working document of 350 pages or so, which has all the details. So it is really a proper assessment of all those

[00:08:22] K Royal: But you did hear a lot of criticism out there for it because I don't think any countries lost their adequacy, and I don't think there were any major recommendations for any of those countries moving forward. And I know that that was a little disheartening for some people in Canada who were hoping not necessarily to lose adequacy, but to have that adequacy granted under provision, I think is the wording that they had to do certain things to bulk up what they're doing.

So I think that was a disappointment to some people, but no one lost their adequacy.

[00:08:55] Paul Breitbarth: No one lost their adequacy, and I think that in part will probably also be a political directive that that should not happen, because it would also immediately harm trade relations, probably, if the EU would say, hey, you're not good enough anymore. I do understand that, but the report could have been a bit stronger.

There also I agree, and it could have been a bit more up to date given how long it has taken. If I look to the first jurisdiction that interests me, Jersey, obviously, the Bailiwick of Jersey, we retained our adequacy decision. I'm really happy to see that. But if you look at the staff analysis, that goes back to a review in 2020, 2021, and more current developments, for example on the enforcement front, have not really been included in the, in the report.

So I thought that was also a bit disappointing given, hmm, the time it has taken to release this report. We knew a lot of the work was done prior to Schrems II already. But I had expected more up to date information to be included. Indeed, related to Canada, related to Argentina, certainly also related to Israel, which is under constant pressure because the DPA may or may not be seen as, as, as fully independent. So, yes, I, I agree with those saying, hey, some more criticism would probably be, be required here

[00:10:26] K Royal: Yeah. Yeah.

[00:10:27] Paul Breitbarth: And I'm curious to see what the EDPB will do, whether there will be any recommendation from them, any follow up, because they have not been consulted before the decision was taken, or at least so it seems. Maybe informally, but there is no advice from the EDPB included.

[00:10:44] K Royal: Right.

[00:10:45] Paul Breitbarth: So, yeah, I'm curious to see what will happen there.

[00:10:48] K Royal: Yeah. I am too. I am too. And you had a little bit of something else happen over there on that side of the ocean coming out of the EU. Something to do with the AI Act? Ha

[00:10:59] Paul Breitbarth: Yes, the AI Act is sort of finalized. The Belgian Presidency of the European Council released a new draft of the text, of the final text, earlier this week. I'll admit, I haven't read it yet. There are a few too many other things going on at the moment. But yes, that text is available now as well.

And should go through for final votes in the Council of Ministers and also in the European Parliament. And then we also saw last week the release of the report of the European Data Protection Board on the role of the DPO. As you may remember, 2023 for the EDPB was the year of the DPO. They made sure to do a whole assessment in all of the EU member states to take a look at the position of the DPO, how they are designated.

If there are, if they have sufficient resources. And that report was now, now released, and I'm also curious to see what follow-up will be given there. Probably some more guidance in any case will be, will be coming. In any case, it seems that the data protection authority should raise more awareness on the requirements that a DPO should be appointed, especially for those where the DPO is, is mandatory.

Obviously more guidance to data controllers on the resources that are required, on training needs for DPOs, because quite a few of them seem to report that they feel they have insufficient expert knowledge. And that is a precondition in the GDPR to be appointed DPO, that you also have the knowledge and the understanding of the legislation.

And also the conflict of interest is a topic that, that still remains on focus. It seems that quite a few DPOs report, hey, I also have another role which might be conflicting, but they may be scared to speak up and lose one of their roles and become less relevant in the organization.

So that could be a point for follow up as well. And then finally also access to the highest level of management remains an issue for many DPOs.

[00:13:15] K Royal: It does.

[00:13:15] Paul Breitbarth: They are basically too junior in the organization

[00:13:18] K Royal: Yes.


How do I put this?

U.S. companies that do not have a defined global footprint, they're completely based out of the U.S., don't seem to appreciate the role of the DPO. And I know I was told at one point by someone I reported to that the DPO is just operational, K.

