Serious Privacy

The first week in privacy - hot news now

Paul Breitbarth, Ralph O'Brien, and Dr. K Royal Season 6 Episode 2


On this week of Serious Privacy, Paul Breitbarth of Catawiki, Ralph O’Brien of Reinbo Consulting, and Dr. K Royal launch the first week in privacy for 2025. Topics include State laws in the US entering into effect (link to White & Case article, but bonus for 10 areas for US-based privacy programs to focus in 2025 from Hintze Law) to a TikTok ban that was there and then it wasn't. European Data Protection Board opinions. Court of Justice of the EU. Regulatory issues in Kenya. So much more. And did we even talk about DeepSeek? Remember to like and subscribe!


If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

Please note this is mostly an automated transcript. For accuracy, listen to the podcast.

 

[00:00:18] Ralph O'Brien: It's been a busy couple of weeks in data protection and privacy world. State laws in the US entering into effect to a #TikTok ban that was there and then it wasn't. New #European Data Protection Board opinions. #CourtofJustice of the EU. Regulatory issues in #Kenya. And so much more. Oh, and did we even talk about #Deepseek? So welcome to a very extended week in Serious Privacy. My name is Ralph O'Brien.

[00:00:46] Paul Breitbarth: I'm Paul Breitbarth. 

[00:00:48] K Royal: And I'm K Royal and welcome to Serious Privacy.

[00:00:51] Ralph O'Brien: Yes,

[00:00:53] K Royal: a lot packed in for this week. This is gonna be good, right? We're starting off 2025 with a bang. I love it. Tell us more. Who's got the first story up?

[00:01:03] Paul Breitbarth: No, no, no, no, no,

[00:01:04] K Royal: Oh, wait a minute! Unexpected question! Unexpectedly, I forgot that. 

I like to do these random, where I don't even know what the question is coming. So, let's see. What's your favorite thing about your hometown?

[00:01:17] Ralph O'Brien: Wow. Okay. What's my favorite thing about my hometown? Well, is it my hometown or?

[00:01:22] K Royal: That you're no longer there.

[00:01:23] Ralph O'Brien: I mean, my hometown is a very small town beside the sea, a fishing village, so yes, that I'm no longer there is possibly one thing. Equally I could add that where I am now used to be a brickworks, so it's one of the few planned towns in the UK.

With everything very much sort of planned and it's actually very sort of picket fencing compared to quite a lot of places that just sort of sprung up medievally. So there we go. There you go, where I am now is, is a, is a planned

[00:01:55] Paul Breitbarth: Yeah, I would say my hometown is where I live now. That at least feels like my hometown, although it's not where I was born. But for me it would be the beach. The beach and the sea. It's great living near the waterfront to just watch over the waves and sit down and see the sunset if the weather is nice.

Best place.

[00:02:16] K Royal: And for me, it was exactly as I joked about with Ralph that I'm no longer there. I'm from a small town in Mississippi called Meridian, Mississippi. Had a population of about 30 to 50,000, which isn't tiny. I mean, it's not a little village.

And I guess my favorite thing is that Jimmie Rodgers, who is considered the father of country music, is from Meridian, Mississippi. And the father of rock is from Mississippi and the father of jazz is from Mississippi and the father of where we'll just stop there.

Mississippi has a lot of arts, but that's my favorite thing about my hometown.

[00:02:48] Paul Breitbarth: Isn't Dolly Parton from Mississippi too?

[00:02:51] K Royal: Oh no, she's from Tennessee.

[00:02:53] Paul Breitbarth: Ah, okay. It's all in the South,

[00:02:55] K Royal: from the south. Yeah.

[00:02:58] Paul Breitbarth: So, indeed, a lot has happened. So, let's start just by looking at what happened this week and then go backwards a bit towards Christmas, I would say. What happened today, Ralph, you looked into that, is the Court of Justice of the European Union. 

[00:03:13] Ralph O'Brien: can start back up to date today and by the way today is the 29th of January, 2025. So

[00:03:20] Paul Breitbarth: Happy second data

[00:03:21] Ralph O'Brien: Happy second data protection day or in fact, happy birthday to one of my children. So there we go. And we've also been blessed with a judgment from the court of justice of the EU. Now this one's an interesting one because this isn't against a controller or a processor.

