Our Sovereign Opinions (Week in Privacy)

Show Notes

Welcome to the newest episode of the Serious Privacy podcast, where hosts Paul Breitbarth and Dr. K Royal discuss the privacy and data protection news of the past couple of weeks. This week, Paul rants about digital sovereignty, K discusses new American legislation, especially to protection children's data, and together they also talk about the latest WhatsApp decision from the Court of Justice of the European Union.

If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

Transcript

Tim 0:04

You're listening to the award-winning Serious Privacy Podcast sponsored by Trust Ark. Please welcome your hosts, Paul Breitbart, Ralph O'Brien, and Dr. Kay Royal.

Paul 0:17

This is the first week in privacy episode of season seven. Only guests so far, catching up at the start of the new year, but only guests so far. And that means that we also have a lot to discuss. Nothing major, I would say, but quite a few small stories about digital sovereignty, signs over children's privacy failure, what else is new, a court decision from the CGAU, generative AI, the risk of becoming a Wild West. Isn't that that already? And also some new legislative proposals in the US. Again, what else is new at the start of the new year? As always, my name is Pal Breitbart.

K 0:55

And I'm K Royal, and welcome to Serious Privacy. So Ralph is out this week, so Paul and I are just gonna take it back to the original rate and bring you a week in privacy, but we're gonna start with unexpected questions. Alright, Paul, have you ever drizzled liquid soap on your finger like it's a hot dog?

Paul 1:17

I'm sure I have, but not deliberate pretending my figure finger would be a hot dog.

K 1:24

I'm pretty sure I have too. No specific occasions come to mind, but it sounds like something fun to do, doesn't? I'm gonna do it the next time I have to drizzle a hand soap over.

Paul 1:36

It's true. Although I try to reduce the volume of liquid soap that I'm using because you do realize that liquid soap is over 90% water that you're buying.

K 1:48

Yes, that is true. That is very true. So they do recommend for the environment that you buy the laundry sheets that are like the concentrate because it's not water. You're paying for water.

Paul 2:00

Regular blocks of soap.

K 2:01

So you should buy the laundry sheets to use instead. So yeah, so you should do that. Also for the environment, I have a friend. Actually, this is back on the same topic. Never mind. But also I have a friend that have tried the laundry sheets and they swear that they work just as good.

Paul 2:17

Yeah. They've been around here in Europe for many years already. It's fine. Is that something new in the US, really?

K 2:25

Okay, it's not really new. It's just not something a whole bunch of us do.

Paul 2:30

Okay. Are we not becoming a household podcast as well?

K 2:33

We're becoming a household environmental podcast as well.

Paul 2:36

We are because then I maybe should start promoting the company of friends of mine who actually make soap dispensers for blocks of soap that you can use in your kitchen and in your bathroom and in your shower and all of that. Not sure whether they use it in the US already, but go to lessosoap.com.

K 2:55

I'll have to check that out. I do know I take them when I go on a cruise and I never use them. Does that count?

Paul 3:03

Lessosop.com. L E S S S Less O soap. No, L E S S A O U soap. A O U.com.

K 3:13

Alrighty, there y'all go. We are all things.

Paul 3:16

Less O, less water.

K 3:18

Yeah, that would be like H2O, wouldn't it?

Paul 3:22

The scientific one, not the French one. Okay, let's just stick to privacy.

K 3:26

People, I think my brain is slow today. I'm just gonna say it. I Paul has gotten me every 30 seconds. Alright, you know, how about we actually do some privacy?

Paul 3:37

It's 6 15 p.m. at my at my site and you're just at lunch.

K 3:41

I know, it's bad, right? It's bad. I have no excuse other than I am now nine days away from going on vacation. And I'm going on a Mexican Riviera cruise. So my brain is already gone.

Paul 3:58

Wow. Okay.