They're just taking in the DSARs and pushing them back out and logging things. But I think that that is not an unusual take on DPOs. But I definitely don't consider the role of DPO to be junior whatsoever or to just be an operational kind of person who shuffles around DSARs or whatever.

So I find it interesting or maybe intriguing how this report might actually go over with U.S. companies who are strictly, I don't see it so much in the ones that have a big global footprint and they have, you know, subsidiaries in other countries, but those that are just strictly U.S., I wonder how that's going to go over.

But on the other hand, I've been wondering how the whole GDPR and privacy law and a whole bunch of other things are going to go over with a lot of companies that, that only have the one headquarter in a specific country. And for some reason are a little blind to a lot of privacy laws out there. Yeah,

[00:14:44] Paul Breitbarth: Deep sigh. Well

[00:14:45] K Royal: Deep sigh.

[00:14:46] Paul Breitbarth: On the one hand, I do under, I do understand also that for a lot of companies it is a struggle, especially if you are a mid-sized company and this is something, oh yeah, we also have to do that. How are we going to do this? How are we going to find time for somebody to also take up this role and do the right reporting and have proper resources and pay for everything

[00:15:08] K Royal: And proper independence and everything. It, it is challenging. And nowadays it's even more challenging because we're in a challenging economy of companies coming out of the COVID times. And COVID ain't over. We all know that. But the pandemic, the shutting everything down and companies are still coming out of that.

We're still seeing major layoffs by major companies. eBay just had a lot of layoffs. I think some others did too that hit the news. Google did. Some others did. We're still seeing massive layoffs. And I don't mean a reduction in force of a couple of hundred. We're

[00:15:44] Paul Breitbarth: No, it's thousands and thousands. Yeah, Signify, the smart lighting company, announced today another thousand on top of the two and a half or three and a half thousand that they had already laid off at the end of last year.

[00:15:55] K Royal: So we can't say that privacy or data protection is more important than the company actually staying in business.

[00:16:03] Paul Breitbarth: No, it's not. Well, at least not for the company.

[00:16:06] K Royal: And so you have to, you have to get your priorities.

[00:16:09] Paul Breitbarth: Well, it's not, it's not more important for the company. For the individual, it might be different obviously, because a fundamental right to privacy is a fundamental right to privacy, but there

[00:16:21] K Royal: Absolutely.

[00:16:21] Paul Breitbarth: right to be able to do business.

[00:16:24] K Royal: We're in a services component to where we have to understand that even in our role, you have to balance the risk with the benefits. I know that we have colleagues that say that's not done in data protection or privacy, you don't, you make your recommendations, you live by it.

Well, yeah, that's true. You, you don't back off from making your recommendations of what would be the right thing to be done. What you're making a decision on is what parts absolutely, totally have to be in place and wouldn't put the company out of business. Is essentially what I'm saying.

[00:17:03] Paul Breitbarth: Yeah. And 

[00:17:03] K Royal: a hard position to be in. 

[00:17:05] Paul Breitbarth: know that's something we want to avoid. And I mean, that goes back to the discussions we had in 29, following Schrems I, when Safe Harbor was annulled. At the time, we already discussed, okay, so if we would now strictly enforce the court's decision that Safe Harbor has never existed and prohibit immediately all data transfers to the United States, then you would, then it would crash the global economy, because the data needs to flow.

So that one, that's one of the reasons why the grace period was, was decided upon at, at the time, because also DPAs are realistic enough.

[00:17:45] K Royal: There was not a grace period after this last one. Officially.

[00:17:49] Paul Breitbarth: facto grace period of two

[00:17:51] K Royal: Yes. Yes. Officially. But I mean that's one of the harsh realities we face. As privacy. And I think a lot of professionals in any type of risk or compliance role faces the same thing. You got to be legal.

You've got to do the right thing. You've got to protect the thing. In our case, it's the individuals and their data at the cost of what? And so that's interesting. But before we get off this very, very depressing subject, it's something you wrestle with all day long. And that's the measure of a privacy professional, is how you know the wisdom and the experience to be able to approach the risk and the benefits.