This is actually against the supervisory authority. People might remember that the data protection commission of Ireland challenged the European data protection board's competency over interfering or the dispute resolution process with Facebook and Meta last year. And well, surprise, surprise the DPC's objections to the way the European Data Protection Board has handled that have been found that the European Data Protection Board was competent to make those decisions.

So, it's really interesting because this, of course, all started with the #noyb case against Facebook Ireland and then went through with #Facebook, #Instagram, #WhatsApp, and really finished with you know, the DPC, you know, being quite unhappy with some of the decisions that the European Data Protection Board asked it to do, including carrying on new investigations on new aspects not yet examined, to issue a new draft decision on the basis of that new investigation. The DPC thought that they shouldn't be able to do that. The court says they can. How's

[00:04:51] Paul Breitbarth: Well, not surprising indeed, but it's good that they do. And while we are on the topic of the court, just two weeks ago at the start of the year, the court also ruled against a data protection authority, and that was the Austrian Data Protection Authority in a case on damaged systems. The Austrian data protection authority at some point, it said, well the number of complaints that a data subject can file can be no more than two per month because otherwise we have too much work.

It doesn't it doesn't we are not able to, to deal with so many complaints. So if you file more than two complaints a month, we consider that to be excessive. Obviously this also caught the attention of noyb who are filing a lot of similar complaints to data protection authorities and the Austrian Data Protection Authority is their home authority.

This case also went up to the court of justice, and the court of justice has said, indeed, a data protection authority cannot just limit the number of complaints that an individual can file. So, excessiveness is not just based on volume or vexatiousness as a reason to deny the procedure, so you really need to go above and beyond to demonstrate as a data protection authority that a complainant is really just doing this for fun, or is trying to annoy you but doesn't have a case to answer.

So in this case, also the court awarded damages. It was a couple of hundred euros. So that was not that was not very impressive. And also, I don't believe that, there was a lot of serious harm done in this in this particular case. But still it goes to show that the threshold for vexatiousness and for limiting individual rights under data protection law is fairly high.

I'm not completely sure how that will affect the similar provision that the GDPR also has for limiting data subject access requests or other individual rights requests against the data controller, where you can also say, hey, if there is an excessive amount of requests from one individual, you could deny them or charge a reasonable fee.

But it can be expected that the court will have a similar high bar there much higher than at least I so far expected it would

[00:07:11] Ralph O'Brien: that? And this is actually interesting to me because it shows some divergence between the EU and the #UK. There's a case that went through the UK in 8th of March 24 that we call Delo versus the Information Commissioner. And that was about the Doors from Peel. ruling that the information commissioner's office here in the UK didn't have to investigate every single complaint that it received.

And, you know, it really gave the #ICO some very broad leeway on whether it, you know, had to investigate complaints and data subjects at all. So to me, that's actually means that there's actually a real divergence of what the UK what the European courts are putting on the record.

[00:07:56] Paul Breitbarth: Yeah, I think in part that is also due to the GDPR. Because I recall that when I was still working for the Dutch Data Protection Authority we had a similar policy selective to be effective that Richard Thomas, the, Pre, pre, predecessor of John Edwards as, as information commissioner in the UK helped to develop where indeed some focus would actually help to to increase the levels of compliance across the board under GDPR, that policy has already shifted also here in the Netherlands, just because the GDPR is very prescriptive thou shall investigate although it doesn't specify how deep the investigation should go, of course. Okay, any views from the US? Any experience with data protection investigations or damages or

[00:08:45] K Royal: No, not from any enforcement, especially not any state enforcements like Texas or Colorado and certainly not any movement in the state laws for AI, which is all around the world now, and not from any type of settlement agreements, especially on class actions. I mean, why would you think the U. S. is doing anything in privacy? I'm sorry, did that did that come out? Did I use my inside voice on that 1?

[00:09:09] Ralph O'Brien: Well,

[00:09:10] Paul Breitbarth: No, just your royal

[00:09:12] Ralph O'Brien: talking about the U. S. and the Privacy and Civil Liberties Board will I believe we're going to do in the next episode, 

[00:09:19] K Royal: yes, if anyone's waiting on me to speak up about a lot of developments we've seen in the U. S. we're gonna have a U. S. episode next. However, it won't address everything in the U. S. Let's be clear. 

[00:09:31] Paul Breitbarth: It will address the, constitutional issues. 

