Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
A confusing week in Privacy with K and Paul!
Welcome to the Serious Privacy podcast, where Paul Breitbarth and Dr. K Royal, while Ralph O'Brien is out, discuss some fascinating news. Catch what's happening. First up - a decision from Spain on when data processing starts. We are so confused.
#unexpectedquestion what fruit would be disappointed by the name we gave it?
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
Tim: You're listening to the award-winning Serious Privacy Podcast, sponsored by TrustArc. Please welcome your hosts, Paul Breitbarth, Ralph O'Brien, and Dr. K Royal.
Paul: Hi everyone, this will be another week in privacy episode, because there is a lot to catch up on. We try to do a guest every other week, and that also means that some of the things that happen in the privacy community necessarily will not be discussed in those weeks. Unless, of course, it's breaking news; then we try to. So this week we're going to get you up on things happening in Europe, the United States, and beyond. In any case, some guidelines from the EDPB, some interesting court cases from Spain, signs from Italy. Alabama is happening suddenly, big and bold, and whatever more we can find. Sit down, relax, or walk your dog, or whatever you want to do. But stay focused, listen, and welcome. My name is Paul Breitbarth.
K: And I'm K Royal, and welcome to Serious Privacy.
Paul: Ralph is out this week, so you'll have to do it with the original duo.
K: The original duo. That brings back memories, doesn't it? For five years?
Paul: Guess what you get when you're working on this for seven years already, right?
K: For five years, it was just us. Y'all had to put up with just me and Paul. We're sorry. We're sorry. But it is what it is. We're not sorry.
Paul: We're not sorry. But we're also happy with Ralph, right? It brings an extra perspective. So before you know it, we'll also add an Asian perspective and make our recordings even more complex.
K: Oh my gosh, wouldn't that be fun? Or a Latin American one. We know some people in Latin America, some Australians, some Kiwis. Okay, so unexpected question. I've been wanting to use one of these for a while now. I'm gonna go with this one. What fruit do you think would be the most disappointed by the name that we gave it?
Paul: Wow.
K: He loves me. Let's just say he loves me.
Paul: The gooseberry.
K: The goose. Oh, I like that. I wasn't even going there. Odd. I like that. The gooseberry. You're probably right, because it has absolutely nothing to do with a goose or geese.
Paul: Exactly. Not in color, not in size, not in shape, not in flavor. No resemblance whatsoever.
K: Now you're making me really think. I thought I had an answer, but now I don't have an answer. But now I'm wondering if I do have an answer. I'm gonna go really legal and law school and say the tomato.
Paul: Uh-huh.
K: Because the tomato is not a vegetable. It is a fruit. It was classified as a vegetable by the United States Supreme Court for export purposes.
Paul: So the Supreme Court is wrong.
K: So the Supreme Court is wrong. It is not a vegetable, it's a fruit. And I think the tomato, tomato, would be very disappointed by that. Not necessarily the name, which was the question, but yeah, I think it would be very disappointed. By the classification. By the classification, right? So you could be named weird, but you could also be classified weird.
Paul: I think that's the same with people, right?
K: We could be named weird, or we could be classified weird.
Paul: Exactly.
K: I like it. What have we got for news? If this is a week or two weeks in privacy, what is top of mind in news?
Paul: Oh, top of mind for me is something that I saw from Spain, actually. It's a blog posted on the website of the Spanish Data Protection Agency: When does personal data processing legally begin? This is the consequence of a court case and a ruling by the Spanish Supreme Court. But we always know that this is a contentious issue between the United States and Europe. In the United States, processing begins as soon as you start doing something with the data. In Europe, under the GDPR, but also under the previous law, we always said processing starts the moment you start collecting the data.
K: Yes, and I agree with that. The US doesn't understand that doing nothing with data is still doing something with data.
