Serious Privacy

One Hot Week in Privacy

May 10, 2024 Dr. k royal and Paul Breitbarth Season 5 Episode 14
One Hot Week in Privacy
Serious Privacy
More Info
Serious Privacy
One Hot Week in Privacy
May 10, 2024 Season 5 Episode 14
Dr. k royal and Paul Breitbarth

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal discuss a hot week in privacy! Topics include the amendment of Colorado’s privacy act to include protecting children, CT’s AI bill did not pass, but the TikTok bill was rolled not a foreign aid bill. ByteDance is ordered to divest themselves of TikTok by January 19, 2025 with the allowance for a 90 days extension. But Bytedance has already filed a suit in the DC Court of Appeals and no matter what the outcome is, it will likely be appealed to the US Supreme Court - so regardless of constitutional arguments, it likely won’t see action as long as it moves through the court system. Germany appointed a new data protection commissioner. We also discussed Global CBPRs and BCRs - along with guidance from the CNIL on BCRs. There was developments about the EU Council approved a protocol for the freeflow of data in Japan and in Kenya, there was also a big privacy event because the Pan African Network of Data Protection Authorities held their annual general meeting and as part of that event Kenya's cabinet secretary for ICT and digital economy called for digital sovereignty and data governance in Africa.

A lot happened this week and this only scrapes the surface!

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Show Notes Transcript

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal discuss a hot week in privacy! Topics include the amendment of Colorado’s privacy act to include protecting children, CT’s AI bill did not pass, but the TikTok bill was rolled not a foreign aid bill. ByteDance is ordered to divest themselves of TikTok by January 19, 2025 with the allowance for a 90 days extension. But Bytedance has already filed a suit in the DC Court of Appeals and no matter what the outcome is, it will likely be appealed to the US Supreme Court - so regardless of constitutional arguments, it likely won’t see action as long as it moves through the court system. Germany appointed a new data protection commissioner. We also discussed Global CBPRs and BCRs - along with guidance from the CNIL on BCRs. There was developments about the EU Council approved a protocol for the freeflow of data in Japan and in Kenya, there was also a big privacy event because the Pan African Network of Data Protection Authorities held their annual general meeting and as part of that event Kenya's cabinet secretary for ICT and digital economy called for digital sovereignty and data governance in Africa.

A lot happened this week and this only scrapes the surface!

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:00] Paul: Another Wednesday another week in privacy 

[00:00:15] K: Don't sound 

[00:00:15] Paul: so excited.

Well, there is there is news Just when we thought that we're gonna do another topic and do a deep dive. You look at the news and yes, there is a massive UK data breach. There is new guidance on scraping. TikTok is suing the U S government.

Surprise, surprise, Europol claiming that encryption is dangerous. Surprise, surprise and Kenya wanting data sovereignty. So I think there is enough to talk about. So let's do it. My name is Paul Breitbart.

[00:00:46] K: And I'm K Royal, and welcome to Sirius Privacy. So unexpected question, if you could hang out with any cartoon character, who would it be?

[00:00:56] Paul: Ooh.

[00:00:58] K: Wow, you're thinking.

[00:01:01] Paul: I am thinking, because

[00:01:03] K: It's a different question from who's your favorite character.

[00:01:07] Paul: it is and is it cartoon as in televised cartoon or do comic books count as well if there have been movies made out of them. 

[00:01:16] K: I think they would have to count anyway, right? Because who wouldn't want to hang out with Marmaduke or Garfield?

[00:01:22] Paul: Me, but, I'm not a cat person, but you knew that already. no, then probably I would hang out with Asterix.

[00:01:32] K: Ooh, now that's the same one you gave on your favorite cartoon though, isn't it?

[00:01:35] Paul: Yeah, I think so at least one of them, yeah, and you know, go back to Roman era to see that for a while, to see what it's like. Wouldn't be that bad.

[00:01:47] K: Wouldn't be that bad at all. I've got all of these going through my head. If you ask me for my favorite cartoon character, it's gonna be Betty Boop. 

[00:01:54] Paul: Yeah, also no surprise there.

[00:01:56] K: Yeah, no surprise. I love Betty Boop. I collect all kinds of Betty Boop stuff. But hanging out with Betty Boop, I had to think about, because wouldn't you want to hang out with Bugs Bunny or Elmer Fudd?

