Serious Privacy

A holy week in privacy

May 17, 2024 Dr. K Royal and Paul Breitbarth Season 5 Episode 15
A holy week in privacy
Serious Privacy
More Info
Serious Privacy
A holy week in privacy
May 17, 2024 Season 5 Episode 15
Dr. K Royal and Paul Breitbarth

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Show Notes Transcript
On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal discuss a holy week in privacy where the V’s took front page - the Vatican issued a privacy decree and Vermont is trying to pass a strong privacy law and a coalition of state Attorneys General signed a letter imploring Congress not to preempt their privacy laws. In addition, CO AI bill is in front of the governor, Maryland passed a kids code, Google and Apple is hosting their annual developers conference, the U.S. Senate Bipartisan AI Working Group released their roadmap, the spring conference of the European Data Protection Authorities in Latvia, and updates to the Cyber Security agency of Singapore, the CSA.

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note that this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:12] Paul: So our last week seemed to be crazy busy. This week actually was a bit more relaxed, but still there is news to update you on, and we will do that, including on the groundbreaking new data protection legislation in the Vatican. That and more in today's episode of Serious Privacy. My name is Paul Breitbarth.

[00:00:34] K: and My name is K Royal and welcome to Serious Privacy. This week is all about the Vs. I like the Vs. But first, icebreaker question, and I found an awesome one. Of course, it's the first one I really read, but it's awesome. What dog breed would you be?

[00:00:53] Paul: I'm in, I'm in many minds. It probably would either be a Labrador or a Dachshund.

[00:00:58] K: Okay, I wasn't expecting the Dachshund. The Labrador, I could see. Why a Dachshund?

[00:01:06] Paul: just because they are always so cute and friendly and playful and eat a

[00:01:12] K: back problems?

[00:01:14] Paul: well, yeah.

[00:01:16] K: Oh, I love it. Okay, I'd be a cat. Sorry.

[00:01:21] Paul: That's not a breed of dog, I'm sorry. That's not an acceptable answer.

[00:01:25] K: Okay, I'm rolling my brain. What kind of dog is smart? As my client said, brilliant but scattered. So, what's kind of a ditzy dog? It wouldn't be a Chihuahua or a Poodle. Oh, oh, like a Jack Russell Terrier. I don't know.

[00:01:43] Paul: Oh, you want to bite people’s ankles?

[00:01:47] K: Nip, nip, nip, nip, nip, nip. 

I think of the big dogs and the only one that comes to mind is a greyhound, because other than when they're going 90 to nothing, they're big cats. They just lay around and want to be cuddled. Alrighty, let's dive in this. Now, I just, I've been traveling. My daughter graduated med school last week. I'm not going to tell you the travel hell we went through. I'll post all about it online, but just suffice to say, we actually walked in, as they called, Dr. Karis Royal to walk across the stage.

[00:02:20] Paul: Well, congratulations on that.

[00:02:22] K: We did. It was at like the end of a two hour ceremony. She was in the last group. They went by their houses. And so she's getting ready to move cross country. She'll be in Memphis. We're very excited about that.

[00:02:35] Paul: Yeah, for me that's all still in the South, so still very close together, but, yeah.

[00:02:39] K: It's about an eight hour drive, so it's not horrible.

[00:02:43] Paul: well, I mean, an eight, no, I mean, eight hours is what you would drive if you would go on vacation from the Netherlands to, say, Southern France.

[00:02:52] K: There you go. See, that's awesome, right? You just say, that's just a weekend drive. It's good. So,

[00:02:57] Paul: not a weekend drive. That's a week's drive. You don't drive eight hours for a weekend trip.

[00:03:03] K: oh my gosh, but it was also while the northern lights were visible, even in Arizona. did you see I didn't go out looking for them on Friday night, so I missed them. Now, my mama and I went out looking for them on Saturday night. We didn't find them. We were out hunting wabbits, and we did not find wabbits. no. Saturday night was was not a good night, but Friday night was amazing. I saw them from my back 

[00:03:26] Paul: I've got, I've got an amazing picture just from my back garden. I went to the beach actually to spot the Northern Lights. I did, but it became very cloudy very 

[00:03:36] K: Wow. 