K 3:59

By the way, I won't be here that week, other than I think we're in port that day, so I'll have to look and see what time that is for us to see if I'm here. But I think Ralph is already out that day. I think it's February 25th or something. I'll have to see if I'm leaving you by yourself.

Paul 4:15

We'll figure something out. There will always be a podcast.

K 4:19

Alright, let's talk about some privacy stuff. Shall we, what you got going on? I know we have a few things over here.

Paul 4:26

Exactly. We have a few things going on. Let's start with digital sovereignty, because that's the topic of the day, in any case in the Netherlands, but I guess across the European Union at the moment. Not surprisingly, Europe is debating what we should do about becoming less dependent on the United States for political reasons. And there are quite a few parallel discussions going on. First of all, European capital, so the member states, are calling more and more to see if we can find alternatives to US tech, could be getting away from basically the big tech companies, Microsoft, Google, Apple, not so much for the devices as for the software and especially also for the hosting of sensitive data, anything that's government-related, but also for big organizations in the private sector who become less and less comfortable, I would say, with having their data in the US and possible retaliations from the US government as soon as they do something that isn't liked. Finland earlier this year even gamed out the scenario of a US tech kill switch in order to prepare. So if the US would ever say, Oh, we just stop you from accessing services, what would happen then? Um and here in the Netherlands, um, experts are also pleading to do a cloud uh a cloudless Wednesday exercise, meaning that we would just switch off all US tech, not in all sectors at the same time.

K 6:04

Because that could be devastating.

Paul 6:06

That would be devastating probably, but to start testing what would the impact be, even if we switch it off for a couple of hours. So this is not something that obviously will happen tomorrow.

K 6:18

Oh, we hope not.

Paul 6:19

Switching off, hopefully not, no, but also becoming less dependent on US Tech will be very difficult because right now there are European-based alternatives, obviously, but not as integrated and not at such a large scale as US Tech would probably have to be.

K 6:37

Not as adopted, yeah.

Paul 6:38

Plus, it's all integrated across governments across the European Union, but that member states are starting to change this. In France, for example, that officials will no longer be allowed to use US video conferencing tools as Teams and Zoom as of next year. They will switch to a French-built platform called Visio. The city of Amsterdam, here in the Netherlands, set a 2035 deadline to become independent of US tech. The Netherlands new government, which takes up office on the 23rd of February, will have a Secretary of Spa Secretary of State for the digital economy, and one of her portfolios will also be to look into data sovereignty and to into creating a government cloud. And we have, as we are recording this, a big debate in parliament going on for our government online identification system that's currently run by a Dutch company called Solvinity. And they are bound to be acquired by the American tech company Kindro. And also here, the Dutch parliament and the Dutch government are concerned because they say this is critical infrastructure. This is the way that anyone can communicate with the with the Dutch government based on your social security number, basically. So to change that to a US company, to have all that data in the hands of a US company, that might actually put the critical infrastructure at risk. A vast majority in Parliament says this is not a good idea, and we should block the takeover of Sulvenity by Kindle and find a European investor instead.

K 8:23

There was this one article in particular I found that I think is a really good summary of some of the activities that have gone on, is talking about the launch in early January of the data, the Danish initiative, Digital STEM, Digital Voice, which aims to help individuals regain controls from the big tech giants. Now they're calling the tech giants the Gaffem, the Google, Apple, Facebook, Amazon, and Microsoft Gaffem. There you go. But they said that they launched the initiative on January 1st, which is about the time that, you know, the Trump over here announced that he was going to take over Greenland. And they said what reinforced that was really his picture after he was elected with all the tech giant presidents. It made people in Europe start standing up paying attention. And then in the year since then, just over a year since then, they had been lots of different efforts. In Germany, the Chaos Computer Club, which is apparently Europe's oldest and largest hacktivist group, launched digit, what did you call it? The Digital Independence Day or D-Day, D-Day?

Paul 9:29

Yeah, that's what they're trying to claim. Yeah.