Or what about Mickey Mouse and be at Disney World? I mean, there's all these fabulous ideas if you hang out with them of things you could do.

[00:02:15] Paul: McDuck. Hmm

[00:02:16] K: Yeah, I think I'm still gonna go with Betty Boop because, you know, she, and I know I shared this before, but I'm gonna do it again. The Betty Boop cartoon was the origins of Popeye.

He was a sailor that would visit and he became very popular. As a matter of fact, olive oil stole Popeye from Betty Boop. And years ago there was this shirt I saw that had Betty Boop and Popeye riding a motorcycle. And I'm like, how cool that Betty Boop and Popeye are together. And this was before the internet people.

So I had to go do research and find why was Betty Boop and Popeye together. I didn't buy the shirt and I regret it to this day, but most people have no idea that Popeye came from Betty Boop. So that, that would be the one I'd hang out with. 

[00:03:00] Paul: I also did not  know. 

[00:03:02] K: She was originally a dog,

[00:03:04] Paul: A dog?

[00:03:05] K: a dog. They, they changed her ears to earrings and, and different things.

I don't think that lasted very long. But anyway, very cool. So yes, tons and tons and tons of news happening this past week. No surprises, you said that TikTok and ByteDance filed a, a suit against the government claiming that the Protecting Americans from Foreign Adversary Control Applications Act is unconstitutional.

They say that banning TikTok is unconstitutional. I don't know that I agree with banning TikTok is unconstitutional. That's for the constitutional lawyers to figure out whether or not it is or not again We've said we'd love to have some constitutional experts on here to actually look at it But of course, they're also fighting the forced sale that they have a january 19th 2025 deadline The act will force a shutdown of them if they have not divested it.

They're saying, even if it was feasible, they're saying, first of all, it's not feasible. But even if it was feasible it would be an extraordinary and unconstitutional assertion of power. It would give the government to decide that a company may no longer own or publish, their words, the innovative and unique speech platform it created.

Accusing it that if Congress can do that, it can circumvent the First Amendment by invoking national security and ordering the publish of any individual newspaper or website to sell their product being shut down. 

[00:04:37] Paul: It's a very dangerous precedent. Yeah.

[00:04:39] K: it very much is a very dangerous precedent.

However, I mean, and, and this is where I do wish that our fans would join the conversation and, and let's get some conversation going over this. Do you feel, I mean, lots of countries have banned TikTok. And actually I think last count there were 30 something of them. So there's Afghanistan, Australia, Belgium, Canada, Denmark, European union in general, it says. 

[00:05:06] Paul: Yeah, but they haven't banned the tool completely. They have banned it for civil servants now.

[00:05:11] K: Right, 

[00:05:11] Paul: Civil servants cannot use it on their work phones, and that is a different use case.

[00:05:16] K: And that's what a lot of countries have done. It has banned it for the, the government. But India imposed it, a nationwide ban on TikTok and, and WeChat in 2020 over piracy. So there was a bunch there. India, a lot. Indonesia, Latvia, Netherlands, Nepal, New Zealand, Norway, Pakistan, Somalia, Taiwan, United Kingdom, and then United States.

And a lot of cases it's banned for the military or the government workers to use it because they don't want it in there, but it's not banned overall. But in some cases it's banned overall. 

[00:05:48] Paul: Yeah, but those are not the countries with the best reputation when it comes to freedom of speech. And wasn't the US the country that said, yeah, freedom of speech, yay for everybody, including for corporations? And that is why corporations can pay millions to US presidential candidates.

[00:06:05] K: So yeah, well, I think there's a little bit more complicated rationale than just that, but you're right. I mean, I, but I do believe that a ban of TikTok would go over and go down, whatever you want to call it, a lot better than forcing the sale. If you truly believe that a particular application is dangerous to the national security, then you should be able to ban it from being active in that country.

[00:06:34] Paul: then you should also have evidence and not just, oh I'm scared of China.

[00:06:38] K: Well, and, and again, it's along the same line as having the the export and the import bans and certain countries that you can't buy things from. It's the same thing. This would be importing the TikTok app. So I do believe that that would go over, that would go down a lot better, but there are still the First Amendment rights for freedom of speech that would come along with this.

But does that mean it's the government that can't ban freedom of speech? Duh. And different things like this, so does that mean then that they would have to have, as you said, evidence showing, That it is dangerous to the safety. of the nation as a whole, whether it's national security, whether it's health safety, mental safety, because I do believe that you can ban certain things that are that jeopardize the well being.

