Serious Privacy
For those who are interested in the hottest field in the technology world. Whether you are a professional who wants to learn more about privacy, data protection, or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity to social justice and data ethics and AI. In-depth information on serious privacy topics.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
F to the T to the C - a slow but substantive week in privacy
On this week of Serious Privacy, Paul Breitbarth, Ralph O’Brien of Reinbo Consulting, and Dr. K Royal talk about the controversy with executive changes to the U.S. Federal Trade Commission #FTC, the UK #adequacy extension, and the Norwegian decision about Data Protection Officer #DPO conflicts of interest.
Please subscribe in your favorite podcast app - sharing is caring!
Powered by TrustArc
Seamlessly manage your privacy program, assess risks, and stay up to date on laws across the globe.
With TrustArc’s Privacy Studio and Governance Suite, you can automate cookie compliance, streamline data subject rights, and centralize your privacy tasks—all while reducing compliance costs. Visit TrustArc.com/serious-privacy.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
Please note this is largely an automated transcript. For accuracy, listen to the audio.
S06E10 - Week FTC
[00:00:00] Paul: While Ralph is out teaching privacy courses across the UK, K and I will catch up this week on what happened in the week in privacy and on the agenda. In any case, a strong discussion on what is happening with the Federal Trade Commission and some news to watch out for if you are a DPO in one of the EU countries because enforcement action is taking place there as well.
As always, my name is Paul Breitbarth.
[00:00:43] K: And I'm K Royal and welcome to Serious Privacy. Paul, I have to share the first question that popped up that I was, is what's a surprising thing you've learned recently? But I think that's the intro to what we're talking about today.
[00:00:58] Paul: Yeah, it could be. So maybe you should pick another question and then we'll answer this one along. Go.
[00:01:05] K: Would you rather communicate only by emoji or by gifs?
[00:01:10] Paul: I don't know, to be honest. I use both quite a lot. But then let's go with GIF because at least that allows to add a little bit of sneaky text into them.
[00:01:21] K: Oh, there you go. I like that. If it was my husband, it would be gifs. He spends five minutes looking for the right audio clip or gif to send to us in response to whatever it is we're texting so I can answer for him.
[00:01:33] Paul: I would never do that.
[00:01:36] K: They don't see you nodding your head yes, but I do.
[00:01:39] Paul: They heard me nodding my head, right.
[00:01:42] K: Oh my gosh. Exactly. They heard you nodding your head. I love that. So, yes, so it's not necessarily that it's a slow week in privacy. It's not, but there's nothing
[00:01:53] Paul: Ho, ho, ho, ho. You did not answer. You answered for Tim. You did not answer for you.
[00:01:58] K: You caught that, huh? Emoji. Emoji's for me
[00:02:02] Paul: Okay.
[00:02:03] K: because people text in teams and text personally in messaging apps and I don't, I get to the end of the day and that whole meme, it didn't give us an option for memes, but I guess memes or gifs. Mainly, but that whole meme that says, and eight hours later K logs on and catches up on 500 emails.
Yeah. Or 500 chat messages. Yeah, that's me.
[00:02:26] Paul: I like the one with the teacher and stand in front of the math board where you see this whole complex formula and then the face becoming more and more like what is happening here.
[00:02:39] K: So that is me. So it's always really easy for me just to respond with a thumbs up or in our personal chats, our family and I have changed the default emoji that's right there on, on the side to the I Love You sign. So we've been doing that ever since the kids were little. My grandkids know how to do it now in crowds.
We raise our hands over our heads and do the I love you so they can see it. So it's emojis definitely for me.
[00:03:05] Paul: Yeah.
[00:03:06] K: Like I said, my face is an emoji. So back to the, it's not necessarily a really quiet week in privacy, but there's only a few things that are really
[00:03:18] Paul: Worth discussing.
[00:03:19] K: I hate to say earth shattering because I think my level for earth shattering is going up and up. Because we're still here. Speaking of earth shattering, there was a horrible series of storms that came through the US over the weekend. And Mississippi had an earthquake that is literally earth shattering 'cause it doesn't happen there. But we were fine. I spent all night watching the trees bending over, hoping none of them were going to fall on my house.
[00:03:47] Paul: At the very least, you are insured now, so if it would happen again, then.
[00:03:50] K: And I increased the insurance as well. So yes, I'm very pleased with that. But yeah, let's talk about this news story. That's gonna be a little old news by the time we come out in a couple of weeks. But Trump, as part of his agency cutting mission, gutting mission, whichever you wanna call it.