Harsh reality of our jobs. So let's talk about another harsh reality. What's this about Facebook and their pay or play and opting people into the free ads?

[00:18:46] Paul Breitbarth: Well,

[00:18:47] K Royal: other option was opting them into paying and charging them, which they couldn't do.

[00:18:52] Paul Breitbarth: Well, I mean, opting them in without people giving consent is also something they couldn't do. And apparently they have done it because

[00:18:59] K Royal: They should have just blocked

[00:19:00] Paul Breitbarth: also looking at my Instagram, I can certainly access it again. So apparently I'm now okay with being served ads, which I'm not, which I told them I'm not. Still waiting to hear back for a substantive response to my complaint, by the way.

[00:19:15] K Royal: Oh, you might be waiting a day or two on that one.

[00:19:18] Paul Breitbarth: Oh, I know. But you know, for the first time in a very, very long time, the Dutch DPA made me proud this week.

[00:19:25] K Royal: Tell us. 

[00:19:27] Paul Breitbarth: Actually on Friday released a press statement saying privacy is a fundamental right. It is not just for rich people. And together with the Norwegians and with the Germans they have started a process in front of the EDPB to get a decision from the EDPB in the next eight weeks.

So by the end of March on whether or not pay or okay is allowed. We already know from the Germans, also from one of the Italian commissioners, that they are not in favor of pay or okay. Also, the Dutch DPA now seems to imply this is not something that we like,

The chair of the Dutch DPA in the press release actually said online platforms can follow a lot of things, whatever you click on, whatever you watch online, where you are, your political preferences.

And it is your right to have control over your personal data, that those are well protected. And that is a fundamental right for everybody. But what tech companies are doing now is putting a price tag on that. And privacy will become a luxury only for rich people. That is not something that they like.

That's my words again, not his. But important questions for the EDPB's decision will be whether the consent to process your personal data is actually freely given or forced, whether the price is fair, and also if you deny consent, if that leads to disadvantageous consequences, especially for people with a low income.

And all those questions to me imply a certain answer, but let the EDPB come to their conclusions by themselves. I strongly encourage them to come to the obvious conclusion that pay or okay is


[00:21:14] K Royal: You can go away and consider it, but we strongly encourage you decide this direction. No, I like that because as you know, it's long been a concern of mine that privacy is becoming a luxury for those who can afford it.

And I think the Facebook pay or play is a perfect example of them. There's, there's a lot of examples out there, which state laws are trying to get rid of as well saying you cannot be discriminated upon by acting upon your rights, including the right to opt out of advertising and profiling and things like that.

So, but I do, I do find it interesting. I mean, they had an option. They could have suspended people's accounts who didn't make a choice.

[00:21:57] Paul Breitbarth: Yeah, I would have rather seen that they did that instead of opting me back in.

[00:22:01] K Royal: There would have been an uproar. But it would have been a fair choice.

[00:22:05] Paul Breitbarth: Mm hmm.


[00:22:07] K Royal: Some people may have just said, screw it, I'm not going back on Facebook again. Which I think there's a lot of people. I mean, frankly, I think I post on Facebook my Wordle every day.

[00:22:17] Paul Breitbarth: Why? What's the added value of doing that?

[00:22:20] K Royal: I don't know. It's a habit. It's, it's, it's a habit.

I go share my Wordle because I have three friends who will post their Wordles in exchange. And also the new Connections Puzzle. I think I posted it once. That one will break your brain, the Connections Puzzle.

[00:22:39] Paul Breitbarth: Is it fair to say that you have certain addictions to social media?

[00:22:43] K Royal: I have certain, certain pseudo addictions. It's, it's interesting because I don't know what I use Facebook for anymore. It's, I say that it's to stay in touch with people and keep up with what you're doing, but months go by and you'll be like, oh, wait, I haven't seen anything from this person. And you go look that person up and either they're no longer on Facebook or they unfriended you.