Paul: Exactly. This court case, however, further widens the definition of when you start processing personal data. Because this is about the question... This is about an organization, a public administration, that had asked one of their employees for data related to their health, and the individual was required to provide diagnosis and medical treatment to justify certain absences. So he needed to provide information, or they needed to provide information. And they refused. So the question: is this processing of personal data, yes or no, the request itself? Ooh. And in the end, the Spanish Supreme Court concluded that yes, also the intent to process personal data, and therefore requesting somebody to provide information, means that you have already determined a purpose, you have determined what data would be necessary, you have determined a legal basis. So because of that, it would fall under the definition in Article 4 of an operation or set of operations carried out on personal data. And so the actual processing of personal data would already apply from the moment that you start determining the means of the processing as well as the legal basis.
K: I'm not sure I agree with that. I know I'm a little bit more, what would you call it, either liberal or conservative in the US, in that I don't agree with a lot of the when-processing-starts here. I do believe it starts on collection.
Paul: But you look very confused.
K: I am very confused, because I'm like, we think a lot about data we want to collect, and we discuss whether we can collect it, and we put it through a DPIA and we talk to our DPOs and our privacy officers and say, can we collect this? Is this legitimate? We want to collect it for this reason, but you can't collect it for that. Does that mean it's already starting?
Paul: It actually means that it would already be started. Also, if you look at it the other way around, and that's also stated in the blog, the ruling expressly warns that a contrary interpretation would generate a situation of uncertainty incompatible with legal certainty and the guarantee of the fundamental right to data protection. So the court concludes that the request for personal data is not a neutral or preliminary act, but is part of an activity designed, planned, and ordered to obtain data, which fully integrates it into the concept of data processing.
K: All right.
Paul: I can follow the logic of the court.
K: I'm done. I'm done. That's it, people. It has been a wonderful conversation. Bye y'all. I am so confused now, because based on what you said, I guess I can't really disagree with what the court said. But fundamentally I disagree with what the court said, but logically... okay, people, I'm at a loss for words. He had to pull this one right out of the hat, and I'm like, huh?
Paul: You asked what was top of mind for me since I saw this this morning. This has been top of mind because even though I can follow the logic, I had the same response you did: huh?
Unknown: Huh?
Paul: Does this say what I think it says?
K: I think it says what you think it says, but is it right? Okay, is there chatter out there in our community about whether or not they're right or wrong? Is anybody talking about it?
Paul: No, I haven't seen a lot of it, but this is also... the blog was released on April 28th.
K: Okay, so it's kind of had a week or so.
Paul: And only in Spanish. So it could be that people have just missed it. But as I said, my response was similar to yours. Huh? Is this what it says on the tin? Yes, it is. And I follow the logic. The reverse, I could not argue why it wouldn't be the case, why the intent to collect and process personal data would not or should not be part of the idea of data processing. Also because it comes with criteria attached. You need to define the scope of the processing up front, you need to define your purpose, you need to define your legal basis, you may need to do your impact assessments, all before you actually start the processing. So you need to give it a lot of thought. The only thing you don't have yet is the data, but the absence of the data...
K: The absence of the data? Are you really about to say the absence of the data and justify something with that?
Paul: Yeah, I think this is to be further discussed.
K: Yeah, something. You know I'm gonna take a screenshot of our expressions for this one and post it to LinkedIn. Just saying, you know that, right?
Paul: Yeah, it's good that I have a bad hair day then.
K: Good. I have a good hair day. I actually have my hair down from a ponytail or a bun, because I just had to do, not just had to do, but did a tabletop exercise with our company. And so since you're on with the board of directors and everything, I figured I better look pretty legit. Brush the hair, put on some lipstick, things like that.
Paul: Wow.
K: It's gotta look good and say good.
Paul: So what's top of mind on your end of the ocean?
