Serious Privacy

A Month in Privacy

Dr. k royal and Paul Breitbarth and Ralph O'Brien Season 6 Episode 9


On this week of Serious Privacy, Paul Breitbarth, Ralph O'Brien of Reinbo Consulting, and Dr. K Royal cover a month in privacy. This includes UK adequacy, the March meeting of the European Data Protection Board (where they released a statement on the implementation of the PNR directive), BCRs and the number of companies that have adopted BCRs and BSPRs, the UK list of BCRs, court cases, the future of the GDPR and lots of data protection consultation, and that is just the European part of it.

Please subscribe in your favorite podcast app - sharing is caring! 

Powered by TrustArc
Seamlessly manage your privacy program, assess risks, and stay up to date on laws across the globe.

With TrustArc’s Privacy Studio and Governance Suite, you can automate cookie compliance, streamline data subject rights, and centralize your privacy tasks—all while reducing compliance costs. Visit TrustArc.com/serious-privacy.


If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.

Please note this is largely an automated transcript. For accuracy, please listen.

Week in privacy week 9

[00:00:00] Paul: After a few weeks with guests, it's time to catch you up on what has been happening in the privacy community while we were talking to other people. So today we talk about adequacy, we talk about court cases, we talk about the future of the GDPR and lots of data protection consultation, and that is just the European part of it.

So without further ado, my name is Paul Breitbarth.

[00:00:40] Ralph: My name is Ralph O'Brien.

[00:00:42] K: And I'm K Royal, and welcome to Serious Privacy. So we actually have a real week in privacy this time. We've been very busy.

[00:00:49] Paul: I think it's about a month in privacy by now, but yes.

[00:00:53] K: Yeah, I think it's a month in privacy. There we go, right before everybody comes up on Spring Break or whatever they have there. So here we go. Unexpected question. What is your favorite way to eat potatoes?

[00:01:04] Ralph: I could be boring and be very English here and talk about fish and chips. Right. That is chips as in chunky fries, not chips as in potato chips, of course.

[00:01:14] K: Paul? You don't like potatoes?

[00:01:17] Paul: No, in every, I love potatoes. So in every single imaginable way, I'm fine with them, whether it's boiled, steamed, as mashed potatoes, fried, a nice potato salad when the weather is nice, I don't care. I like them all.

[00:01:34] K: I like sweet potatoes. I like just sweet potatoes, dry.

[00:01:37] Paul: Oh no, I don't like sweet potatoes.

[00:01:39] K: I like them dry, not, no, nothing on them, just plain sweet potatoes, although apparently there's certain ways to cook them that are healthier for you than others. But yeah, I don't think I've ever met a potato I didn't like. I'm with you on that one, Paul.

Let's talk about our month in privacy. So since you listed a few off for Europe, let's start there.

[00:02:00] Paul: Okay, let's start with the EDPB. They are meeting on the 13th of March, which is actually the day after we record. And if we look at the agenda, it's a short agenda. It's only an online meeting. It'll be brief. But one of the things that caught my eye is the statement on the implementation of the PNR directive in light of the Court's decision of 2019. So I think we can expect a statement from the EDPB saying we're fed up with the member states not listening to us and not listening to the courts. So get your act together. I haven't seen a draft, but that is probably what they will be saying.

The only other thing that I saw was interesting, they are discussing an update to the procedure for the approval of binding corporate rules. So maybe in a way to speed up the process and they are talking about the visual identity of the EDPB. So it can very well be that they may share a new logo in the coming days.

[00:02:53] K: The visual identity. I love that. But even more so, I love an update to the BCRs, right? I have not looked at the BCR list lately to know which companies are there. Are there any new ones?

[00:03:05] Paul: Yeah, there are occasional new ones. 

[00:03:07] Ralph: Thank you.

[00:03:09] Paul: But it's going slow, and we know that a lot of DPAs have backlogs in updating the BCRs, let alone in approving new ones, and that it is very time consuming. So maybe they've come up with some clever ways to shorten the time for BCRs. I don't know, but we'll keep you posted in future episodes.

So that's on the EDPB site. One thing that the EDPB and the member states will do together is annual sweeps or consultations to study the effect of one provision in the GDPR. So last year, they looked at data subject access rights. And for this year, the topic will be account deletion and how that's being handled by companies. So there are press releases from the EDPB, but also from almost every single national authority, that they will investigate this year the right to data deletion with a joint questionnaire, and then probably by the end of the year, early next year, we will see a report on that.