As well, even if it's not a medication or something, I do believe that should be possible. If you're looking out for the safety and the security and the well being of your population and your citizens, That's usually left to the state level. So can they do it? And if it is such a huge concern from a well being perspective, then can you ban it as a nation?

Do you override the state's rights to decide what's right for their citizens? And of course, we've done that tons of times with different types of actions, just not social media. Not a speech platform or a media platform.

[00:08:05] Paul: So again, to be continued, this will be before the courts.

[00:08:08] K: Yeah. And it's, United States court of appeals for the district of Columbia circuit. So trust me, there will be a lot of constitutional. arguments over this. We could go through we'll make sure that we post the link to the actual lawsuit that was filed.

I expect a ton of amicus briefs to be filed in this as well. Cause this is, this is going to go up. It does. It doesn't really matter what decision the court of appeals comes to. It is going to be appealed.

[00:08:36] Paul: Oh yeah. 

[00:08:36] K: And eventually it will be presented in front of the United States Supreme Court, 

[00:08:41] Paul: which means that it never will be done by the first of January 2025.

[00:08:45] K: Exactly! So , it will be delayed because it's pending in court because, you know, hello, that's how things work. And the Supreme court gets petitioned. For seven or 8,000 cases a year.

[00:08:57] K: I didn't look at the latest numbers, and they take just a fraction of those. so that is a final 

[00:09:04] Paul: Also because also they only work a number of months a year and not a full year.

[00:09:08] K: Well, but they can't take that many cases either.

[00:09:11] Paul: No, that's true. I mean, if there's only nine of you, then

[00:09:14] K: Yeah, exactly. So there, there's a lot of work to be done on this. So this is, this is going to be interesting to follow and watch. This is going to be like so many things that we've had come up lately on social media. Everyone's going to become a constitutional expert or a criminal law expert or an Olympic figure skating expert because you know, that's what happens.

No one knows what a triple sow cow is until you're watching the Olympics. So this is going to be the Olympics of privacy law. I have no doubt. We're going to be watching this all very closely. People will be tuned in. I'm interested to see what people have to say on this. I don't like tick tock.

I don't hide that. I think Paul's on the same boat with me there. He doesn't like Tik Tok either, 

[00:09:57] Paul: yep. but not because it's Chinese, just because I don't see the added value of yet another social medium.

[00:10:05] K: and me because of the lack of security controls in Tik Tok and what they do to capture people's keystrokes and everything. 

[00:10:12] Paul: So just one, one prediction, K. What will happen first? The final decision in STREMS 3 on cross border transfers to the US or the TikTok divestiture case?

[00:10:22] K: decision in the Tik Tok divestiture case, or the decision 

[00:10:26] Paul: Mm hmm. No, no, Supreme Court.

[00:10:29] K: Supreme oh god. Oh I'm gonna go tiktok.

[00:10:34] Paul: Okay.

[00:10:35] K: You're gonna go , aren't 

[00:10:36] Paul: I'm gonna go stramps. I think the European courts will move faster

[00:10:39] K: There we go. People put your money down Let's let's show me the money. Let's see what's gonna 

happen with Okay, so what else is happening in the US oh my gosh, what's not happening in the U.S.

[00:10:52] Paul: well let's not talk about Stormy Daniels and Sorted details that I didn't want to know

[00:10:58] K: let's not talk about that one. Okay We won't talk about that one. Okay, so the colorado general assembly approved a children's privacy bill You I don't know if it's gone to the governor yet, the Privacy Amendments for Children Data Online Activity amends the Colorado Privacy Act.

We've talked before about the actions going on in Colorado. So what it has is that a controller that offers an online service product or feature to a consumer that the controller knows or willfully disregards that that consumer is a minor is required to use certain activities use reasonable care to avoid heightened risk of harm to minors, conduct data protection impact assessments.

I think they call it a data protection assessment for the product and then take other activities there. So we're looking at that one. I think we talked about Nebraska already. The Maryland bill was signed. I think we covered that one. Oh, we did. We actually covered that one as well. 

[00:11:53] Paul: but the Connecticut AI bill didn't make it

[00:11:56] K: that's the one that failed, was the Connecticut AI bill. Right. So we have that. We don't really have a reason, just it wasn't voted in. 