[00:23:13] Paul Breitbarth: Or they closed their account. 

[00:23:14] K Royal: And it's, it's like, it's like, I'm not even sure that means I'm keeping, I use Facebook Messenger a lot. Our, our family uses Facebook Messenger a lot and my daughter's fiance, which there's news for me, my youngest daughter got engaged. This is the one in med school. So they got engaged while they were here.

I guess they got engaged right before Christmas, but they were here for Christmas. So we took them out to celebrate. She graduates med school this semester, but her fiance started questioning me about the, the third party doctrine for services here in the United States, that you don't have a right of privacy once you've given your data to a service provider or to a company.

Because therefore, you're, you're consciously giving up your right to privacy by sharing it with that company. Therefore, the government can go to that company and get the information. Companies like Google publish their transparency reports of how many requests they have gotten. And we're talking hundreds of thousands of people.

Hundreds of thousands of requests. In, in a six month period, hundreds of thousands of requests and so they publish their transparency reports of how many they've gotten and then of course, how many that enterprise has gotten as well, not just on individual accounts. So it's interesting, he's like, but shouldn't that be controlled?

And I'm like, no, the constitution does not apply to private companies.

The Constitution applies to government. He's like, yeah, but doesn't it matter when it's an essential service, when it's something that is critical? I'm like, and you think Facebook is critical?

He was actually talking about cell phone companies and he was like, well, cell phones are critical.

That is a critical means of communication. I'm like, well, yeah, but someone doesn't have to use a cell phone. They can call emergency in another way. But this, as people would call it, the Gen Z view on privacy is more along the lines of private companies should have to do the right thing too.

[00:25:12] Paul Breitbarth: I, I agree with that wholeheartedly, but I think also for quite a few people, it is actually an essential service, social media. And you can debate which social medium would be, would be the one. I think for many people here in Europe, WhatsApp is an essential service they could not live without because

[00:25:33] K Royal: Right.

[00:25:33] Paul Breitbarth: not be able to, to communicate with their friends and family.

[00:25:38] K Royal: Exactly. And it, he's talking about also the freedom of speech and how you get blocked from social media or certain sites or whatever. I'm like, that's been long established that private companies have the right. I mean, yes, the New Yorker publishes op eds. They don't have to though.

That's, that's the thing.

And we just had two Supreme Court cases that went up here in the United States about terrorist organizations using social media to recruit and how the social media has the right to block them or not, because it is not pornography. It's not these, these offensive things, and I don't have to go into a list of offensive things, y'all know what I'm talking about.

It is recruiting for terrorist organizations. So the concept itself may be offensive, but the way in which they're recruiting them necessarily isn't, and so it's not blocked by the social media tools. And the United States Supreme Court upheld that a private company has the right to block or not block anyone using their services. And that is starting to be the thing that is not sitting right with the younger generation, is they believe the control should be applied uniformly and not just a government sponsor, because so much essential services are now in the hands of private companies.

[00:27:02] Paul Breitbarth: Quite a fair point.

[00:27:03] K Royal: is a good argument.

[00:27:04] Paul Breitbarth: It is, yeah. And 

[00:27:06] K Royal: It's not going to go anywhere.

[00:27:07] Paul Breitbarth: the Bill of Rights, I guess, only applies to individuals and not to companies.

[00:27:12] K Royal: And it applies to the government. With those Bill of Rights saying that the government shall not infringe a person's free speech and shall not infringe a person's privacy in their own home has nothing to do with whether a private company can infringe their free speech.

[00:27:28] Paul Breitbarth: But what about a legal person? A legal person is a person.

[00:27:31] K Royal: I'm sadly shaking my head here at Paul on this one


[00:27:34] Paul Breitbarth: Not under US law.

I'm not gonna debate the U. S. Constitution with you now. I mean, we'll get opportunity for that later in the year when the Supreme Court allows Donald Trump onto the ballot.