K: Nothing that ranks with that. I got nothing. I will say that Alabama passed its personal data protection law, and I'm always surprised. For some reason, to me, Mississippi and Alabama are basically the only states that in their entirety qualify as Deep South. There's the South and then there's the Deep South. But Mississippi and Alabama are Deep South, and then you've got parts of Louisiana, parts of Tennessee, parts of Georgia, parts of Florida, parts of these other states that are also within the definition of the Deep South. But they're not hillbilly and they're not Appalachian. They're Deep South. So to me, the fact that Mississippi keeps trying year after year to pass a personal data privacy bill is significant. Not all states try every year, let's be honest, right? We call out the states that have a bill proposed because we're surprised. But then for Alabama to pass one, I think, is notable. I need to look up if it was signed into law.
Paul: Yes, it was signed into law on April 17th.
K: That's what I thought. And it goes into effect in 2027?
Paul: Yes, first of May 2027. So in two years, no, in one year's time.
K: Yeah, yeah, that's just like next year, which is crazy, people. We're almost to June, just saying, in 2026. This year is really flowing by, and I haven't nearly accomplished the stuff I needed to get accomplished. But to me, maybe it's not the only top-of-mind thing. You still have the other things going on, like the settlements with Roblox, which again, Alabama had a settlement with Roblox.
Paul: It's quite a bit of money, right?
K: Quite a bit of money, which I thought was significant, right? Because these are the things that matter. But let's see what else I have.
Paul: Yeah, let's see. Alabama settles with Roblox for 12.2 million US dollars, and Roblox agrees to improve age assurance practices. So this was once again a minor protection case without sufficient safeguards in there, especially for the chat function. And the fine is payable to the Attorney General's Safe School Initiative Fund. Roblox also has a lot of compliance orders, mainly on safeguarding, not using information collected for age assurance purposes for unrelated secondary purposes, establishing a default content mode to moderate and filter games that are age-inappropriate, using an 18+ standard rating, and so forth.
K: Yeah, and it was a $12.2 million settlement. So that was, again, pretty significant. A couple of the other things that really hit... I am not going to talk about the Secure Act proposal.
Paul: Because you consider it to be ridiculous?
K: Yeah, pretty much. Okay.
Paul: Done and dusted.
K: Yeah, there's a lot of people out there that are giving their play-by-play on that. I think there are better scholars than me that have reviewed that, Dan Solove being one of them, whom I should see in a couple of days, which will be a few days ago by the time this comes out, and I'm looking forward to seeing him for that. But there have been a lot of scholars out there that have examined this. I don't think I need to. I don't like it. But there is one thing that did hit me, the proposal, which I do want to look into, for the Children's Health Advancement Trust Boundaries and Oversight in Technology Act, that has also been proposed.
Paul: Okay, come again.
K: CHAT BOT. It's one of those backronyms, right? The Children's Health Advancement Trust Boundaries and Oversight in Technology Act.
Paul: Somebody really made an effort there.
K: I guess ChatGPT or Gemini or Claude or something, but this requires AI companies to create family accounts, giving parents control over how children and teens interact with AI chatbots. Parental consent and controls for chatbot usage, limits on manipulative design features, a prohibition on targeted advertising, and a direction to further study chatbot-related harms to children and best practices for parents. Now, y'all have been with us long enough, dear listeners, to understand that it's not the controlling of chatbot harms that I have a problem with. It's the requiring it to be family accounts that I think needs to be very carefully used, because there's a lot of vulnerable populations out there that, if their parents literally had to provide permission on what they could use chatbots for, might actually be endangered more than parental oversight would help. But this is nothing new to social media, right? I completely understand why this is coming out. There have been so many activities linked to people using chatbots to self-counsel and coming to a bad conclusion on you should go kill yourself, or you should go shoot up a school. And here's how to do it. Here's how I would do it. Here's the plans, here's the guns, here's the whatever. So, trust me, I get it. I understand there's a valid concern. I'm not sure the implementation of controls there is ever going to be an easy thing to do. I'm not saying it's good or bad. I'm saying there are dangers and it needs to be very carefully thought out and implemented. Because I would really hate to correct something that is only bad in a small percentage of cases, but is really good in a large percentage of cases, right? So I just think there needs to be a lot more thought and effort put into it and bringing in the right experts to provide testimony on it to say what are the harms, what are the risks, what are the benefits, things like that.