[00:03:37] Paul: so there were not very nice pictures to be taken. And then friends started texting from where they were around the country and the light was not just green anymore, but also the pink and the purple. so I thought, okay, I'll go back outside again and then just text. At my front door and in my back garden, 

[00:03:55] K: Oh, my gosh. Now, I need to look at horizontally how level y'all are with what states in the U. S. I think we looked at it before. You were like New York, right?

[00:04:04] Paul: yeah, I think it's, it's about New York.

[00:04:07] K: And There were pictures Friday night from people right up the road from my mom in Mississippi and people from Florida. It was just, Oh my gosh, this, you know, it's on my bucket list. I'm going on a cruise in Alaska, going to try to catch him and just imagine had I not been so flabbergasted from traveling, then Friday night, I might've actually been outside trying to find the pictures. 

[00:04:30] Paul: Yeah. Now there were amazing pictures from the Alps as well. Just imagine all those snowy peaks and then in scattered pink light. You may know that there is a big cycling round going on in Italy at the moment, the Giro d'Italia, men's cycling, and their main jersey is a pink jersey. So they posted on social media didn't our marketing team exceed themselves this year because all the alps were pink

[00:04:56] K: That is fabulous. That is absolutely fabulous But it really was messing with phones and computers and everything else While we were traveling crazy people like well, why would the Northern Lights mess with you know phones and TV and computers? 

[00:05:11] Paul: lights. It's the 

[00:05:12] K: Yeah, well, it's a huge. What do they call it a geomagnetic storm officially? So it's a Absolutely bonkers. So, okay, so

[00:05:21] Paul: it was the biggest one in 20 years. So 

[00:05:23] K: right? Gosh, and I don't have pictures of it. In the Vatican, we've talked before on this show about how obsessed I am that what does the Vatican do for privacy? It's in the middle of Europe. It's an independent, independent country. location, but they have people that work there and that come there from Europe.

So they, they purposefully market. I don't know that marketing is the right word, but they purposefully do business in Europe that's covered by the GDPR. What kind of privacy do they have? And lo and behold, in the midst of everything else, they issued a privacy decree. So 

[00:06:04] Paul: Yeah, it's a degree promulgating the general regulation on the protection of personal data for the city of the vatican for the state of the city of the Vatican. So, it's in Italian. So I've, I've gone through it trying to understand parts of it. It's not that long.

It's 20 pages. It's 28 provisions. It was promulgated on the 30th of April of 2024. So it's been in force for two weeks now. And it will remain in force as an experiment for three years. So this is this is a law with a horizon clause, a sunset clause,

[00:06:42] K: Okay. 

[00:06:43] Paul: it will apply for three years.

The main provisions are fairly similar to what you see in the GDPR. The definitions are fairly similar. The legal basis to a large extent, everything is based on consent. There are the exceptions for contract and the legal obligation public interest. There is no legitimate interest notably.

and also the law does not apply to anything manifestly made public by the data subject. So that is also different from the GDPR, where that manifestly made public only applies to special categories of data. Here it applies to everything. So if you put something on a website or on social media the Vatican would be able to to use that data.

Or at least it's not covered by this data protection regulation. for the rest, it's the individual rights, the way you would expect them. Some obligations on the data controller and complaints can be made with the judicial authorities in the Vatican that have 30 or up to 90 days, if they extend it for reviews I haven't been able to understand.

Anything specifically related to sanctions so I think it's only making sure that any any contraventions are ended, but there are no specific rules included related to fines or, or, or things like that.

[00:08:14] K: Right. And what I, what I've got is that the, and I had to find sites that translate this for me and everything. So these are official translations, I think either provided by or supported by the Vatican, but it's closely modeled on the European GDPR. It only applies to the Vatican State and its institutions on national territory and in extraterritorial areas, but not to the Holy See and the Curia.

[00:08:41] Paul: no, and that also means that it doesn't apply to the church in general.

[00:08:45] K: Right, so it includes, it includes the rights as you said and everything, but the interesting thing is this is only a trial for three years.

[00:08:54] Paul: Yeah, that is, that is what surprised me. And on the other hand from a legislative perspective, I'm actually very much in favor of having sunset clauses in legislation. 

[00:09:05] K: Okay. 