K 9:31

Yeah, that that they did that. And so uh they're looking at this. But here's the thing: when you're talking about these growth, just like Paul said, looking at trying to switch off from them, it's not a monopoly, but it's a monopoly. There are alternatives to these companies, but they're not nearly as well embedded or well adopted or adopted across the general population. You have to interact with consumers, you need to use a technology that the consumers use. How do you make that happen? Usually right now we're in uh what we're using Word or we're using Google Docs. This would be both of them gone. So you don't have Word, you don't have Google Docs.

Paul 10:11

No, it starts to feel a bit like 2016 when the buzzword in privacy was interoperability. And that is something that you would need to ensure.

K 10:22

Yeah. So is a better option, a better compromise, not necessarily blocking US tech, but doing what US tech tried to do with TikTok is make it a local owned, I say local, being US local, but trying to think of the European countries, it would be a locally owned tech company that you would have to sell all. The US owned Microsoft and the US owned Google, and a company local to Europe or the UK would have to purchase it, take it over, run it as a European company, and the data would not go back to the US company.

Paul 11:01

I don't think that would work, first and foremost, because most European leaders do not have tech billionaire friends who can just tell them, hey, my friend, you just buy a share of this company, as has happened.

K 11:14

Just such a power.

Paul 11:16

TikTok. Yeah. I think that's can I control the other more complicated legal factor would be that the US would still have the USA Cloud Act.

SPEAKER_03 11:29

Yeah.

Paul 11:29

Which is the key concern here. Also not sure that those kind of things would be solved actually through by the acquisition of TikTok US or the split-off of TikTok US from Byte Dense.

SPEAKER_03 11:42

Yeah.

Paul 11:42

I fear that Chinese surveillance laws could still apply, but that the public is less aware. Maybe even the US government is less aware. But the other way around, we know about the USA Cloud Act and that it has a very broad extraterritorial scope, that the US government doesn't care whether data is hosted in the European Union or not. We've seen that in the Microsoft Ireland case, where they said, no, I mean, find that there is a conflict of laws, but US law always prevails over any other law. The blunt summary of the court case. So I don't think that is a solution that would work.

K 12:19

No, but you've got to get creative like that, right? You can't just say, bam, we're cutting off US tech because it is so pervasive and infectious. Let's just be honest. It's pervasive, it's infectious, it's everywhere. But you have to get creative. You can't just say cut it off. Or is that the solution? If you can't really be creative and you poo any creative ideas, and I'm not saying you as in Paul, but in general, government, anyone that has these interests, if you can't say just we're done, is that it? You just cut you just cut the cables, you cut the cloud connection, you're like, okay, we're as of this date, find another solution.

Paul 13:01

In in the worst situation, yes, that would be that would be something that we would we should be ready to do.

K 13:07

Yeah. Especially at part of resilience. There's a lot of resilience laws that are going active now, and it talks about identifying your critical IT solutions. I think they're called communication and technology solutions, CTO or something. So your ICT, your information communications and technology providers. Identify your critical ones. Your critical ones are Microsoft, Google, Apple, Amazon, Amazon. These are your you probably don't rely on Facebook or Meta for much for that. But those are your critical ones. Nobody can solve for that. I call them mission critical ones only because if they go down, the whole world is down. You cannot switch to another provider in 24, 48, or 72 hours in order to continue your operations.

Paul 13:59

No, you can you cannot, but maybe you can in nine years by doing it gradually and doing it step by step. And if you make a plan today to say, okay, we have a 2035 deadline, and by 2035, we want to have the possibility to be autonomous for all things digital. That also means that you should also start selecting European vendors when you select somebody new for your office infrastructure, for your cloud hosting, to run just all the basic uh software, email, document editing, spreadsheets, all of that.

K 14:36

Yeah, communication.