The European Commission has published on the 5th of March a new draft implementing decision for adequacy. And that is actually also a nice surprise: for the first time it's not a country, but it is an international organization. The European Patent Organization should receive adequacy from the European Commission.

So if you read the report, we'll put the link in the show notes for those who are interested, you will see that the full legal framework that the European Patent Organization has in place has been assessed like they would do with a member state, including all the individual rights, how they are dealt with, but also oversight mechanisms and, full disclosure, I'm part of the supervisory authority for the European Patent Organization. So all of that is being assessed and approved as being in line with the GDPR. So this will now be submitted to the member states and to the European Data Protection Board for their perspective, and probably in the next couple of months we will see a green light for the European Patent Organization, and that is a first because it's the first international organization that would receive adequacy, and that's the first possibility at all under the GDPR, right? It was not possible under previous laws.

[00:05:30] Ralph: That's superb. Actually, a lot of people don't realize when they actually read through the GDPR that every time it says take data to another country or territory, it also says or international organizations. So, you having worked for a number of international organizations now, they are subject to international law and GDPR.

But most of them decide to bring in something, some sort of equivalent framework. It is worth saying that even if you gave your data to somebody like the Red Cross, even though the Red Cross would be, say, in the UK, because the Red Cross are an international organization across the world, that would count as an international transfer, even if the data never left the UK.

So it is worth organizations being cognizant of what an international organization is, people like ISO and the UN, and what that means when you give the data to them, because it's effectively passing outside of the GDPR, even though it might stay within Europe, let's say.

[00:06:31] Paul: Yeah, and that's why I've said in the past that the definition for an international transfer, if there ever were to be one, could be linked to the change of jurisdiction that applies to the data processing.

[00:06:44] Ralph: Indeed.

[00:06:44] K: Yeah, and we can give a link to the page that lists the international organizations. I think the last time I looked, there's like several hundred.

[00:06:52] Paul: Oh, yeah, there are very many.

[00:06:54] K: It might be worth it, and you think of the common ones like the Red Cross, United Nations, things like that, but there are lots of other ones as well.

[00:07:00] Paul: Yeah, but also all the ones under the UN are separate international organizations, so you have UNHCR and you have UNICEF and, 

[00:07:08] K: Right. 

[00:07:09] Paul: UNRWA all of those are also international organizations because they are not entities of a state and they have their own separate legal framework. 

[00:07:18] K: I wanted to go back to the BCRs real quickly since I had said I hadn't gone and looked at it for a while. And we'll post a list of this as well. So right now there's approximately 210 or so entries listed. 161 of them are controller BCRs; 55 are processors. Duplicates in there, I'm pretty sure. Actually, I know there are. And in 2024, there were 10 that have BCRs. So there looks to be on average somewhere around 10 a year that get BCRs, maybe a little higher, 13, 14. The highest year it looks like was 2018 when there were 30 of them, go figure, when GDPR went into effect.

The next highest was 2018. And I know that there are some companies that have dropped off of this. Sorry, the highest was 2018, and I think the next highest may have been, let's see, there's 23 and 22. Yeah, looks like 2018, then 22 and then 2017, so 30, 23, 22. So those are the high numbers. In 2024, there were 10 of them.

And companies can now get binding corporate rules as a controller or binding safe processor rules as a processor, typically called BCRs for processors. And I was actually very active in getting the processor category passed, although I don't think I knew it at the time. We were working on our controller BCRs and we had petitioned the data protection authorities when I was working at Align Technology to let us do BCRs for processors, and they said there's no such critter.

And we said, why can't there be such a critter? So it took us a year or so to get our application together, and just as we were getting ready to file it, literally stamping the names on them, they came out with the binding safe processor rules. I'd like to think that we and the attorney that we worked with at the time, which was Phil Lee, at the time he was with Fieldfisher, now he's with Digiphile, his own firm.

I'd like to think that we were riding that early cusp of doing processor BCRs. I was very proud of those. And so we were the first company that was passed as a dual application for processors and controllers. So I've always been utterly fascinated by BCRs and astounded that more companies don't go that path.

If you've got a mature privacy program, it doesn't have to be perfect, it just has to be mature, then going for BCRs isn't that bad of a deal. And then you don't ever have to worry about whether or not Schrems is going to bring a lawsuit to challenge the U.S. thingy or not, whatever the thingy may be at the time.

You don't have to worry that it will be challenged.