[00:12:05] Paul: The Colorado AI Act is still alive. So maybe that will be maybe that may be one that we will see. but there is another patchwork that's being created off AIX. So we have a data breach patchwork. We now have a consumer privacy law patchwork and the AI patchwork is coming.

So maybe again, some federal legislation would be welcome, but I guess I'm four years early. 

[00:12:28] K: It would be welcome. And to go back to Connecticut the governor actually said that if the bill did come out of the house and send it and land on his desk, he would veto it. So that was known in advance. There's probably some reasons back there we could look up. I don't really see AI bills. getting much of a toehold here in the US.

I don't know why, but I would imagine that the rules to control them would be rolled under the Privacy Act, right? Why would you need a separate bill for, well, then again, there's a whole lot about AI that is not privacy. Nevermind. That was a stupid,

[00:13:02] Paul: well, no, it's, it's it's not stupid because it is all data related and almost all personal data related. But yeah, also here in Europe, we saw the need for an additional AI act and we have one now. It's actually it was confirmed this week today, actually, I think by the council of ministers. So it will be published in the next week or so.

[00:13:24] K: Yeah. Let's see. What else do we 

[00:13:27] Paul: Well, also in the U. S., the Federal Communications Commission has presented their net neutrality order. And they make clear that they consider themselves to be a privacy regulator. Because somewhere in the the order, they write that, This will support the Commission's efforts to protect consumers privacy and data security by restoring the Communications Act for Protective Privacy and Data Security Framework for broadband and granting the Commission enforcement and oversight authority over privacy related practices. So both the FTC and the FCC are now claiming that they are a privacy regulator. That's interesting. I think,

[00:14:07] K: right. Well, you know, I mean, the FCC did have a toehold certain administrations back and then it kind of bubbled out a little bit. The FTC really gained some ground in doing that. But I believe the FCC has a role to play in privacy and data protection. I mean, it's the federal communications commission.

[00:14:27] Paul: of course. And that's the same with all the telecommunications regulators here in Europe, also having a role to play when it comes to data protection, especially when it comes to online communications, to cookies and things like that, but also email and Hey, maybe also encryption. And when we talk about encryption, we can talk about Europol's recent statement, Europol, together with the European police chiefs, urges action against end to end encryption because it makes it so difficult to combat crime.

[00:14:58] K: Yeah, for them they can't actually read the communications and intercept them.

[00:15:03] Paul: exactly. So then privacy yet again becomes the harbor of criminals and terrorists.

[00:15:09] K: Well that is true and that is one reason that a lot of, a lot of government don't like encryption protocols being encrypted end to end because then they can't intercept them and keep an eye on criminals. If you have to unencrypt them, that takes a heck of a lot more work. 

[00:15:23] Paul: Yes, it takes, it takes a lot, it takes a lot more work, but at the same time, if one person has a backdoor, then everybody has a backdoor, which means that The overall society will not be more secure. Also, the police doesn't have the resources to go after, after every cyber criminal.

[00:15:43] K: but they're not asking for back doors, are they 

[00:15:46] Paul: no. And I mean, if they had all of the data. They would not be able to analyze all of the 

[00:15:51] K: Well, that is true. That is true. They, don't have enough people to cover the amount of work that they might want to go after anyway. So I don't know. What do you think about that? I mean, honestly, what do you think about, it seems like you don't like it,

[00:16:05] Paul: No, I mean, I'm, I'm, I'm in favor of end to end encryption and I'm pretty sure that law enforcement is clever enough to break it with some effort but to ban end to end encryption of communications, that also means that, people in less democratic regimes Are at risk because if you force telecommunications providers or phone providers or phone manufacturers or other device manufacturers to lower their standards, 

[00:16:33] K: that brings everybody in. 

[00:16:35] Paul: that brings everybody at risk, not just, it isn't easier for criminals to do whatever they, they, they want, but it's, it's more dangerous for everybody.

[00:16:45] K: Well, and that was my point. If they're not asking for a back door, they're asking for general band on encryption for end to end, which I'm right there with Paul. I. I mean, that would mean that my Teams chat within my company wouldn't be end to end encrypted. But I'd have to dig more into what exactly it is they're recommending.