[00:27:45] K Royal: No comment, no comment.

[00:27:49] Paul Breitbarth: Not for now. 

[00:27:50] K Royal: It's, it's interesting. So anyway anything else fascinating 

[00:27:55] Paul Breitbarth: Not sure whether it's fascinating or not. It's also not surprising. But one of the commercial test labs for COVID here in the Netherlands from the pandemic heydays had reported earlier this week that they had a data breach of 1.3 million records.

[00:28:10] K Royal: Oh, wow.

[00:28:11] Paul Breitbarth: And I'm pretty sure they are not the only one out there that have a data breach.

Maybe they are one of the few that actually came clean. Remember, all those test centers had to be set up within a matter of days, if not hours, so data security cannot have been very high on their priority list. Let's just make sure it works.

But that means that indeed also a lot of that data got breached.

[00:28:36] K Royal: Well, speaking of breaches, did you hear the one that they are calling the mother of all breaches?

[00:28:42] Paul Breitbarth: Oh, we have a new one.

[00:28:44] K Royal: Researchers discovered a database composed of stolen PII so large it's been dubbed the mother of all breaches. It contains no fewer than 26 billion records.

[00:28:58] Paul Breitbarth: Okay, that's more than

[00:29:00] K Royal: Making up to 12 terabytes of data, from sites including Twitter, LinkedIn, Weibo, Tencent, and more.

This is a cybersecurity researcher, Bob Diachenko, who's covered many other data leaks over the years. He discovered the exposed records. Now it could be that these are gathered from all these other leaks and put into one database. But the sheer number of records it contains, and I'm quoting this from an article on TechSpot.

My husband sent this to me. Go figure. My whole family's tuned into privacy now. The sheer number of records it contains suggests there will be new information that has never before appeared online. It's 26 billion records across 3,800 folders, each corresponding to a separate data breach, and is the largest ever compilation of multiple breaches.

So it is data that's been breached before, but they're starting to add together all these data breaches and going, you know, the known data breaches don't amount to that much. There has to be some new data breaches in here. So it's really interesting. Some of the ones you can see on the screen print are MySpace, Wattpad, NetEase, Deezer, Adult Friend Finder, Zynga, Luxottica, Evite, Zing, Adobe, MyFitnessPal, Canva, JD.com, Badoo, VK, Youku, and there's more. So this is interesting, how this is thought to be. It says now it comes a week after Troy Hunt, operator of Have I Been Pwned, uncovered a data dump containing 71 million unique credentials and 25 million never before seen passwords.

It's also possible some of that appears in this as well. So it's one database compiled over multiple data breaches, but they seem to think there's going to be data breaches that have not been brought to light shown in this. But what was it? 26 billion.


[00:31:01] Paul Breitbarth: That's a lot. So I would

[00:31:03] K Royal: That's a lot.

[00:31:03] Paul Breitbarth: listener who reaches out to us that is not included in this data breach of 26 billion records, that they will get the very first serious privacy coffee mug.

[00:31:14] K Royal: Yes! There, there is hope for you yet.

But, yeah.

[00:31:21] Paul Breitbarth: those 26 billion records.

[00:31:23] K Royal: Yes. And it's interesting, if any of y'all haven't heard of the website, Have I Been Pwned? It's P-W-N-E-D. And you can put in your username, you can put in your email, you can put in your password. And similar to using the login with Google, it will pop up and say, This password has been used in multiple breaches.

Would you like to change it? And rather than saying, Nope, keep going, you should probably say, Yes, and go change the password. Multi-factor authentication is still the number one prevention out there. And I know that's irritating to people. But I can't tell you how many notifications I get to Gmail telling me someone just tried to access my account.

Was this you? It's never me. It means someone out there is trying and failed multi-factor authentication.

[00:32:14] Paul Breitbarth: A password manager is also still a good recommendation. 1Password actually includes a Watchtower that is also

[00:32:22] K Royal: Yeah. 