[00:09:06] Paul: because it also means that laws that are unwanted just expire if nobody pays attention to it so that you

[00:09:13] K: And laws they do want can be amended and revised on a

[00:09:17] Paul: Yeah. And then you have a debate about it. If, do we still want this? Like we've seen with FISA, And then the, the outcome may not always be the one that you would expect or would like. But in any case, you have to debate going, do we want more of this? so in, in that respect, I'm in favor of sunset clauses.

Here it's also a trial, because I don't believe that the state of the Vatican has the done similar legislation. I mean, they refer to their constitution. That is dated on the 13th of May, 2023. So just over a year. And I think that's an updated version of the constitution because there are older laws also referenced going back to 2008 and 2018.

And I would be surprised if there were no other older versions of the constitution of the state of the Vatican. But yeah, this, this law would apply to, for example, the Vatican bank and the Vatican museum, and all the other institutions, the Vatican postal services. 

[00:10:16] K: a lot of people don't think about, right?

[00:10:19] Paul: Yeah, but it is a country in itself, even though it's only, what, 1.3 square 

[00:10:25] K: right, right, but it does have people from all over Europe, which is what we had talked about before. 

[00:10:30] Paul: It has a railway. of, I think, 800 meters. But it has a railway, so Yeah, it's it's interesting. 

[00:10:37] K: It is, it's, 

[00:10:39] Paul: So it doesn't answer your church, your, your question. What is the Roman Catholic church doing,

[00:10:44] K: right? 

[00:10:45] Paul: with personal data? 

[00:10:47] K: it gets me a step closer. It does say that they do have data protection officers. It's always carried out by the presidents of the Vatican Council of State. They're the ones that receive the complaints and, and the rights and everything like that, but unlike the Data Supervisory Authority, Authorities under the GDPR, they cannot impose sanctions.

The sanctions come from the president of the governorate, the head of government of the Vatican State, who makes a vi a binding decision as to whether the data protection violation has actually occurred. They cannot be appealed.  The decisions are final and the council of state is currently chaired by the Italian lawyers, 

[00:11:29] Paul: Cesare Cesare Mirabelli and Vincenzo Buonomo,

[00:11:34] K: Chisare 

[00:11:35] Paul: Mirabelli 

[00:11:36] K: and Vincenzo Buonomo. 

[00:11:38] Paul: Fernando Verghez

[00:11:41] K: And I'll give you the link to this, too. This is something that is explaining all of it, and it looks like it's an official site. I'll put it in the show notes, but let me post it here for you.

Okay, so this is where I'm reading this from. The head of the government is the Spanish Cardinal Fernando Vegeza buonomo also heads the disciplinary commission of the Roman Curia. Now, people, I don't know if I'm going to leave all this in or not, where Paul is telling me how to pronounce these names that don't come naturally to a little redneck from Mississippi. But if I do, I'll take this sentence out.

So Let's see,, the Pope delegates the affairs of government to a Cardinal who has his seat in the Vatican Government Palace. In 2023, Pope Francis promulgated the reformed, the basic law of the Vatican State. So, there is that as well. So, he is the head of state, but he delegates it out, appoints people to actually manage. 

[00:12:38] Paul: Yeah, so that's the new constitution of the Vatican. 

[00:12:41] K: Exactly. So we're good there. This is going to be interesting. I still got to dig in and see, but I love the fact that they have something. This gets me a step closer to understanding how does the Vatican work when it's in the middle of all of this data protection legislation that has essentially changed the way the world handles personal data, knowing that they have a ton of personal data.

Which inherently, in one respect, comes with a binding, soul binding, no less decree of confidentiality. But for everything else that happens in the Vatican City, what do you do with the workers and the hospitals and, as you said, the railway and everything? So this is interesting. This is very interesting.

But also very interesting, another V, Vermont passed a state law. Let me see if they actually passed it. So Vermont privacy law, You know, announced they passed it, but then let's see. I've got one hour ago, if he signs it, they will become a privacy leader. 

[00:13:44] Paul: On May, on May 11th, he hadn't signed yet.

[00:13:47] K: All right. So let's, let's talk a little bit about the Vermont privacy law. it's not a law yet. So Vermont legislature has passed a bill. This is a very unusual one. So this is not one I think most people were paying attention to.