But frankly, and this is where it irritates me for a lot of laws, they're only going to catch the casual criminals that way. They're not going to catch the professional criminals that way, because they're going to go ahead and end to end encrypt their communications anyway. Right. Yes. 

[00:17:16] Paul: exactly. Plus, let's also not forget, this all comes from the secrecy of correspondence. That is one of the oldest fundamental rights that exists. the communication secrecy that you are not allowed to opening a letter of somebody before it is delivered. That is, that has been a crime for many centuries.

Even though in the U S it is not officially written down in the constitution, 

[00:17:45] K: a law against it.

[00:17:46] Paul: You have a law against it, and it is also, it was already confirmed in 1877 by the U. S. Supreme Court as a fundamental right. I think here in, in Europe it even dates back to the 1600s where messengers were not allowed to read the letters that they delivered.

And although, The letter may be different because it's no longer written on paper with a ghost feather and ink and then folded and lacquered and sent away with a messenger. The communication is still the same. It's still something I 

[00:18:20] K: Communication. 

[00:18:21] Paul: in private.

[00:18:22] K: Yep. Between one person and another. Exactly. And, I mean, to be fair, things like WhatsApp app for communication is not as popular in the U. S. as it is in other countries.

[00:18:34] Paul: it's not, but iMessage is end to end encrypted as

[00:18:37] K: Yes. And I mean, Facebook messages just on Meta, which I think are pretty popular here are encrypted end to end. They didn't used to be. That's a new thing. That is encrypted end to end as well. But please also keep in mind people, there are certain pieces of the communication that cannot be encrypted.

The to and the from cannot be encrypted because the carrier has to be able to read those in order to transmit the message. If you go, if you think back to Paul's example about a letter, you, you you have to put an address on the outside of the envelope or they don't know who to send it to. And you don't have to put the return address, but if that's all you have to go by, then they would have no one to respond back to either.

Unless they actually open the communication. So there are some parts of communication that can not just from its pure functionality cannot be encrypted. 

[00:19:30] Paul: In modern speak, we call that metadata. 

[00:19:33] K: Yes, there you go. Metadata. you're right, the true, the from, and usually the subject field, if you're talking an email, are usually not encrypted, but that's because the subject field is rolled into the header information, which is the metadata.

So things like that yeah, just keep our days going up and up. Let's see, what else do we have? We have a lot of things that happened last week. 

[00:19:56] Paul: Yeah. Oh, there is more. 

[00:19:58] K: Microsoft. Yes. Did you catch that? Released its first responsible AI transparency report. 

[00:20:05] Paul: No, I missed that. 

[00:20:06] K: Oh they released it.

I started digging into it and then I got distracted with something else. I want to go back to it. I'd love to be able to bring on someone from Microsoft to discuss the responsible AI transparency report with us. Cause there was a lot of good stuff I saw when people have already been talking about it.

So I do think that was interesting. We love Microsoft's report on cybersecurity and things like that. So this should be another one as well. Let's see. Oh, you had a whole bunch of things over in Europe that What do you have? The Dutch Data Protection Authority issued guidance against the web scraping?

[00:20:41] Paul: Yes, they did. And the header in the press release is scraping is almost always illegal. which is almost always. Yeah. Which means that it's a fairly straightforward opinion, actually. Yeah. they claim once again that making something public doesn't mean you give consent for the information

to be reused. That only applies for sensitive personal data. That caveat that if something has been made deliberately public, that it is no longer sensitive. Also then, it doesn't mean that it can be reused. So publishing. Is not the same as consent. and that also means that scraping for another purpose is not just allowed.

So the Dutch EPA explains that if you want to scrape, you can only do so on the basis of a legitimate interest, but that legitimate interest almost never exists as certainly not if your intent is to make money off of something.

[00:21:37] K: To commercialize it for something else,

[00:21:39] Paul: exactly, there are there are a few exceptions the household exemption does apply.

So if you want to collect some things for personal use or to share it with your friends, that would be allowed also as a company to scrape news reports to keep track of what's being written about you as a company or as an individual. Those kind of things would be allowed but all these data resale services that keep notifying me on a weekly basis where I need to go back to them and tell them to delete my data.

Hey, we've built a profile about you and we're going to resell that to, to others. Those services are illegal and In principle, this, this kind of guidance would be the first step towards more enforcement. So look out for that in the next 18 months or so.