[00:09:54] Ralph: So it is worth just mentioning, of course, the BCRs only cover internal transfers inside your organization. So you have to be a large joint controller, probably, with entities in lots of different jurisdictions, and you're covering internal transfers with BCRs. And secondly, it's also worth mentioning that K was probably looking at the European Data Protection Board list of BCRs.

There is a separate list of BCRs on the ICO's website for UK BCRs.

[00:10:24] K: Absolutely, yes. Don't let me forget about that part. Which, funny enough, the ICO was our lead regulator at the time. Our other two regulators, I forget where they were, probably Italy and Spain or maybe Germany, something like that. I forget who the other two were. The ICO was the lead one, which of course brought a little bit of consternation into place when Brexit happened for companies that were working on that. So that was the thing. But anyway, a very interesting thing to know.

[00:10:52] Paul: But that system doesn't work anymore like that, right? The system has changed. So now it is only one lead supervisory authority, which is your lead supervisory authority in the first place, and then the rest of the data protection board will get involved. So it's no longer the main authority and two reviewers.

[00:11:09] K: Which is supposed to make it a lot easier. I haven't heard any stories whether it's easier or not.

[00:11:15] Paul: I don't think it is easier and that is mainly for lack of resources with the data protection authorities. But the other issue, and you say I don't understand why not more companies are doing BCRs, it is just a very expensive and time consuming process.

[00:11:30] K: It is.

[00:11:31] Paul: Because most organizations are not able to do this completely by themselves. So you need outside counsel to be involved, and then the bill gets very high, very quickly.

[00:11:42] K: It does. It really does. 

I will say that when we did it, in our analysis, it was easier to go ahead and go down the route of doing that because there were so many different privacy laws, given the field that they were in, with all the countries they were in, with being both a controller and a processor, being both, they weren't a covered entity, being somewhat subject to HIPAA on one part of their business, not subject on another part of their business, dealing with health data, manufacturing technology, different things like that.

You're right. There are lots of challenges to doing BCRs and they're not as easy, but I will still say that I'm surprised that more companies don't do it because they're probably sinking that much work into their privacy program. I was going to say anyway, but in spending up to GDPR and everything, they were probably doing as much work on their privacy program and using consultants and external law firms.

Anyway, so to me, it was just easy to spend the same amount of money to get BCRs if you're going to help me improve the privacy program for GDPR, but I'm sure there's a lot of other considerations that companies have to go into, especially now when their privacy program may already be mature and they don't need the external resources to make it even better for a big, huge law that's coming down the pipeline.

[00:12:59] Paul: Very good. So let's take a look at some of the case law. Ralph, you had a case you spotted about the role and independence of the DPO.

[00:13:07] Ralph: Yeah. And actually we should thank our friend Alexandra Waller here as well, because it was her post that led me onto it.

And so this is one from the Italian data protection authority, the Garante, where there was actually a 70,000 euro fine put on an organization for having a data protection officer who was that company's legal representative. Now, we've talked a number of times about whether it's possible to be corporate counsel and DPO at the same time. And I know that a lot of people out there will be corporate counsel and DPO. Now, this is a really interesting finding because it talks about the independence of the data protection officer, whereas as corporate counsel you're generally instructed by the organization and have to act as that organization's legal representative.

Basically there were 70,000 data subjects. So they decided it was a one euro fine per affected individual. And so we said it was 70,000 euros purely for having a data protection officer that's also the legal representative. And I think that's going to be interesting for a lot of organizations out there that have done the same thing,

thinking that their legal counsel is independent enough. So whether that is going to be a policy decision by the Garante, whether that's going to be picked up by other organizations across Europe, we've seen it with people like IT managers in Germany, certainly, who are on the more implementing side.

But I think this is the first one we've seen with legal counsel, which is: can your lawyer be your DPO? This case says no.

[00:14:50] Paul: That is indeed a very important confirmation from the court.

[00:14:54] K: And when I first heard you mention it, Paul, or Ralph, I think I was confused that you were saying that the legal representative for not having a physical location in the UK was the same representative as the one who was being their DPO, but you mean literally they were in-house counsel and DPO at the same

[00:15:15] Ralph: Correct.

[00:15:16] K: That's a no.

[00:15:17] Paul: That is a no. And then if you do receive a fine, that's another case that we haven't discussed before. That is the Ilva case. Same shoutouts as Ralph did. This is a case from 2023, but that was adjudicated last month in February of 2025. Here the court had to assess the amount of the fine.