[00:09:33] K Royal: yep, we're gonna meet with the constitutional professor and speak about constitutional issues.

But, I mean, what I see going on in Europe with your decisions doesn't seem to at all reflect what we see in the U. S. Even though things are different. I mean, you don't have here where boards can file a complaint or enforcement agents can file a complaint against another enforcement agent or any type of way to hold them accountable or anything like that now doesn't mean to say that we have anything done wrong here.

I mean, we do have countries with privacy laws that don't have any enforcement mechanism. But what it does mean is that for those of you new to privacy, the way that you see it, data protection enforced in Europe, whether it's the UK or the European Union or the EEA or anything over there is not going to necessarily and most often diverges from how you're going to see any type of enforcement action here in the U.S.

[00:10:32] Ralph O'Brien: Yeah, I think that's, that's definitely agreed. But again, you know, I have to point out, you know, in my U. K. capacity that here we're a different jurisdiction again, right? So, you know, you're going to see different differences.

[00:10:43] K Royal: We don't have a noise,

[00:10:45] Ralph O'Brien: it is. And but what you do have is a TikTok back again briefly sort of, so we that is something in the US we can talk about isn't it the ban that wasn't.

[00:10:55] K Royal: right? 

[00:10:57] Paul Breitbarth: Yeah, that we'll address in the next episode.

[00:10:59] K Royal: we're going to talk about that on the constitutional pieces of it. Cause y'all know we were watching that really quickly when we started watching it at first, I don't even think there was really a thought that who is currently president would have even been allowed to be in the running.

And so it wasn't even an initial part of most of the evaluation. So I'm expecting the next episode to be a lot of fun on that side. But on the other hand, I mean, this brings up the topic. I mean, one. We're seeing a lot of movement in AI around the world, different countries bringing up. I mean, Australia has a call out for volunteer.

[00:11:33] Paul Breitbarth: Are you going to China?

[00:11:36] K Royal: No, I'm not going to China. No, no, no, I might. I'm thinking about it. I was thinking about AI and so I was working my way around there. But what I was going to say is that users of social media that are especially at risk of these types of applications that might be used for espionage really are unaware of the risks of it.

And further, they don't care. They hear privacy people saying, Don't do it. Don't do it. And they're like, Yeah, right. Like China is going to spy on me. There you go. I went to

[00:12:08] Ralph O'Brien: Yeah, we were having a conversation today on AI and I'm actually quite a fan of using the term absent intellect rather than artificial intelligence because actually, you know, human beings always choose simple or wrong over complex and right, you know, you give them a choice of something that's got to make their lives easier or give them an instant, magical, data fairy answer.

They will choose that rather than critically think. So, I thought I think it's really interesting with AI, you know, we'll accept simple and quick and fast and wrong over

[00:12:41] Paul Breitbarth: And free.

[00:12:41] Ralph O'Brien: and free over our ability to sort of critically think and rationally go through. And actually, I think personally, AI needs more thought rather than less thought as we begin to increasingly automate over datasets.

So when you're talking about DeepSeek. You know, I think, I think DeepSeek is fascinating because you've got this Chinese model that's now number one in all of the app stores. ChatGPT dropping down the app stores, ChatGPT throwing up their hands in horror and saying, Oh, well, they probably used our model and they've nicked all of our data.

And I have to, I have to then ask myself, is that the pot calling the kettle black? You know, where did ChatGPT get its data from? So I find it all very amusing. 

[00:13:23] Paul Breitbarth: Well, it's mainly, I think it's also the, the competitive, the, the advantage, right, of something already being there instead of inventing it from scratch. Even if they didn't use all the data that OpenAI has in their files, just the idea of OpenAI and how it works, and we know that the Chinese are very good in reverse engineering, whether it's software or cars or any, anything, any appliance that you can buy they're really good at that.

So. It is not unlikely to me that they reversed engineered some of the technology used in ChatGPT and used that to their advantage, whether or not they used the training data from OpenAI or just scraped the internet themselves. I would argue that it's the same difference

[00:14:08] Ralph O'Brien: It's what OpenAI did, right? 

[00:14:09] K Royal: yeah. And first to market is not always best to market.