Paul 14:37

There are European and open source vendors who do that. It might not all be an all-in-one package like Microsoft or Google would offer today. It might not be at similar costs. It may not be as smooth right now as it would be in a Google Suite or a Microsoft 365. But it is something that could work in a couple of years' time. And if there is pressure from all over Europe, hey, we want to become more autonomous, then also developers and tech companies would be willing to start developing more if they know that they have a client base in Europe.

K 15:15

If they know that they have a client base. Because there's the thing, what you said was really impactful. They're not going to be as inexpensive. They're not going to be as interoperable. They're not going to be as a combined package. It's going to take you back to the days of tech when you had to have different providers for different things and work on it, which reminds us once again that privacy and data protection is a luxury item. If you want to cut the cord of dependence on these mega US technology companies, it's not going to come cheap. That's one of the things that comes with being a globally dominant technology. You can offer it cheaper and cheaper because so many different companies are buying it.

Paul 15:59

Plus, you have another branch of your company who only does advertisement making a ton of money there.

K 16:04

Yeah, exactly. So privacy is a luxury item in many cases. You have to pay for it because, again, if it's free, you're the product, right? So if you don't want to be the product and you want other technology that can offer similar capabilities, it's not going to be near as cheap as it is. But it comes with the benefit of being more private, offering more data protection for European or UK individuals. I guess I could just wrap UK in European because it's European Union, they're Europe. Doing that, then it's then you got trade-offs. But as Paul said, you got nine years. So AI, as you're listening to us and absorbing the podcast, you've got nine years to take over the world before the world cuts your umbilical cord.

Paul 16:51

Yeah, but then maybe also focus on European AI. That's also a choice, right? Are you going when you build your products? Are you using the American AI large language models? Are you using OpenAI? Are you using Lama from Meta? Or are you focusing on European models like Mistral or the ones other ones made in Europe, government-based LLMs like here in the Netherlands or in Finland, requires work, requires tough decisions. I don't agree with you that privacy is a luxury. Yes, it comes at a cost, certainly today.

K 17:28

Well, that's how I'm defining it as a luxury item. It comes at a cost.

Paul 17:32

Yeah, but it is a fundamental right, and fundamental rights are worth protecting. So even if that does come at a cost, also the right to life is something that comes at a cost.

K 17:43

Our rights are not free by any ways or means, right?

Paul 17:47

And we've seen that also in recent weeks, also in the United States, we haven't discussed really what's going on in in Minnesota, where ICE is using facial recognition at a massive scale. And the Palantirs of this world and the Clearview AIs of this world are making tons of money just by the usage of their facial recognition and other security technology heavily relying on personal data analysis.

K 18:16

You know, let me give you a link and I'm gonna drop it in the show notes and I'm gonna talk about it here. There's a guy on social media that I follow, We Rate Dogs. And every week they do their we rate dogs, and this week they were good again, and you could buy merchandise and all of that. He put out a thing on social media on one of his things. He put out a section on the Super Bowl ad about ring doorbells helping you find lost dogs. He said, finding lost dogs is not Amazon's business model. Oh no. Business model is data. He says, no, they don't sell to ICE, but they sell to this company who sells to ICE and gives it to ICE. And he went through the whole thing and laying it out. And my only response to him was, dude, I'm a global privacy attorney, and right now you are my hero.

Paul 19:07

No, I mean he's perfectly right. And it's not just Amazon selling the data, it's also users clicking a button in their settings saying, Oh, make this stream available by default to law enforcement.

K 19:18

He said it is a mass consent mechanism. This was not an ad about helping you find your dog. This was a mass consent mechanism designed to get you to sign in to the sharing your ring data for law enforcement, for ICE officials, for everything they could possibly think of to use your data for. Your neighbors just became your informants.

Paul 19:40

Yeah. Where did we know that before?

K 19:45

Yeah. So I will drop the link to that. I'll try to save the thing and drop the link into it, but I have to tell you, dude, we rate dogs. You just became my hero this week because there are millions of people that pay attention to his account, and he just informed them about this Super Bowl ad that really tugged at your hearts for finding the dogs. And he's and people, they are not about finding That's absolutely true.