[00:22:25] K: Here in the U. S. even, if a person makes something publicly available, but caveated by making it publicly available for the intent of public consumption. just because you post something on Facebook does not mean it's intended for public consumption.

Different things, just because you, you say, just a lot of things there about people may post or write or state something publicly that they don't actually intend for public consumption. 

[00:22:53] Paul: Yeah, and that's the same conclusion that's in the EU Working Party 29 social media, social networking guidelines.

[00:23:02] K: Right. So, I think, I think that is something to take into account as well, that you have that. But there was also the Australian officials. Who announced a comprehensive overhaul of their Privacy Act. They want to enhance protections for women and children online. Now one of the things that they include, we've already talked about, that Australia was considering was banning deepfake pornography creation and non consensual distribution.

So outlawing Doxing, which I would hope y'all know what doxing is. It actually comes from this wonderful abbreviation that I can never remember what it is, but it's basically putting people's information online in order to, for other people to find them easily.

There's probably a better definition than that out there. If there is, I'll find it. I'll stick it in the show notes. they're looking at that and they launched a new phase of their stop it at the start campaign to counter misogynistic content online. So I think this is their privacy awareness week in Australia this week as well.

I think I've been seeing some media around there, so I love the privacy awareness week. That's wonderful. Not to mention this is also lupus awareness month. And we will probably publish this chat this week. Paul and I are running a little faster than we normally do cause we got a week behind, but I believe it will be published this week.

And if it is published this week, it will probably be on May 10th. May 10th is wear purple for lupus day. So I should have made Paul wear purple today. I should have worn purple today so we could take a wonderful picture and publish a picture for purple day. But we didn't. So, eh,

[00:24:38] Paul: Oh, well, there's always next year. In the meantime, this week in Kenya, there was also a big privacy event because the Pan African Network of Data Protection Authorities held their annual general meeting and as part of that event Kenya's cabinet secretary for ICT and digital economy called for digital sovereignty and data governance in Africa.

So basically being less dependent on Western technology Western products and more promoting the African digital products. 

Interesting, interesting development, of course. He also raised concern of the vulnerability of children today. Who are the early adopter of information and communication technology and called on the African Data Protection Authorities to promote child safety by making sure that age verification is in place and also weak consents are no longer possible.

Very interesting developments. You really see that Africa is developing fast when it comes to privacy and data protection. Certainly with Kenya playing a leading role kudos to data commissioner Immaculate Cassade for playing such a leading role.

[00:25:54] K: Yep. And then, you know, there's just some other things that have happened as well. This week there was a lot. There was a lot this week. There was, right? Let's see, what, what is it? Oh, there was one that was just on the tip of my tongue. I know that we had the, the White House report on the U.S. cybersecurity efforts. I have not read that yet, so I can't really speak about that. But what was the one? Oh, the CBPRs. Yes. so the global CBPR forum, we haven't talked about that lately. Looking at expanding the CBPRs in Asia for using global. You and I both worked on that a little bit when we were back on TrustArc as well, because they're big in that area.

but they have appointed accountability agents to issue certifications this summer. So the accountability agents are been approved in Japan, Korea, Singapore, Chinese, Taipei, and the United States. So organizations can now pursue global CBPR and global PRP, which are the processor rules for certifications for that.

And I think we talked about it a little bit. that there is a crossover walk between the CBPRs and the BCRs. I have noticed that the number of BCRs have actually decreased. I think companies let their BCRs go and started signing onto other types of protocols there for that.

But BCRs binding corporate rules. There's also binding safe processor rules available in Europe. They are very, very tough to get. They have made the process easier, but they're still tough to get. And now it's almost as if companies don't care if you have BCRs, they still want you to sign SECs and everything anyway.

So, but regardless. There was a CBPR crosswalk over to BCRs, and at one point, and I still believe this is true, it was faster and easier to get your CBPRs first, and then use your crosswalk over to get your BCRs as well. There was a recognition program there. So anyway, the global CBPRs are on the move. I haven't been following that very closely, so I'm glad to see that it's being rolled out and that might be something that companies might be able to rely on as well, especially there. The CNIL released a new assessment, to help to groups in the bcrs So, this is a questionnaire published by the CNIL, the French Data Protection Authority for BCR.

So, that might be something that will also help you if you're looking, So

[00:28:26] Paul: yes and no. 

[00:28:28] K: yes and no, you're going to throw some water on my chocolate here, aren't you?