He has now terminated both the Democrats on the Federal Trade Commission as of just yesterday, last night: Alvaro Bedoya and Rebecca Slaughter. They of course say they were terminated illegally and they plan to sue to reverse their firings, but rather than talking about whether or not this was legal or not, because you know that's a legal argument and a fight to have in court, what we need to look at is if that's the case, what's that gonna mean for privacy enforcement here in the United States? We already knew that, years ago it used to be the FCC and the FTC. Every administration has their priorities. We had really big hopes for the Biden administration since Kamala Harris was the vice president, and she was a big privacy advocate in California when she was Attorney General there.
We had big hopes that were not realized. There were some things realized, but they were not really big and they were not really quick. So now we have an administration back again who we know privacy is not the top of his concerns. So not talking about whether or not the cutting that's happening at the agencies is legit or not, we should talk about if we did have any hope of there being any privacy enforcement on the federal level.
It was coming through the FTC.
[00:05:37] Paul: Yes.
[00:05:39] K: And we knew the prioritization would be lowered. We knew the Chevron impact the case overturned. We knew that was going to have an impact. But what does this mean for privacy here in the US? For the listeners, they enforce COPPA, they enforce a lot of privacy.
[00:05:57] Paul: Yeah, I think there are a few things, right? When you look at privacy enforcement, I think the two most outspoken FTC commissioners the past couple of years were the former chair Lina Khan and also Alvaro. He was very outspoken that privacy actually is a fundamental right, that it should be enforced.
Rebecca Slaughter, the third Democratic member of the Federal Trade Commission, was more focused on competition law, on mergers and acquisitions, things like that, and less outspoken on privacy and data protection. So the fact that two of these very outspoken members of the Federal Trade Commission have now either resigned or been dismissed.
Ms. Khan resigned under threat of being fired when President Trump took office and he appointed a new chairman who, by the way, does not stand behind his commissioners, but stands behind the President, which is surprising for an independent agency. But it is a concern because they were very outspoken and also very much taken the perspective of the individual, the consumer, I should
say, in the US, on the fact that their privacy should be protected. Of course, in the past couple of years, the Federal Trade Commission has put out some guidance also on the enforcement of privacy and data protection issues under existing legislation that the Federal Trade Commission oversees, not in the least also, and that is where it becomes relevant for
Europe, the European Union, the United Kingdom, and for Switzerland as well as Norway, Iceland, and Liechtenstein, under the EU-US Data Privacy Framework, because also there, the Federal Trade Commission is the key authority to oversee any potential wrongdoing either by the Department of Commerce or by the companies that have self-certified under the framework.
With that gone, or at least with that now at risk, because not only are the Democratic members of the Federal Trade Commission now all gone, it means that there is only two members left. From what I understand, but correct me if I'm wrong, two members of the Federal Trade Commission could still take decisions that are needed under law for supervision and enforcement.
We also saw a similar dismissal of Democratic members for the Privacy and Civil Liberties Oversight Board, including a friend of the show, Travis LeBlanc, who has also been dismissed, who's also challenging this in court. It is for me a very concerning signal that people who stand for fundamental rights have been dismissed just because apparently they adhere to the wrong political party.
And if I am not mistaken, for any of these federal, independent oversight bodies it is prescribed in the law that members should come both from Democratic and from Republican backgrounds and that, of course the balance can shift during a presidency
[00:09:10] K: and, priorities. We know that.
[00:09:12] Paul: and, priorities, but also the political balance will shift depending on who is in the White House with nominations.
That has traditionally been the case in the US from what I understand. But to have no Democratic members indeed might be a breach of the law. And we'll see whether President Trump will nominate new Democratic members for any of these. But my main concern is indeed that any replacement for Commissioners Khan, Slaughter, Bedoya or for the Democratic members of the PCLOB will not be as outspoken protectors of fundamental rights and look at privacy and data protection much more as a transactional
protection, the economic right that it was in the early two thousands in the United States, and where we finally saw a shift towards the fundamental rights approach, even though it was only fundamental rights for American citizens. That's now off the table again, or it seems to be off the table again.
Let's not jump to too many conclusions yet.
[00:10:15] K: No, I agree. And just to catch people up, as we're talking about the Supreme Court decision that says that FTC commissioners cannot be removed by the president for political reasons or based on policy decisions was the case Humphrey's Executor versus the United States. So back in the early 1930s pre president Calvin Coolidge had appointed William Humphrey as a member of the FTC.