And apparently it was a last minute compromise between the House and the Senate that would prohibit the sale of sensitive data, allows consumers to file civil suits against companies that violate their data protection rights. Now this isn't, Consumers can file a lawsuit if a company has had a breach.

This is if they violate their privacy rights. I think specifically related to the sale of sensitive data, but I'll have to pull this up. I think it's other rights as well. But this is a very unusual action to take. I was not expecting this out of Vermont. And people, I have to tell y'all, I don't go read all the privacy bills that are proposed in the U S not on the federal level and not on the various state levels, 

[00:14:48] Paul: that would take days. 

[00:14:50] K: Right? 

[00:14:50] Paul: Every week. 

[00:14:52] K: It would. It would. It would be crazy, and then they get changed in committee and everything like this. I did hear that Vermont was considering one, but there was talk as to whether or not it would actually pass because of the private right of action. That is a huge contention between most of the parties or the people in the parties, and so I Really had no hope that this one was going to pass.

There may be someone in Vermont who was closer to the story who maybe can give us some more insight on this, but it is interesting. I did look and an hour ago, it still says the governor has not passed it. By the time we publish this, probably on Friday, we're still missing that one week people where we have a week.

We're going to catch ourselves up. We promise. But it said that they didn't know if the governor was going to pass it or not, or was going to sign it or not. I mean, we often hear in laws that, you know, the governor has already proposed or already stated that he's going to sign it or she's going to sign it as soon as it gets to them.

Vermont, apparently it's an iffy, iffy thing. They may or may not sign it. So that is something we need to look for. Did you pull out anything in Vermont that that stood out to you other than this private right of action?

[00:16:03] Paul: You mean other than maple syrup?

[00:16:09] K: Well, apparently they move faster than maple syrup but EPIC did the Electronic Privacy Information Centers at EPIC. org. It's a wonderful think tank organization out there. They support this one. It does have data minimization requirements that set meaningful limits on the amount of personal data companies can collect and use.

There is a prohibition on the sale of sensitive data. We can get you that definition as well. Strong civil rights protections against digital discrimination, and then this limited right of action. And so, the person that pushed it was Vermont Representative Monique Priestly.

And the Maryland governor signed the Maryland Online Data Privacy Act as well. So it, it kind of, Maryland and Vermont, as y'all know, are right there together. They're right there with Delaware and some of these other small New England states. And so I'm sure they all talk together, which is one thing I think is fabulous.

Or as we learned at IAPP the state government Enforcement agencies, so usually the staff or the attorneys general or if they have an agency that actually manages data or looks at that, they all talk together, they all work together, they call each other up and ask for advice and what would you do this and everything like that, so these laws may be slightly different from word to word, but don't ever fool yourself that they're not talking to each other.

[00:17:33] Paul: No, I mean, it would, they would be foolish if they wouldn't. 

[00:17:36] K: right? So, just like we learned about the European legislators, talk to each other and, you know, they try to work together and take a consistent approach and look for insight from each other. Very much a big collaborative effort.

[00:17:51] Paul: yeah, although the legislators across Europe don't speak too much about specific bills, I would say, but more about general policy, along par along party lines. 

[00:18:02] K: way it works, right? 

[00:18:03] Paul: Yeah, the the governor, Phil Scott has not signed yet. At this time he has announced that he will veto an increase of the property tax in double digits.

That was two days ago, but there is no news on the data protection legislation, whether he will accept it or not. But private right of action is interesting.

[00:18:23] K: right? 

[00:18:24] Paul: especially in, in, in light of the the efforts to create a federal legislation which would leave room for preemption, then this private right of action could probably also survive, a federal data protection law.

[00:18:40] K: Right, which is interesting if the federal passes, right, because then you see whether or not all the activities by the states actually go to waste or not, which is why the states are so against a federal privacy law that would preempt their actions, or at least not include a it. a provision that it does not preempt state privacy laws that are more protective.

[00:19:03] Paul: Exactly. but yeah, according to the spokesperson of the governor, he has not decided what to do with the bill yet. we'll see.

[00:19:13] K: Yeah, and it says that this, just this past Thursday, that the California Attorney General Rob Bonta and a coalition of 14 other state attorneys general wrote congressional leaders a letter imploring them not to allow federal legislation to preempt state rules. And so, we'll make sure to give you that, I think we have a copy of the letter that was sent to them.