[00:28:32] Paul: I do because I don't hear a lot of enthusiasm for the global CBPR system in the European Union, which means that interoperability is far away. 

[00:28:44] K: Or maybe if not far away, not necessarily recognized.

[00:28:48] Paul: Well, I mean, the, the, the referential that facilitates the easy crossover from a CBPR to a BCR and vice versa. They have not been updated in a while, so they don't need, they don't align with the latest versions. Plus

[00:29:05] K: was going to say, I haven't done that analysis to see if the global CBPRs followed the same alignment. I imagine they are a little different. I'm excited about the global CBPRs. I just don't know from a realistic perspective how well accepted they are.

[00:29:19] Paul: Well, I mean, also the CBPRs weren't, well, let's say it kindly, not a massive success so far.

[00:29:25] K: Yeah. 

[00:29:25] Paul: So I'm, I'm less optimistic than you are.

[00:29:30] K: But I do think it's interesting that it is something. outside Europe that is trying to drive a global interoperability.

[00:29:39] Paul: How can there be anything interesting outside of Europe, K?

[00:29:44] K: Oh, if I said how much, how much I love you. And I need to say that 

[00:29:50] Paul: because tomorrow, tomorrow is Europe Day. The, the, the 9th of May is Europe Day, Chu Monday the day that the very first European treaty was signed. 

[00:30:00] K: Yes. And by the way, we've been using the CBPR acronym without saying it, it is the cross border privacy rules. so CBPRs we throw a lot of acronyms at people. If you're new to our podcast, you can usually catch on to, mostly everything, but every now and then we throw out some acronyms that we probably should explain what they stand for. 

[00:30:21] Paul: So if I tell you the acronym BFDI, what do you say then?

[00:30:24] K: My best friend does what? 

[00:30:26] Paul: or the Bundesbeauftragte für den Datenschutz und Informationsfreiheit, the German Federal Data Protection Authority. 

[00:30:34] K: bless you, bless you ten times over 

[00:30:37] Paul: so the German Federal Data Protection Authority will get a new commissioner. this was already, Expected to some extent because the German government did not extend the term of the outgoing, German Commissioner Ulrich Kelber. He is, he has been the caretaker commissioner since the 1st of January and earlier today on 8th May the German government has confirmed that they will propose Louisa Specht Riemenschneider, a very German name Louisa Specht as the new German Federal Data Protection Commissioner.

Probably next week she will be officially elected by the German parliament and then subsequently appointed by the president and then take office probably in the course of June she is a lawyer. She has no party background and she is from the western part of Germany So yeah, a new commissioner, a new German commissioner of course, always an important one in the EDPB.

But at the same time, I think it's also a disappointment for many because Ulrich Kerber was well loved both by his staff and his colleagues. So there have been some political games here behind the scenes allegedly on, on his replacement. Maybe some thought that he may have been a bit too critical also against government policies, which His role.So, 

[00:32:04] K: that, there's always that political game to play, right? I suck at it. 

[00:32:08] Paul: sad to see him go, but he will be replaced by Luise Specht. she has no background in data protection as far as I'm aware. She is a lawyer, but that's about all that the press releases have said so far.

[00:32:21] K: Ah, beautiful. One last thing and we'll close it out. The EU Council approved a protocol aiming to facilitate the free flow of data between the European Union and Japan. So hoping to make sure not to limit data transfers by localization measures. So that's something to watch as well if you do business in Japan.

Maybe if you had some prohibitions on you, so hopefully this will help facilitate the free flow of data there. And I don't think I had anything else top of mind. There's a lot there. There's a lot. 

[00:32:53] Paul: Oh, I'm sure we missed certain things. Well, there was the, the, the massive data breach in the UK military. Check your service providers, always check your service providers because in this case, a payroll provider leaked a lot of personal data of soldiers those things happen, but of course it's not something that should happen.

But on that note, we'll wrap up another episode of Serious Privacy. We'll try to find some guests. We are talking to some guests and trying to actually also schedule them. That is. That is also a challenge for us but to schedule some guests for the next couple of weeks. So also stay tuned for that.

And on that note thank you for joining us. If you liked the conversation join us on LinkedIn under Sirius Privacy. You will find K on social media as @HeartofPrivacy, myself as @EuroPaulB. Until next week. Goodbye. 

[00:33:42] K: Bye y'all