And he was reappointed. But after President Franklin Roosevelt took office in '33, he did not feel that Humphrey was supporting his New Deal. And so he requested him to resign and he refused to do so, so he was terminated. Now he died before the Supreme Court reached their decision, which is why the case is Humphrey's Executor versus the United States.
But in 1935, United States Supreme Court ruled that the FTC do serve at the pleasure of the president, and they may be removed at his discretion. However, they are a quasi-judicial body. And they cannot because they adjudicate cases, things we've talked about agencies and how they have basically all three branches of the government in 'em within themselves.
But the president cannot fire a member solely for political reasons. So it's almost like a lot of places for working, they can fire you for no reason, but they can't fire you for an illegal reason. So the president could have gotten rid of them for convenience, it sounds but it has to be per the law.
And this was not per the law as they say. I, again, this is a legal conclusion to come to mind, so I'm not going to go that far. But from what I'm looking at, it sounds like it's really not, however, but let's look at what they were doing. So as you were saying, they're all, they were both very outspoken proponents of privacy measures.
They had taken positions on facial recognition technology, biometrics, artificial intelligence as a whole, workplace privacy. So they were very outspoken on privacy issues. Are we losing those voices if the FTC appoints commissioners that are not both sides of the aisle, if they only appoint commissioners on one side of the aisle.
And these commissioners are very much driven by the whims of the president rather than being independent, which they should be. Are we going to see anyone that would disagree with anyone in the executive office? And quite often privacy does disagree with that. Let's be honest. Things that the executive branch wants to do are not always what we, from the average Joe on the street would say is something that is protecting our rights.
So this, it is something to worry about. Apparently blog posts that were criticizing big tech were removed from the website yesterday. Apparently the Director of Litigation at the Electronic Privacy Information Center, John Davison, said it cannot be coincidental. It's gotta be all coming down as different directions and orders that they're underneath.
His quote is that combined with the illegal removal of commissioners who have been extremely effective, regulators and critics of big tech certainly points to the commission laying off of regulating the companies that are engaged in these harmful large scale personal data abuses.
Now, just anecdotally, one of the things that we are seeing here in the US is a lot of certain companies getting a lot more business, a lot more support coming directly from the executive office. And that, that scares a lot of people working on issues because these big companies are not necessarily the ones that are most concerned with protecting privacy.
So you have to have someone to check that.
[00:14:12] Paul: Yeah, there is a bit more from the European perspective here as well. As I mentioned, the FTC oversees the Data Privacy Framework,
[00:14:21] K: Yeah, the thingy.
[00:14:23] Paul: the thingy.
It's the FTC, it's the Privacy and Civil Liberties Oversight Board. And at the third level, or the initial level, actually it's the inspectors general of the various agencies who are also playing a role in overseeing the processing of personal data.
And whether that happens all in accordance with the rules and requirements as agreed in the executive order, as agreed in the framework. Also there with all the dismissals that DOGE is currently trying to push through. Also on that level, there is a concern that a lot of those inspectors general are no longer on their posts, which means
[00:15:04] K: right.
[00:15:04] Paul: there are gaps
[00:15:06] K: Fundamental gaps.
[00:15:08] Paul: Fundamental gaps in the effective oversight
of the EU-US Data Privacy Framework. And in that light, it is very surprising that the European Commission is keeping completely strong. They haven't said a word, and I understand that interfering in the politics of another country is difficult, is not something that you do. Certainly not when there are all kinds of tensions already around the world.
But at some point the commission will have to speak out to confirm whether they consider that independent oversight still is in place and whether it is effective with so few members actually being in office in the respective oversight bodies, that will need to happen. The thingy also at some point needs a further review.
And then also the data protection authorities will speak out. And we've seen also earlier this week that the European Commission, for example, for the United Kingdom has said we are not going to do a full review of your adequacy decision right now because you are changing your legislation.
So that doesn't really make sense. So we'll give you a six months extension to wrap up updating your law, and then we'll decide on updating the adequacy decision. So basically the UK has been put on notice right now that if they change their law too drastically the adequacy could also end. I don't see the US that the European Commission doing something similar for the US as yet.
So at least to flag that they are concerned about these, these developments also from members of the European Data Protection Board, I think would be welcome because this is, from just an independence perspective, politics aside, from an independence perspective, this is a very dangerous situation.
We've seen it before in other jurisdictions. We talked about Mexico not too long ago, where indeed also the independence of the supervisory authority was, was touched upon because now all the supervisory authorities are integrated in, into the federal government agencies no longer independent.