So, we'll make sure that you do that as well. I'm still trying to pull up a definition of Vermont's sensitive data. For some reason, all the links take me somewhere else.

[00:19:46] Paul: Yeah, but the website from the state legislature is also down.

[00:19:50] K: Oh, that might be why it's not opening. Okay. So, we'll pull that up as well. Let's see, all I got is the Senate Proposed Amendment.

So looking at their definitions, this is really interesting. Y'all know some of the ones that we, we really look at. So starting from the top, one of the ones that I like to look at is biometric data. This one does not say that it's biometric data used for the purpose of identifying somewhere.

Now it might somewhere later in the law, but the definition does not say that is data used to identify someone. Child has the same meaning as in COPPA. So, as y'all have heard us talk before, that means that if COPPA changes, then this law's definition of child will automatically change with the COPPA definitions.

I like that a lot better than defining child as someone under 13, Meaning if COPPA changes, the law is going to have to come back and be revised if they wish to change the definition of a child. They do have definitions of consent that I like that and consumer is the resident of the state. It does not include commercial or employment context, so it eliminates B2B and employee, 

[00:20:57] Paul: And Europeans. 

[00:20:58] K: In Paul's world, it's a person, people. It's a person. In our world, it's a person as long as it's not B2B or employment. 

[00:21:06] Paul: And as long as it's a local person. 

[00:21:08] K: They do use, controller processor. Now, here's the thing, and I wanted to point this out. I don't know that we've actually pointed this out on the podcast before. I think we did When we talked about the state laws that have passed and gave y'all a big summary, but de-identified data means data that does not identify and cannot reasonably be used to infer information about or otherwise be linked to an identified or identified individual or device linked to the individual.

If the controller. One takes reasonable measures to ensure the data cannot be used to re identify or reasonably linkable back to an individual or household, like that they threw household in here, and reasonable measures includes de identifications they actually specify a law other requirements relating to the uses and disclosure of protected health information, so under HIPAA, and you have to publicly commit to process the data only in a de identified fashion, and not attempt to de identify the data.

So for all of you companies out there that say that you use de identified data and in contract that's what you're doing with your clients, if you don't have a public commitment to using de identified data and not attempting to re identify the data, technically doesn't meet the definition of de identified data in most of the state laws that have been passed.

Also, you have to contractually obligate any recipients of the data to satisfy the criteria above. They have to publicly commit and have internal protocols and processes to not re identify the data as well. So, if you don't have all that in place, I'm just saying. Let's see. I'm scrolling down.

They do have gender affirming health data as a definition as well, so expect to have some information on that. Genetic data, geofencing they have definitions, so expect that. And then, hold on. Personal data does not include de identified data or publicly available information. They do have a definition for profiling, so expect that to pop up as well.

They do have a definition of pseudonymous data, so that's a good one as well. Publicly available information, and Paul and I were just talking about this on the last episode, means information that is lawfully made available through federal, state, or local government records, or widely distributed media, or a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.

That's interesting. Okay, sale of personal data. Here we go. Drum roll. Means the exchange of a consumer's personal data by the controller to a third party for monetary or other purposes. other valuable consideration, including for political gain. That's a new definition, political gain. It does not include the disclosure of personal data to a processor in a normal vendor situation.

The disclosure to a third party for purposes of providing a certain product or service. Requested disclosure to an affiliate of the controller. Disclosure where the consumer directs them to interact with a third party. Disclosure of personal data that the consumer has made public or did not restrict to a specific audience.

Disclosure of personal data to a third party that's part of a merger acquisition, blah, blah, blah, blah, blah. Okay. Here we go. Finally, sensitive data means government issued identifier. Consumers racial or ethnic origin, national origin, citizenship, information immigration status, religious or philosophical beliefs, union membership, or political affiliation.

Woohoo! Reveals a consumer's sexual orientation, sex life, sexuality, or status as transgender or non binary. Reveals a consumer's status as a victim of crime. Is financial information including their tax return, account, financial account number, financial account. Debit card, credit card with any required security or access code, password, or credentials, consumer health data personal data collected and analyzed concerning consumer health data or personal data that describes or reveals a past, present, or future mental or physical health condition, blah, blah, blah, blah, blah, is biometric or genetic data.