The Data Protection Authority had assessed that only the local entity's turnover needed to be assessed when calculating the fine, and the court has said no, undertaking actually means undertaking as intended in the Treaty on the Functioning of the European Union, meaning that it needs to be calculated on the basis of the whole undertaking, and that means the whole group, the corporate group, so the turnover of the whole corporate group determines the maximum fine.

I think that is in line with also what the data protection authorities have discussed before in several of the enforcement cases coming out of Ireland, that indeed the global turnover from all of the entities of an organization needs to be taken into account and not just the EU or the local turnover, but that has now been confirmed by the court.

[00:16:34] Ralph: Wonderful. 

[00:16:35] K: I know companies love that. 

[00:16:37] Ralph: Yeah. One more case to add from a UK perspective, and that's Ashley versus the HMRC. Mr. Mike Ashley essentially had an inquiry conducted by our tax office, the HMRC, and the valuation agency, the VOA, and put in a subject access request, and the HMRC decided they were not going to give him a large amount of the data because of the definition of 'relates to'. So it was a really interesting court case from a UK perspective, which actually went back through a lot of the EU judgments looking at what is personal data, what isn't personal data, and the UK case really adopted the Nowak approach to 'relates to' and what is personal data, which is actually a fairly wide interpretation, even though the court did say that 'relates to' doesn't necessarily amount to everything, it does have to have him as the focus.

But it went through a number of court cases all the way from our much maligned Durant court case, which was versus the Financial Services Authority, where Durant was basically told, no, you are not the focus, it is not your personal data, all the way through to Nowak and FF versus Österreichische Datenschutzbehörde.

And yeah, it really hinged on the 'relates to'. The court held the HMRC needs to reconsider the subject access request, applying the approach that the court did in Nowak. They didn't go as far as to say it was all personal data, but they would have to reconsider their view of 'relates to' to make sure that they gave Mr. Ashley more data than in the original SAR. Whilst they established that the right was broad, they also established that the right was narrowed by the term 'relates to' to a certain extent. Yeah, really interesting kind of judgment. And I'll be doing a webinar with it, with the actual King's Counsel and your proofs from 11KBW very shortly.

[00:18:44] K: Right.

[00:18:44] Ralph: The thing that really stood out to me throughout the case was they also differentiated between the information you might give the regulator compared to the information you might give the data subject. And they were talking about the fact that, whilst you might not disclose everything to the data subject, just make it explainable, you don't have to give away all your proprietary information by doing so, you don't have to give away your algorithm or your secret sauce to the data subject. You can always treat it as a black box and say, to make it explainable, if you told us this much more, you earn this much more, you'd get the mortgage or whatever else, right? So you can keep it to inputs and outputs with a data subject. But they did say you would have to disclose as much as possible, including your trade secrets, to the supervisory authority.

So what was really interesting about the Dun and Bradstreet case for me was not only explainability to the data subject, but the fact you would have to disclose nearly everything to the supervisory authority when they were gonna determine and make their decisions. So you've got a very different sort of burden about what you might give one party than the other.

[00:19:49] Paul: Yeah, no, absolutely true. And when we talk about automated decision making, we all know that one of the ways to get around Article 22 of the GDPR would be to include meaningful human intervention. There, the Dutch DPA this week has launched a public consultation. They've been told off recently, both by parliament and also in their evaluation, that they are not transparent enough.

Suddenly there is a consultation on new guidelines that they are proposing. So that consultation is running. It's only in Dutch, but if you do speak Dutch, that might be an interesting one. If you speak Dutch and also speak French, or speak French, you can also partake in the public consultation on direct marketing from the Belgian Data Protection Authority.

They have issued a whole set of new guidelines on what constitutes direct marketing, when consent is required, when legitimate interest is required. But that is only available in French and in Dutch. I have one more European topic, but before we go into that, let's turn our faces to the U.S. and see what's happening in your end of the world. And let's just focus on privacy and data protection for this week.

[00:20:59] K: Let's focus on privacy and data protection. Let's not mention DOJ or any people being arrested for terrorist activities and squirreled away. We've got several states and lots of states that are publishing bills on AI, on data collection, on children's privacy, different things like that.

Georgia's one of the ones, the privacy one, made it out of Senate by a 53 to 2 vote, but we're still looking at others. It is for businesses over 25 million, so it's going to be, seems to be a lot like Florida's one. It's going to have a high threshold for it. But other states are introducing bills as well, so there will be a long list of those to look at.

Canada, we've got the Center for Cybersecurity is warning about China activity. There's a few other things moving there. Let me see what else I've got fascinating here. I do think it is interesting that there's a lot of countries, not just the U.S., but a lot, including the U.K., that are doing a little bit more investigation into children's activity.