[00:14:13] Ralph O'Brien: This is true, 

[00:14:14] Paul Breitbarth: Also true. Well, I mean OpenAI was not the first to market obviously with an LLM. And also not to be forgotten they probably lowball the number that they have spent and maybe that's the number the six or six, 7 million that they used for development. Maybe that's the number of investment money.

And they just simply forget all the money that they got from the Chinese government, which is very likely behind DeepSeek at least with grants to help develop, to show that China can do something similar as the US and the US are not the only ones working on LLM models and reasoning models.

I think that's probably to be expected that also the the Chinese government has heavily invested, but that those numbers will not, cannot, shall not be disclosed.

[00:15:02] Ralph O'Brien: that's, that makes a lot of sense. I mean, I'm trying to use both models at the moment. I'm slightly unusual in that I don't download the app off the app store or use their public facing website. I've actually sort of hosted my own, you know, and so and so, you know, I'm not using the public versions.

I'm using my own you know, their algorithms, locally hosted on training data that I've selected. And we know it is interesting because we are starting to get, you know, people saying, Oh look, DeepSeek doesn't recognize the Tiananmen Square Massacre where ChatGPT does. So, you know, so selective reasoning within the search results, you know, based on where it's found.

I mean, you know, so there are some interesting stories about, you know, censorship and what's in that program. But equally, ChatGPT has got elements where it doesn't want to go. You ask it questions of a sexual nature or, or about certain individuals and it will say, sorry, I don't want to comment. And so, you know, there are some really interesting questions, I think, the freedom we have to find information versus the gateways we use to access it and who programs them with what slant or agenda, you know, and as you say, most people will just pick it up and use it without giving it that critical thought and

[00:16:18] K Royal: Yeah. Without, without thinking about any consequences. And if, like I said, if we tell them about them, then they, they think that the professionals that know these things are paranoid. Well, paranoid doesn't mean you're wrong.

[00:16:33] Ralph O'Brien: Yeah.

[00:16:33] K Royal: Right. I mean, so it is interesting. And then Ralph, I know you're coming to speak to my law class tomorrow and you'll find it interesting.

I don't know if they'll speak up and ask questions. I hope they do that. On one hand, they say we don't want to take the time to read five pages of a privacy notice, even if a company puts the right stuff in the privacy notice and they're true and they're transparent. We don't want to read that on an app we're trying to download.

But then in the same class, they will express their frustration with not knowing what a company is doing with their data.

[00:17:05] Ralph O'Brien: Yeah, Yeah,

[00:17:06] K Royal: And they don't even realize that the circular argument that they're making there. So what else do we have going on in the world?

[00:17:14] Paul Breitbarth: yeah, we have a few things from the European data protection board. They've had their first meeting and they have adopted long expected guidelines on pseudonymization. And the guidelines are available for comment right now. So if this is a topic that you are interested in, you have until the end of February to provide your insights on how this should work.

I should warn you, it is a fairly technical opinion, and I'm still making my way through it to really understand it.

[00:17:44] Ralph O'Brien: I've got to say, actually, I was fairly disappointed because, yeah, I didn't find it as like, it was almost like a discussion paper rather than an actual set of guidance from a regulator, right? You know, yeah. As you say, it is up for comment, but I didn't, you know, it wasn't the regulators saying this is what pseudonymization is and this is what our guidance is Enormous, just felt like a, like someone doing their thesis on pseudonymization. It was a, it was a very , a very technical paper rather than a natural guidance document

[00:18:15] Paul Breitbarth: Yeah, and what they, what they have made clear in the press release are two things which I think is also stating the obvious. One pseudonymous data, which could be attributed to an individual by the use of additional information remains information related to an identifiable natural person and is therefore still personal data.

Indeed, if the data can be linked back to an individual by the data controller or somebody else, it remains personal data. And two, pseudonymization can reduce risk and make it easier to use legitimate interest as a legal basis as long as all other GDPR requirements are met. So, the board says, pseudonymization.

Yes, really good. Do it. Use it because it's better for security. It's better for your legal basis. But don't forget pseudonymous data is still personal data, legally speaking. And that is the continuous debate we're having between the lawyers and the developers who consider anything that is pseudonymized as anonymous data, which legally speaking is not the case. So that is really important, but I will side with Ralph.

[00:19:24] Ralph O'Brien: And not de-identified. 