It does not say use to identify a person. Now here, that's key people. Usually the law say biometric or genetic data or not genetic, but biometric data used to confirm a person's identity. This does not. This is biometric data. That, that's key. Is a photograph, film, video recording, or other similar medium that shows the naked or undergarment clad private area of a consumer?

Oh, I don't like that. We talked about this the last time too, or is precise geolocation data. If you have that, that broad thing, photograph, film, video, recording, or other similar medium that shows the naked or undergarment clad private area of a consumer, you might unintentionally be cutting out artwork or advertising.

I mean, think of all the catalogs that have, you know, that sale. undergarments. They usually include pictures of people in undergarments, 

[00:26:37] Paul: which would make sense to include those if you want to sell them, right?

[00:26:42] K: Right, but it also says that it doesn't include data in a commercial or a employment context, so you might be able to You might be able to exempt those out, exempt those out from the definition because it's in a commercial context, but what about artwork? And we're thinking of some of the famous, you know, videos, statuary, things like that, that show nude or undergarment clad, but they're not consumers. They're not residents of Vermont.

[00:27:10] Paul: So time will tell, and probably the courts will tell what we actually need to make of this provision.

[00:27:16] K: Right. interesting because there's some very intertwined

[00:27:21] Paul: it's not interesting at all because maybe the governor will veto the bill and we've been talking about this all for nothing.

[00:27:29] K: that will never be the case.

[00:27:31] Paul: So what else is happening in your part of the world? 

[00:27:34] K: I have no clue what else is happening. Paul, I have been divorced from the world for a week. 

[00:27:38] Paul: I wanted to tell you that this week in in Regab, so in Latvia there is the spring conference of European data protection authorities.

So you have every fall, you have the global privacy assembly, which is the global conference of data protection authorities in Jersey this year.

And the EU has an equivalent or not, I shouldn't say the EU, Europe has an equivalent because these are all the countries that are signatories of the EU convention, on human rights. And then the convention 108, obviously on the automated processing of personal data. So it's the 32nd time this conference was held So this year's spring conference was held in in latvia there is not an overarching team for for this conference, although The public session there is two closed session days Only accessible for dpas and their staff and there is one Half day, which is publicly accessible. That is all about the relation between the GDPR and anti money laundering provisions.

so that's actually an, an, an interesting topic. Also how supervisory authorities can collaborate how that all comes together. But earlier on the opening day, the EDPS, Wojciech Wierowski he gave a speech on the availability of health data. And that's actually a, a nice bridge to next week's episode, or two weeks from now when we speak to Ead Kist, who is a, a Dutch researcher at one of our leading cancer institutes, who is defending her PhD also on health data.

In the, in the coming weeks.

[00:29:19] K: forward to that.

[00:29:20] Paul: Wojciech actually said today that he believes that GDPR offers sufficient possibilities to exchange health data, especially for research purposes, there are exceptions and exemptions in the legislation, and as long as the health data is intended to be used for the public good, while at the same time, providing a framework of safeguards this all should be should be possible.

Of course, there should be robust data governance mechanisms in place that also provide guarantees of legal, responsible, and ethical management of research based on EU values. including respect for fundamental rights. The snippets of the speech that have been made public don't talk about international cooperation.

So outside of the European Union, but that might be a good topic for the next couple of weeks to discuss as well.

[00:30:09] K: and tee this up people in your minds, and, and Paula and I have talked about this before, why would health research data be as restricted as it is? Quite often, that is what helps the advancement in diagnosis and treatment, and the individuals typically want their data to be shared.

Because they want to be able to help other people. So there has to be some sort of cooperative mechanism here to make that happen.

[00:30:42] Paul: Of course, but at the same time, fundamental rights need to be respected and that includes also the fundamental rights legislation. So yes, it should happen. And maybe in the distant future, when the GDPR is reopened we should actually create some additional legal basis for for data exchange for these kinds of purposes, indeed for the public good. but right now they don't exist.

[00:31:08] K: Okay. And in further news, okay, so Colorado on May 8th passed the groundbreaking Colorado AI Act. It was Senate Bill 2005. It's effective January 1st, 2026. 