Paul 20:08

So what's new on your end of the world? Now that my rent is over.

K 20:12

What do we have going on? I will tell you of something that that hit me hard. A friend of mine who's a professor, she's lived in Canada the entire time she's been a professor. And about a year ago, they told her she had to move to the U.S. So they did, and she's from the U.S., but her husband's Canadian, so her kids are are citizens of both countries. So she moved to the U.S. And yesterday they had a school shooting. And one of their friends lost his life, and another of their friends is in the hospital in critical care with bullet wounds to her neck and her head. And it's just painful. It's painful because this would not have happened where she lived in Canada. So we talk about things being good or bad, U.S. versus the rest of the world, and we got our challenges here. I'm not going to deny that. We got our challenges. We have our benefits too. Thank God for a lot of what we had here. But it just seems every day there's more and more that just weighs down on you. But let's talk about some privacy things happening, right? There are some privacy bills being proposed.

Paul 21:16

In any case, I saw Illinois proposing a Consumer Data Privacy Act, pretty similar to the 2025 proposal, but I guess like in all states, the Senate or the General Assembly ran out of time, so it needs to be resubmitted.

K 21:33

And it will be, it'll be refiled. There may be a few changes to it based on feedback they got, but it'll be refiled. IAPP does a wonderful job of tracking the state for things that are proposed. Under tracking was updated February 10th, 2026. Paul and I are recording on February 11th. So right now, introduced, we've got Arizona, Illinois, and New Mexico have. Some introduced. These are basically omnibus privacy laws. In committee, we've got so many others. We've got Alabama, Hawaii, some others in Illinois, Massachusetts, Michigan, New Mexico, New York, North Carolina, Pennsylvania, South Carolina, Vermont, Washington, West Virginia, and Wisconsin have some bills in committee. In cross chamber, we don't have but one. That's Georgia, and that is the Georgia Consumer Privacy Protection Act. It's been proposed before. It hadn't passed, but we'll see what it does. So it's in cross chamber. And then also we've got Pennsylvania and Vermont have some in, and Massachusetts have some in cross committee. We don't have any passed, and we don't have any signed at this point other than your normal ones. But we do have some that are going into effect this year or went into effect this year, which I don't know if we called the. I know we did our end-of-the-season state privacy and let you know which ones were in effect. But in case you missed them, Indiana went into effect this year. Kentucky went into effect this year, and one other went into effect. Rhode Island went into effect this year, all on January 1st. So pay attention to those. I do think it's interesting to see Massachusetts once again on the board because Massachusetts was the first state, and only state really that has passed an omnibus security law. 201 CMS, no, 17 CMS 201, something like that. I get my numbers mixed up, but we know the security law for Massachusetts. They keep trying to get a privacy law passed. So thank God for that. I will say South Carolina hit the news because we're trying to get a kid's code passed here, which is interesting. I like seeing that happen. And as the kids code means that as you are programming software, programming your activities, that you are keeping kids' privacy and security in mind as you do it with the transparency and with the controls baked in place there. So I may have to connect with people in South Carolina and throw my support behind that because I do believe in it very much. And that's what we're seeing a lot of the bills proposed around is kids' safety. We gave you an alert year before last, was it 2024, that the regulators were going to focus on safety for kids. And we have seen that. We've seen a lot in enforcement.

Paul 24:30

Still happening in a lot of jurisdictions also here in Europe.

K 24:34

Across the globe, children's safety became a big thing.

Paul 24:37

We may need to get weighing back on or ask him to record a a brief section for us, because one of the things that continues to bother me when looking at all these draft laws is the definition of consumer, which is so limited, always only limited to a resident of this of the specific state.

K 24:57

And I the state can only pass laws that apply to the residents of the state. Now, if you notice, they're not saying the citizens of the state and or anything. But we do have a a commerce provision of the Constitution about states impacting commerce from other states. You're looking at me like let's get Wayne on board to talk about this. The intercommerce commerce act. Yeah, okay, yeah.