[00:32:23] Paul Breitbarth: hack databases. So to show whether your password has been compromised or not, there are others out there that work well.

[00:32:31] K Royal: And yes, they've been compromised too.

[00:32:33] Paul Breitbarth: Yeah, usually the, usually the free versions,

[00:32:36] K Royal: Doesn't mean they're not still good.

[00:32:38] Paul Breitbarth: But I always like the ones that store locally instead of store centrally, because then the risk is a lot smaller. And 1Password does that, Proton Pass also does that. And it also allows you to generate those multi-factor authentication codes and sometimes even already to just fill them out for you while you are logging in.

[00:32:58] Paul Breitbarth: Before we wrap up, we actually have one more thing for you. While at IAPP Brussels last year, I asked TrustArc CEO Jason Wesbecher if he would be able to share some reflections on his first couple of months at the helm of our sponsor. And he did, so let's listen in.

[00:33:16] Jason Wesbecher: Well, hello there, Paul, K, and the Serious Privacy audience. My name is Jason Wesbecher and I am the CEO of TrustArc, and Paul and K have asked me to share with you three things that I've learned as the new CEO of TrustArc. So a bit of background here. I've been at TrustArc since 2021 as our head of go-to-market and about six months ago was tapped on the shoulder to become the CEO of the company.

And I have learned 300 things during those six months, but I'll share with you three ones that are relevant to this audience. The first one is that teams that are in the privacy business are perpetually understaffed, under-resourced, and overworked. It is incredible to think about the importance that privacy has within a company's identity and existence.

And yet the folks that we talk to day in and day out are constantly underwater, and I think that's owed to a couple of things. Number one, the ever-changing, dynamic, murky regulatory environment that we're faced with on a U.S. state level, on a global level. It is increasingly complex and shows no signs of letting up.

I think the second thing that leads teams to be as overworked as they are is that, frankly, the privacy teams don't get the budget that the security teams get. And so my heart aches for the folks that work in corporate America globally on privacy teams that don't necessarily have the resources that they need to accomplish their jobs.

I think my second learning here, which is sort of related to the first one, is that the folks that we talked to, they're not seeking a vendor, they're seeking a partner, a coach, right? It's like the old analogy of they don't want to buy a treadmill. They want a gym membership with a trainer. And that's owed to the fact that simply they don't have the resources to go accomplish the mountain of work ahead of them.

And so vendors in this marketplace that can serve as that personal trainer and that coach will do much better by their customers than folks that serve purely as a software vendor. And the third thing that I've learned, and again, this is an old one, but it's remarkably true about this privacy business.

The economics of automation are tremendous, right? This is a business that has historically been done the old-fashioned way, right? Manually with Google Sheets and spreadsheets and consultants and lawyers. But when you can provide automation into that mix, you actually end up not only accomplishing your mission much more effectively and much more fast, but you do so by spending less money. So, automation economics, once again, rule the day in the privacy world. So, with that being said, thank you so much for hearing me out. I'm super excited to be leading the team here at TrustArc on a fabulous privacy journey. Pay close attention to TrustArc, by the way, over the course of the next couple months because we're going to be offering a really, really compelling and innovative product roadmap that we can't wait to share with you.

So thanks everybody. You guys have a great day. We'll talk to you soon.

[00:36:56] K Royal: And there's your month in privacy, there's your update of mine and Paul's new houses. Housewarming gifts can be sent to yourself. It makes us happy when you make you happy.

[00:37:07] Paul Breitbarth: Absolutely.

[00:37:08] K Royal: to buy us something for a new house, go buy yourself a little happy.


[00:37:12] Paul Breitbarth: And on that note, we wrap up Episode 1 of Season 5 of Serious Privacy. Thank you all for listening. You know where to find us. On LinkedIn, find us under Serious Privacy. You'll find K everywhere as @HeartofPrivacy and myself as @EuroPaulB. Until next week, goodbye.

[00:37:15] K Royal: Bye y’all.