So there we saw the development. We saw other commissioners that have been fired in the past where the courts did stand up. It's a rapidly changing world and
[00:17:32] K: Yeah.
[00:17:32] Paul: independent oversight somehow doesn't seem to be the foundation anymore, the accepted rule of truth. And you hear me searching for words and
for perspectives
[00:17:45] K: Searching for the right words to use to address a situation we never saw coming.
[00:17:50] Paul: basically really, flabbergasted what, what's happening here. And yeah, putting this to words is hard.
[00:17:57] K: It is difficult, and as I said, one of the things that our listeners or fans should understand is if you did not know that the FTC was the loudest privacy enforcement voice in the US. Just to give you a list of some of the things that they oversee. We mentioned COPPA. They also have the Health Breach Notification Rule, which is typically companies that are not covered by HIPAA, but have apps and websites that collect health data, whether they're
specifically working with healthcare organizations or not. It would be things like your watch collecting your heart rate and rhythms and things like that. So they have the Health Breach Notification Rule, COPPA. They have the Gramm-Leach-Bliley Act, which is the financial. They have
credit reporting, they have the Red Flags Rule, they have the thingy. They have a lot of input, not to mention the general input and what they became known for, probably quickest in privacy, was the fact that they enforced against companies under the unfair and deceptive trade practices act because of what companies say they do or don't do in their privacy notices.
So if they state publicly, they do something and it turns out they don't. And this is where we got rid of all the flowery statements about, we take your data privacy ultra seriously and we won't do anything to jeopardize it. And then they have a breach. Clearly they lied. And you shouldn't say things like that.
That was the old, flowery type of language that people were throwing in privacy notices trying to reassure people almost like a sales pitch. It needs to be the facts and only the facts that are in there. And so if under the facts they say, we don't sell your data based on the various state privacy laws, or if they say we do or whatever it is they're saying they do or they don't do, and they do the opposite, then the FTC can hold them accountable.
For those, and that's typically where a lot of the majority of privacy enforcement came from for so many years, were those privacy notices and what companies were saying they do. Now, right now, according to the article that I'm reading, there is a pending lawsuit against the location data broker, Ava. So we can only presume the FTC is gonna move forward with these cases. But what if they say now we're down commissioners, we can't, we don't have the personnel to pull this off and further we don't really have the interest in pursuing it. What's gonna happen?
[00:20:30] Paul: Yeah. Time will tell.
What, what will happen here. We obviously will we'll monitor we are in DC for the IAPP Global Privacy Summit. We'll see.
[00:20:42] K: That's gonna be a really interesting panel, right?
[00:20:45] Paul: Yeah. And we'll see. Maybe the former commissioners will suddenly turn up and then we'll try to interview them as well to see if maybe we, we get their perspective.
I don't know what's if they're willing to speak out in, in, in public at this time or save that for for the court cases.
[00:21:03] K: Was gonna say right now they seem to be speaking out, but as soon as they get an attorney to seek a lawsuit, they'll probably be told not to. And so probably as we're speaking right now, they have engaged counsel. I'm pretty sure, 'cause both said they were looking to sue.
[00:21:16] Paul: And that would make sense. So to be continued. And of course as soon as there is news from the European perspective, we'll share that as well.
[00:21:26] K: Absolutely.
[00:21:26] Paul: In the meantime, the world keeps turning.
[00:21:29] K: Storms keep coming. Rain
[00:21:32] Paul: Exactly, but also fines are being imposed by supervisory authorities, this side of the Atlantic for data protection violations.
I won't go on in, in into too much detail, but the Jersey Data Protection Authority actually announced its first fine earlier this week. It's 500 pounds, which doesn't seem much, but this is for a small company.
[00:21:54] K: But it's their first.
[00:21:56] Paul: This is a company that has been under investigation before for sharing personal data where they shouldn't have, they were under a compliance order. And still shared personal data in this case of an employee with interested but non-authorized parties.
[00:22:12] K: Yep.
[00:22:13] Paul: And given the way that was done and given the earlier warning the authority thought it was only the right decision to impose a fine in this situation and also to make clear to the people in Jersey again, the channel island that such behavior will be pursued,
And is not acceptable.
So that's one of the cases that we've been working on this this past here. The other fine is slightly bigger. That's 4 million Norwegian
kroner, which is about 400,000 euros to one of the telecom providers in Norway. And they have been fined. They've also received a compliance order and a reprimand.