So the United Kingdom launched an investigation against TikTok, Reddit, and Imgur about how they handle children's personal data. COPPA 2.0 has been reintroduced here in the U.S. Australia actually just fined a company, I think it was 630,000, for their failure to respond to the regulator's inquiry as to how they handle anything on their platform.

I think it was Telegram. It seems like there's a lot more attention still being focused on protecting children. Now, what age that means is anyone's guess. It typically ranges from anywhere under 13 to all the way up to 18. The good thing is nobody is redefining children as being under 25. So we at least still have that of who has to be protected, but there are a lot of countries that are taking the tactic of pure, you're an adult at 18, so anything under 18 falls under child protection.

So we're gonna see a lot there, but that's, if you make me stick to pure privacy, that's about all we've got going on here in the U.S., lots of bills being proposed.

[00:23:08] Paul: Then there still is a nice final topic for debate that's happening in Europe right now, or in the European Union, I should say. Ralph, before we do that, anything from the ICO, any new engines to generate content or things like that?

[00:23:24] Ralph: John Edwards did speak at the IAPP today, spoke a lot about the fact that they're regulating for outcomes, not outputs, which is interesting, a ripple effect on data breaches and how it affects real people. Blah, blah, blah. They investigated and next phase of children's privacy work with investigations into TikTok, Imgur, children's code, AI, biometrics, online tracking work. Sounds like a very positive statement from the commissioner.

My concern is we have yet to see any meaningful enforcement action, realistically, from the commissioner. Doesn't mean to say his office isn't active. It just means that there's no real enforcement work being seen, but there has certainly been a big announcement about social media and video sharing chats, and investigating how TikTok uses 13 to 17 year olds and all that kind of stuff. But nothing realistically in terms of any guidance or any enforcement activity or anything apart from words, really.

[00:24:31] Paul: Okay. Then the final European topic is what to do with the GDPR. 

[00:24:36] K: What do we do with it? 

[00:24:37] Paul: That's the big question. Later this year, the European Commission will need to do a review of a lot of existing laws that may have an impact on business across the European Union to see whether they can minimize red tape.

So you could say it's a European version of those reforms, but probably a bit more granular, gradual and less rushed, and maybe also slightly more friendly to employees, but they will do a big review on business impact, especially on SMEs. And there was a discussion in Brussels last week where one of the members of the European Parliament, Axel Voss, who was also actively involved in the creation of the GDPR, and also Max Schrems were on stage, and they talked during that panel about Mr. Voss's proposal to have a different regime for the GDPR that could then probably be set up through some sort of enforcement regulation that would come on top of the GDPR instead of reopening the full legislation, which could be a Pandora's box and take decades to come to any agreement.

But basically their proposal is that there would be two, no, three tiers of GDPR enforcement, and a sort of mini GDPR layer that would cover 90 percent of businesses that would require less documentation, simplified transparency, also no need for DPOs, then the normal layer that would be for anybody who processes sensitive personal data or operates at a larger scale, whatever that may mean.

And then for the very large online platforms, so the VLOPs, and companies that are fundamentally built on data processing, like advertisers, they would be getting even more burden, also with additional mandatory external audits that they would need to comply with. Before I give my opinion, let's hear what you think, Ralph.

[00:26:42] Ralph: Mixed. It's long been a criticism that perhaps the GDPR gets in the way of the economy and has a bad effect on a lot of organizations. But I think proportionality is written into it already. The words are already adequate, appropriate, necessary, use policies where proportionate, only do DPIAs where there's a high risk. I think it's built in already, this idea of proportionality.

So I don't know that legislating will change that. Plus, years ago, I think it used to be the case that small business equals small data and large business equals large data. But I've worked in organizations where there's been like 10 people and they've got access to some of the largest geolocation databases in the world.

So I'm not necessarily sure that size of organization will equal size of fine or size of damage to the individual. So number one, I think proportionality is already built in. I think organizations just get it wrong. And there's a lot of misinformation about the GDPR that we could probably best spend our time tackling.

The only thing I do like is perhaps a slightly different regime for the large megacorps, because I think currently it's not really in a single authority's interest to go after one. You consider the DPC in Ireland, it's really struggling because you can imagine the DPC's budget versus the, I don't know, Meta group's legal budget, for example. Meta group could keep them in court for years.