[00:19:26] Paul Breitbarth: also not de-identified, indeed. I do side with Ralph. I was also disappointed. Not so much because of the content of the opinion, because, as said, I'm still making my way through it. But this is, in part, an update of an opinion from 2014 2015 on anonymization and pseudonymization techniques.

And that update has been expected for three years. We do have the pseudonymization part now, but there is no word on whether there will be an anonymization part and if so, when that will appear. Is this to say there is no anonymization possible? Is that still coming? I don't know. And that is what worries me.

Maybe indeed the board comes to the conclusion right now, anonymization is no longer legally possible. 

[00:20:12] Ralph O'Brien: That's what's always been a thing for me. You know, you, you look at the legal definitions and may say, anonymization cannot be reversed. Pseudonymization can be reversed. But actually when you actually think of the real world, it's more like a percentage chance. It's like, it's like, you know, there is no absolute say, you know, you can say, Oh, do I reasonably think that no one could reverse engineer it.

You know, you just don't know what someone else out there has right so you know I wish you even though the law says can be reversed cannot be reversed is kind of a. You know, the world just doesn't work like that. You know, there, there are, it's more like a percentage probability based on what anyone else has, that it can be reversed.

And, and I wanna double down on what, on, on, on, on what the press release said as well, because, you know, being technically correct is always the best or correct. You know, I, I, I used to say, oh, there are four categories of data in the GDPR anonymous pseudonym, personal data and special category data technically wrong because pseudonym and special category data are, have to be personal data first. Right. So you could argue there's anonymous and personal data and then pseudonymous and special category nature subcategories of personal data. And that's and again you know that's for the real geeks listening so yeah perhaps this is right.

[00:21:22] K Royal: Well, and I do think that when we look at the ability to be reversed, which means to reidentify the data, the key part is data that you have or data that is available to you. And in this world of big data, as Paul says, is that the case? Can someone purchase data that would make it reidentifiable? However, I think there's also another perspective to look at this.

Are you looking at classifying the database as a whole as pseudonymized? Or are you going down to the individual entries and saying fact specific on that entry? Is that specific entry re-identifiable? And that's where I think you can definitely get into trouble because look at my world in claims management.

There's probably only one NFL super. I don't know if this is an honest claim we have or not. I'm making it up off the top of my head. If an NFL superstar gets into a plane crash in a specific location in a specific, let's just say month doing a specific activity, that's re-identifiable, even if you remove all of what would most the IT people would mostly consider personal data or personal.

And just as a personal, peeve of mine, I don't like the term personally identifiable information PII. That just irritates the heck out of me. It's it's personal data or it's identified data. 

[00:22:44] Ralph O'Brien: Well, it's, I'm glad you said that because from an EU point of view it, it hurts like hell when you hear people using it instead of personal data, because you know the two are legally very different scopes.

[00:22:58] Paul Breitbarth: to trying to change people's ingrained mindset that #PII is not a thing, 

[00:23:06] K Royal: Yeah. 

[00:23:06] Paul Breitbarth: that it is an outdated American concept that even in the U. S. has no validity anymore, that, that, takes a long time, 

[00:23:13] Ralph O'Brien: I know we're coming up on time. I know, I know we're coming up on time, but before we come up on time, one of the things that we talked about in the introduction, which I know we haven't touched on is Kenya.

So Paul, over to you.

[00:23:24] Paul Breitbarth: So, oh, I was going to say Ralph over to you because you are the one that spotted this in the news. What we would like to address is a complaint made actually in Kenya against the Data Protection Commission. There we go again. I feel a trend throughout this episode that the Data Protection Commissioner actually is being sued for handling violation cases. A Nairobi lawyer is challenging the powers of the data protection commissioner to hear and determine cases touching on personal data and the violation of data protection. Because he says this is

[00:23:59] Ralph O'Brien: Unconstitutional. Yeah. 

[00:24:03] Paul Breitbarth: I'm very very surprised by this. So basically the, the lawyer Henry Avrunda says that the unconstitutional powers of the office of the data protection commission to investigate and find a determination on the right to privacy is akin to amending the constitution in, in a way that the constitution doesn't foresee.

[00:24:25] Ralph O'Brien: so, 

[00:24:25] Paul Breitbarth: this is quoted in 

[00:24:26] Ralph O'Brien: so I think what this comes down to is, He's saying the Data Protection Commissioner is not a court, you know, and therefore it should be in the court's powers to issue penalties rather than the, rather than the commissioners. Now, we know in the EU, for example, the EU looks, you know, especially when we come down to looking for adequacy, that the country has both judicial redress and administrative redress.