So it was a triple sanction in an investigation into the independence of their data protection officer and the role that officer had within the organization. It was a lengthy organization. There were also some procedural issues because the Norwegian Data Protection Authority got a new director general during that investigation who had a conflict of interest.
So that had to be solved as well. So according to Norwegian law, you then need to appoint an acting director general for that specific investigation. So basically appoint an external commissioner to oversee what's happening. That caused delays, that also caused an impact on the fine. But all in all the question here is, first of all,
do you need a data protection officer as an organization? And then you need to look at the requirements in the GDPR. It's large volumes of data. It's sensitive personal data. It's CCTV, things like that. If you do not need a DPO, if it's not mandatory, then you need to document that. If you do need and if you, despite not needing a mandatory DPO, if you do appoint
a DPO, then they also need to meet all the requirements that an independent DPO should have. So if you are not subject to a mandatory data protection officer, then you may want to call the role differently because then you are not subject to all the mandatory requirements in the law. In this case, the Norwegian telecoms provider had decided to appoint a DPO in the early 2020s.
And there were concerns that they did not meet the requirements. For example, they did not have a direct reporting line with the highest level of management. Also inadequate internal control. There were no documented guidelines on what they could and couldn't do and how they would work, how they would do investigations.
So for all of that, the company was reprimanded. After the initial communication of the findings of the Norwegian DPA, the telecoms provider said apparently we do not need a DPO, so we'll just stop with this role. And that also was criticized by the Norwegian Data Protection Authority that then said, if you now say you no longer need a DPO where before you had one, then at the very least you need to explain to us why you no longer need one. And also document that. The fine in itself is really for the lack of accountability. So the lack of the technical and organizational measures surrounding the appointment and execution of the role of the DPO.
And then the reprimand was mainly for some of the other violations. It took forever because they started already in November, 2021. And only last week, March, 2025 the decision was published. That's in itself, I don't believe is unique in data protection land.
But obviously it is concerning as well.
[00:25:57] K: Yeah. Absolutely. And I think the last news that we have to share this is one that Ralph sent us. He wasn't able to be here today about the UK getting a six month temporary extension of their adequacy decisions on both fronts. The UK Parliament has more time to pass its data act before the commission assessment begins.
So they extended the adequacy decisions until December 27th, 2025. Now remember, they were originally passed in 2021, both for law enforcement and for personal data.
[00:26:33] Paul: Yeah, both the GDPR and the Law Enforcement Directive.
[00:26:37] K: And so right now though, their data act hasn't passed, so they're hoping this temporary will give 'em time to pass it and that way they'll have more oomph to bring to bear when the real adequacy decision comes forth.
They will have that. So just news that they're gonna get a six month temporary. Hopefully they'll pass the data act during that time they're expecting to do and then they'll undergo their true adequacy review, which happens every four years.
[00:27:05] Paul: It does. But this is also, this is not just up to the commission also here. The extension is a formal adequacy decision. So it will need to go through the EU member states and through the European Data Protection Board for advice before the European Commission can finalize that decision.
That's also why they announced it already.
[00:27:25] K: I was gonna say it cause, 'cause it takes about three months to get through that process and so they're hoping the decision's gonna be July through December for the extension.
[00:27:33] Paul: Exactly. So I would assume that neither will have difficulties in approving the extension. I think the real debate will come, especially from the European Data Protection Board perspective. The real debate will come when the new law in the United Kingdom is adopted and published in, in the statutes.
Because then the discussion needs to be had. Does this still meet the requirements of the GDPR? Are we still convinced that this means that we have an essentially equivalent level of data protection, and that if we look at the critics including Ralph, that remains to be seen. The final text obviously are not there yet.
But it seems that the text at the very least is more business friendly. And less fundamental rights focused.
[00:28:23] K: Is only to be expected outta the UK.
[00:28:25] Paul: It is what we expected. It is also what we would expect if there is ever a fundamental, a general data protection law in the US, that it would be more business friendly, more economic focused and less on the individual, but we'll see what the UK, what the UK law will bring, what happens. But there, the real debate will come and that also means that to allow time for that assessment and that discussion to be had the UK should move forward pretty quickly, and make sure that they adopt our legislative change probably this side of the summer.
[00:29:01] K: I would think it would have to be right
[00:29:03] Paul: know, we have this, this thing called in Europe called Vacations, um, that happen every July and August and we believe in it. We take them and, and then offices are closed and things like that, so that when the European Data Protection Board comes back in September, then there would still be four months for for that assessment to be finalized.