Paul 25:34

And also it just I it doesn't make sense to me. This is like the meme with the guy in front of the math the math board in class, and it doesn't compute in my head how you can be so you want to have legislation to protect people, and then you say, Oh yeah, but it's only for our people. And it just doesn't make sense to me. Yes, Wayne, please come back on to explain this.

K 25:59

Let's get Wayne back on here. We love Wayne Unger, um, who has been winning awards. He has his own podcast on constitutional law, which I can't remember the name of it for the life of me. We dissent or something. I'd have to look it up. We've had him on here a couple of times. I think the first time was when either he was a student or he had just graduated. Now he's a professor. He and I have written a data privacy and security case law book.

Paul 26:22

Discourse. Discourse with Wayne Unberg.

K 26:26

He's simply fantastic. So we will get Wayne back on here, I promise.

Paul 26:31

Good. Yes.

K 26:32

I'm dropping him a note as you're talking.

Paul 26:35

Very good. What else is new? We have a change at the helm at OneTrust. Camille Bardet stepping down as CEO, moving to the board, and John Heyman coming in.

K 26:46

Who doesn't seem to have any privacy experience whatsoever, but he's got business experience. So there we go.

Paul 26:52

Exactly. We have a sign in the United Kingdom, almost £250,000 for Media Lab AI, which is the owner of image sharing and hosting platform Imager for failing to use children's personal information in a lawful manner. No age check as required under law processing personal information of children under 13 without parental consent, and also no data protection impacts that have been completed. We have the Dutch DPA issuing guidance on generative AI under the headline without clear values, generative AI risks becoming a Wild West. And they share some guidelines on how to move forward responsibly using generative AI. They also make very clear that they're not here to block the use of generative AI, but they want to understand, or they want people to understand that they need to keep thinking. They also said upon publishing this report, they have started to collect information from companies with information requests. How are you using generative AI in your day-to-day? And they've been pretty surprised and shocked, disappointed about what they've found so far. Companies using it but not really understanding what they are doing, senior management being insufficiently aware of what's happening. So this will be also a focus point in enforcement for the next couple of years.

K 28:23

Yeah. And speaking of children, so this is only our third episode for the season.

SPEAKER_03 28:28

Fourth.

K 28:28

Or maybe third came out already. This is the fourth episode for the season. But there's some things that happen late, late December or early January that we hadn't discussed yet. One of them being the FTC order about Disney paying $10 million in a settlement for mislabeling YouTube content around children. This isn't a big fine, but the allegations me uh are around them not labeling the YouTube content as made for kids and all collecting children's data against COPPA. And apparently Disney had been warned about this multiple times. So they have to notify their parents about their past infractions. They have to obtain verifiable parental consent, which by the way, we know under COPPA is ridiculous, but it is what it is. Um, and they have to implement a long-term compliance plan. So again, children protection. Some of the other things that we hadn't touched on that happened in January was let me just pull here. So cookies under Ceneal. So Ceneal actually issued a final guide on cookies and managing multi-device consents. So how do you do it from your computer to your phone to your iPad to your whatever? But also the Frankfurt court confirmed that their law applies to everyone who is involved in setting the cookies. So all the parties are liable under the law. So they can roll that out to a lot of people, which has been a question of who do you hold liable for improper cookies and notice and opting out and everybody? They're saying everyone's liable. If you stuck your finger in it, you can be held accountable for it. More on AI and cybersecurities. We talked a little bit about the EDPB and EDPS joint opinion already, so I'm not going to go into details on that one or the cybersecurity. But what about Vietnam enacted a decree providing guidance and enforcement for personal data protection? They had, they rolled theirs out. It allows small businesses and startups to opt out of certain obligations for five years unless they handle the data of over 100,000 individuals. So love seeing that out of Vietnam. United Arab Emirates also enacted a decree requiring digital platforms to deliver online children's protection. I knew there was another children's one sticking out to me somewhere. This is the UAE one for doing that. And it applies to all uh internet service providers and digital platforms targeting children in the UAE. Um, and then a new one on Taiwan enforces their first artificial intelligence law, which I think we mentioned as well. So catching us up from where we've been a little bit, I think this is our first really week in privacy that we've done. We've had guests a lot. And by the way, yes, we have not forgotten y'all. We are planning essentially every other week, or maybe sometimes we'll skip a couple of weeks, is being the week in privacy because we know that is very, very important to y'all that we cover the new laws coming out, the enforcement decisions, and the information that really pertains to you doing your job on a day-to-day basis, right?