[00:31:23] Paul: It was sent to the governor on the 13th of May. So that's only two

[00:31:27] K: That's two days ago, and apparently they're not as fast as we would like them to be. It's like, not like they have anything else to do. So the C. P. P. A. 's rulemaking authority is being challenged. We talked about this before in the Superior Court of California. The hearing is set for June 22nd. So make sure that you watch that.

The issue is whether the agency can issue regulations without providing a grace period for compliance measures. So we want there to be a grace period. You can't exactly pass it and then the next day expect everyone to be compliant. Maryland's governor signed two significant measures. aimed including Maryland Kids Code.

So, hello Kids Code, here we come again. It's the second state to have stringent regulations on this and I believe there was two measures on basically the same thing. So, make sure you're looking at the Kids Code. So, that attorney's letter that we talked about. Spain's Data Protection Authority released guidelines for treatments involving Wi Fi tracking technologies.

Emphasizing the potential privacy risks associated with Wi Fi tracking. So that might be one. All of these it will absolutely link to if you had it. I was looking to see if there was other news that popped up that we have it. So Singapore approved cyber security updates. They amend their cybersecurity law to boost oversight of national interest and essential services. So think utilities. So it was May 7th.

They passed the bill. So it includes temporary systems set up to support the distribution of vaccines as well as to host key international summits and other high profile events. So they're catching up to some of these others. They say the expanded oversight of the cybersecurity agency of Singapore, the CSA comes as threats can often be obscured with increased digitalization, it, the first changes to the Cybersecurity Act since it came into force in 2018. So watch that one as well. What did you have, Paul?

[00:33:31] Paul: So the other thing that's happening now and also next month It's Google and Apple having their annual developers conferences. 

And not only data protection conferences are all about AI, also detect developer conferences are all about AI this week, it's Google's turn. Google has announced a whole range of AI capabilities for all of their tools.

Including their phones, obviously but also Google workspace, so AI capabilities in Google docs and also in Google meet helping you with summaries of your meeting or summaries of your emails and things like that. The one thing that some people are already screaming out about is that Google also promises to use AI.

To help detect spam calls, which probably would mean that they will start listening in to your calls as well to help detect what will happen there, and I'm not so sure that that is the best idea, if 

[00:34:25] K: Boo! 

[00:34:26] Paul: start listening to your calls.

[00:34:28] K: Oh, I don't like that. But, 

[00:34:31] Paul: of the two evils is worse?

[00:34:33] K: but speaking of AI the Senate Working Group, or the Bipartisan Citizen Working Group, I guess I should say that, released a road map for artificial intelligence policy at the United States Senate. So, I have not dug into that one, but it does say that there are nine Forums to address more specific policy domains.

The AI working group hosted nine bipartisan AI forums in the fall of 23. Those forums covered in their inaugural forum supporting us innovation, the workforce, the high impact elections and the democracy, privacy and liability. Transparency with explainability, IP and copyright safeguarding against risk and national security.

So the road ahead. Okay, it gives you some overarching thoughts. We're steadfast in our dedication to harnessing the full potential of AI while minimizing the risks of AI in the near and the long term future.

I'm looking their roadmap includes supporting U. S. innovation in AI. Some very lofty goals what they will do they will encourage committees to do AI in the workforce. So they have bullet points under these things that they expect to work on. 

The 31st page is an end page. It doesn't count. So page, 30 pages is really, really good reading. I will make sure to give you a link to that. That way you can read it yourself. Some of the last, latter pages in the appendix actually just give you who are the members of the working groups and things like that.

So it's really only 20 pages of substantive material to read. So it's not, it's not a long read. I think y'all will enjoy it to look at. I mean, I like these kinds of reports. 

[00:36:17] Paul: I think this is all we have time for. for this week, K. Apologies, this was a bit of a messy episode. But we still hope you enjoyed it. If you did, please share with your friends and family, as always. If you did, if you didn't, just tell us that you didn't like it.

Join the conversation on LinkedIn. Find us under Serious Privacy. We have some nice conversations ongoing also with potential guests on LinkedIn. So we are scheduling those, but traveling schedules make life a little difficult at the moment. And also houses and things like that. It's, it's hard.

You know what it's like, we've been talking about it. If you want to find Kay on social media, you'll find her as @HeartOfPrivacy, you'll find me as @EuropaulB. next week, goodbye.

[00:36:59] K: Bye, y'all.