We're at the first time in the world where a company is bigger than a country. So I've really got mixed opinions. First of all, I think the GDPR already has proportionality built in, but secondly, I do think on the larger end of the scale, there needs to be some more coordinated way of going after the big boys.

Yeah. For me, the jury's out. I do deal with a lot of smaller organizations and think the proportionality is already there. So I'm not sure it needs change at the moment, but I think it definitely needs clarification on some of the misinformation that's out there.

[00:28:51] Paul: Okay.

[00:28:52] K: I do believe there is a way to be able to take into account the considerations for small, medium, and large business. As we've seen here in the U.S. as well, several states have a revenue trigger, and not a revenue-in-that-state trigger, a revenue-in-general trigger, just like the GDPR, not considering local revenue, but overall revenue.

So I do think there's a way to take that into consideration, but it's well taken that a small organization can have access to a ton of information. Let's look at a non-profit. A non-profit is not supposed to have revenue. But yet they can have access to highly classified data, sensitive data, special categories of data, whatever you want to call it, amounts of data, and it's not tied to their revenue at all.

So I think there is a way to take the underlying concerns into consideration, because I agree, if the GDPR was created to affect the free flow of data while providing the protection for the individuals, that's not going to hit a truly small company the same way it's going to hit a truly large company. As a matter of fact, the small companies, the ones that are really small, without the access to the data, without a huge revenue, that really are the definition of a small company.

They're going to be hit a lot differently than these mega companies with all the data. So I think where you're gonna see the difference is gonna be the medium companies. Where do you define what's medium? I think we can all encapsulate what's small. I think we all have an idea of what's large.

What's medium? Isn't that 90 percent of them?

[00:30:31] Paul: Apparently not. Apparently 90 percent of them are small, according to what they said during the panel.

[00:30:37] K: So I do think you could leverage the language that is there. 

[00:30:41] Paul: That is indeed part of the concern. What is then remaining? For me this whole idea is, I've got the feeling it is only there, it's only put on the table to take away power from the Irish DPC and give the European Commission more power, and I'm not sure whether I'm in favor of that, because,

[00:31:02] K: I don't think I would support that.

[00:31:03] Paul: No, it's, the GDPR, when we were discussing the GDPR and the future of privacy ahead of the publication of the draft GDPR, there have always been, or also been, long discussions whether or not oversight should be centralized at the European Commission level or not, or at least in part.

And I still don't believe that is a good idea. I think that gives the European Commission too big a role, and it also means that national differences are not sufficiently taken into account. Yes, for the very large online platforms there could be an argument to be made that next to national supervision in national cases, for anything that is cross-border, there you may want to have some more centralized enforcement powers.

But even then, should that be with the European Commission or should that then be with the European Data Protection Board, with the experts? Because otherwise you create another supervisory authority. The Commission is already quite powerful, already putting their mark on interpretation of data protection law.

And you would also get the strange situation that then the European Data Protection Supervisor would be advising on implementation and also advising the European Commission on their enforcement actions, possibly. I think it's just, yeah, I think it will be even more messy than it is today.

[00:32:33] Ralph: A centralization of power in Brussels.

[00:32:36] K: Heck, let's just bring it over here to the U.S. We can handle it.

[00:32:39] Paul: We can do better in enforcement, transparency, in communicating to data subjects. So all of that, absolutely no issues, but yeah, this proposal of a layered approach to enforcement, I'm not sure, but I'm pretty sure that this discussion will be continued.

[00:32:56] K: Yeah, breaking news just happened today. The California Privacy Protection Agency issued a decision against Honda. They have to pay a 632.5 thousand dollar fine, and it arose from their ongoing review of connected vehicle manufacturers. They allege four violations.

One is that when Californians go to request their individual rights, they're requiring excessive personal information, and they're not giving them the right to opt out of sale or sharing without requiring this excessive personal information. Using an online privacy management tool that failed to offer choices in a symmetrical, I like the word symmetrical, or equal way.

Making it difficult for them to use an authorized agent, and then sharing the information with ad tech companies without being able to produce contracts that have the required privacy language. So online ad tech providers, hello, must have contracts in place. So they have a lot of things that they have to do, and what it was is, the remedy should fit the problem behavior.

It's what they said. We won't hesitate to use our cease and desist to change business practices. So included in this is they have to consult a user experience, a UX, designer to evaluate their methods for submitting privacy requests.

[00:34:24] Paul: So big news indeed from California. And on that note, we really wrap up this week's episode, because if we continue talking, there will be more fines coming. Maybe we then should continue talking, but we've talked enough for this week.