Paul 31:36

Exactly. And then to wrap up this week, and we still have a decision from the Court of Justice of the European Union in the WhatsApp Ireland case. Uh you may recall that back in 2021, the European Data Protection Board issued a binding opinion to the Irish Data Protection Commission saying that their uh draft decision into a WhatsApp investigation was not strict enough, was also that too light indeed, that the sign amount was too low. So the binding decision was you should amend your report. WhatsApp challenged the decision of the EDPD, first of all, before the general court of the European Union, and the general court said no, this is not something that you can challenge in court. So we are not even going to rule on the merits. And WhatsApp appealed before the Court of Justice of the EU, as you expect. And surprisingly, at least to me, the Court of Justice now has said, no, a binding decision can be challenged before the European courts directly, a binding decision from the EBPB. It goes back to the general court, who will then need to decide on the merit of the case.

K 32:47

And by the time it actually goes back to Ireland, we're going to be two or three commissioners beyond the one that made the decision.

Paul 32:54

That's the thing, it probably will not go back to Ireland this way because WhatsApp filed the case immediately before the European courts and skipped Ireland altogether. Or maybe they have a parallel appeal in Ireland, but that's not part of this court case. And it surprises me because the European Data Protection Board in itself has no oversight over private sector organizations. It only can issue binding decisions to its members. And yes, they can have a consequence for other organizations, including private sector companies. But I would have expected that to be to be part of the national procedure when deciding upon the merits and not directly a European one. Ralph doesn't agree with me. Ralph agrees with the court. He told us earlier today when we were preparing for today's episode. But yeah, that that's where we stand.

K 33:46

Do we have any rationale for the court in there? I'm sorry, I have not pulled up the opinion and read it. I've only read the stories about it. But did they give any rationale as to why they would deviate from what someone of your experience would expect them to do or say?

Paul 34:00

Aaron Powell The Court concludes that the decision is an act which emanates from an EU body and which is binding vis-a-vis third parties, in this case, the Irish Supervisory Authority and all other supervisory authorities, but it also has a direct concern to WhatsApp, since it brought about a distinct change in the legal position of that undertaking without leaving any discretion to its addressee. So because the binding decision was so specific, the court has said, no, this is of direct concern to WhatsApp, and therefore it can be appealed directly to the European court. So I guess if in future the EBPB would issue their opinion saying we don't agree and we give you a range, and it's in the end your final decision, but you should be stricter and it should be between so and so and you should include in your report violations of this and that, then maybe it's not as direct a decision and that would then not be allowed to appeal. I don't know, but that's what you might read between the lines. But I'm pretty sure that all our lawyers would disagree with that.

K 35:06

I'm sure if you got two or three lawyers in the room, you'd have five or six opinions.

Paul 35:09

So on that note, I don't know if you agree, but I think we'll call it a day.

K 35:13

I agree. Okay.

Paul 35:15

See you next time.

Tim 35:16

Goodbye. Now that was serious privacy. Please subscribe on your favorite podcast app and leave us a review. You can find us on LinkedIn, Instagram, and Blue Sky at Sirious Privacy. Feel free to drop us a question or a comment. We'd love to hear from you.