So redress from a court and redress from a regulator, right? So administrative and judicial redress. So this individual is, is challenging Kenya and saying, but by doing the administrative redress, they're effectively acting as a court. And that doesn't fit with the Kenyan Constitution. So I mean, we'll see how that turns out.

My own thoughts are, isn't it nice to have a regulator and a court, but you know, there we go. Yeah.

[00:25:09] Paul Breitbarth: and I mean, it is an act of parliament. So I would be surprised if this really was an issue that it wouldn't have come up during the parliamentary debate that an administrative authority would not be allowed to impose a sanction. I hardly believe that the data protection commission is the first administrative authority in Kenya with sanctioning powers.

But I mean, we'll see it. There are countries in the EU, which have the same system, right? Where the data protection authority can only recommend the sanction that then needs to be imposed by the police or the judiciary, for example, in Denmark.

[00:25:44] Ralph O'Brien: And it was the same before the GDPR in a lot of jurisdictions, like in Ireland, for example, you know, you had to, you know, you originally had to go to the court and the Irish commissioner didn't have powers, you know, so yeah, I mean, you know, it's, it's, it's not alone. I've done some work in Ghana and it's exactly the same in Ghana.

The regulator has to, you know, you know recommends to the courts and the courts do the final issuing. I personally think it's great for the individual to have an administrative redress and judicial redress. But you could argue that sort of a double bubble risk for the controller, right? That they could be hit from both sides.

And a good example of that in the UK would be British Airlines where the ICO issued a penalty and then individuals went, went, went for damage or distress, settled down to court, but still, you know, those both avenues are available to them.

[00:26:30] Paul Breitbarth: true 

[00:26:30] K Royal: how it works here in the U. S. You get hit by every avenue that's out there.

[00:26:34] Ralph O'Brien: A private right of action and a regulator. Yeah, okay.

[00:26:37] K Royal: Exactly. And criminal findings versus civil findings, too, for the exact same thing. So let's, let's be, I mean, we all grew up on OJ, right? I'm probably dating myself on that one.

[00:26:47] Paul Breitbarth: so before we wrap up, are you familiar with casper

[00:26:51] Ralph O'Brien: friendly ghost?

[00:26:52] Paul Breitbarth: the friendly ghost? No, this is actually not a friendly ghost. I mean, I like the the 

[00:26:57] K Royal: This is the K A S P E R

[00:26:59] Paul Breitbarth: This is kspr, which is an extension for a Chrome browser that enables paying customers to scrape a professional contact details of LinkedIn out of the database of Casper.

And on the 5th of December the French Data Protection Authority imposed a 240,000 fine on Casper for illegal scraping, for failure to comply with having a legal basis, no data retention periods. Thanks. Insufficient transparency, failure to respect the right of access. And this is, this is not a massive fine, but what is, what is much more important is that Casper is to cease collecting the data, so they received a processing ban and they have also received an order to delete all the data collected in this way.

And finally, we see that data protection authorities also start making use of those sanctioned possibilities. Stop doing that. Don't do it again and delete everything you have collected in the past. Mm 

[00:27:59] Ralph O'Brien: Yeah. I actually prefer to see them use the full range of enforcement powers rather than just administrative penalties. I mean, you know, to impose a ban on processing, that's powerful. Stop processing personal data,

[00:28:10] K Royal: Well, and that's what we've shared with people here in the U. S. when they're like, well, what is the actual risk of not complying with GDPR? We get fined. And if we refuse to show up in court like that one Canadian company did, are we actually going to be fined or not if we don't have a physical presence in Europe for them to enforce against?

Well, they can stop you from doing business in Europe.

[00:28:32] Paul Breitbarth: Yeah. And if need be, they can go to the internet service providers to just block your IP addresses and block your DNSs and block your access. If need be, I mean, that is, that is very far ranging, but if need be, they can do it.

[00:28:46] K Royal: They can do it. 

[00:28:47] Paul Breitbarth: On that happy note, let's wrap up.

[00:28:50] Ralph O'Brien: happy 2025! 

And then Ralph’s addition on Deepseek update.