So I'm just not sure we're at that point where we know all of that yet to be able to dictate a law on it. And as you and I have discussed, we know that the laws out there are not necessarily aligned with the technology growth and spurts. And so it's really hard to try to fit new technology into old laws. We get it. Especially in the absence of a federal privacy or data protection law. So I get it. When something bad happens is when the lawmakers try to push through significant laws to address that something bad. And sometimes we get it right and sometimes we get it wrong.
Paul: We'll see where this law will go.
K: Yeah, we'll watch it. We'll see where it is. But hey, Connecticut passed a data broker law.
Paul: The thing I'm still struggling with in the US is all these mini laws, and it's all so dispersed and inconsistent and getting more so. Yeah, I think by now there are seven, eight, nine hundred different privacy laws, only focused on core privacy and core data protection issues, across the US. How do you ensure, especially as an SME, as a small and mid-sized entity, how do you ensure that you are able to demonstrate compliance and look at all these thresholds and when they apply? Do they apply to me? In what situations do they apply to me? What is so hard about creating just one law to rule them all? That applies to everything. Like a US GDPR.
K: Maybe we need to do a backronym for RING, R-I-N-G, so we could have one ring to rule them all.
Paul: Yeah.
K: I don't think Paul likes my sister humor sometimes.
Paul: Oh no, I'm just... my mind is just... No, it's true. I really can't follow the logic. Also not of the legislators. Why the small success of having a law on the books, yet another law that takes care of this tiny little thing, why that would be preferable to having a good debate about a broad law that applies to everything at the same time?
K: Exactly. No, I'm with you. And y'all have heard our frustrations with lawmakers, or trying to get them... it is mainly because of the lack of education of what privacy and data protection is, and cybersecurity and bad people and threat actors and all of this, and trying to get them to understand the significance of understanding these types of issues when they're changing out every two years. You get one class educated, and then bam, you have a whole new class in. So it's really frustrating to be able to get the knowledge passed across on a federal level. And so I guess they're tackling it on a local level. Think about the laws against using live body cam footage for lawmakers, or not lawmakers, law enforcement. And those are on a city basis. Not even a state. Those are on a city basis. Yeah. This is a week of blow my mind.
Paul: Yeah.
K: The next one that blows our mind.
Paul: Not sure whether it's going to blow our mind, but the European Data Protection Board has actually issued an opinion on, or guidelines on, the processing of personal data for scientific research purposes. So they have also further defined what scientific research actually means, also to ensure that not everyone and their mother or every single company can claim, oh no, but we do this for scientific research, without actually having any scientific approach. So they have six key indicative factors that should be considered. The research should be methodical and systematic. There needs to be adherence to an ethical standard. It needs to be verifiable and transparent. The organization or the researchers need to have autonomy and independence. There need to be clear objectives of the research, and there needs to be potential to contribute to existing scientific knowledge or apply existing knowledge in a novel way. Only if all of these six factors are met can you rely upon the scientific research legal basis in the GDPR, which will also allow you to rely upon a broad consent where not everything needs to be specified up front. So where organizations thought they could get away with a broad consent just by claiming that they have scientific research, those days are pretty much over now. And of course, this also has some effect on the individual rights, especially the rights to erasure, object, and withdrawal of consent, because that is also then to be seen in light of the scientific research. For example, if I understand correctly, you can say, I no longer want my data to be part of the research, but that would not have retroactive effect.
K: Because typically you can't, once things are already published and relied on, if you were to remove the data from that, you would jeopardize findings, right? You just can't. I did find this one interesting in Italy, that the Garante issued a notice to the hospitality industry clarifying that hotels, B&Bs, bed and breakfasts, and guest houses are prohibited from retaining copies of guests' identity documents beyond the time strictly necessary to transmit the required data. Yeah, for public security.
Paul: Okay, because this is actually a requirement that comes out of the Schengen Code, as we have a single travel area within the European Union, so no internal borders. And that means that you enter the European Union on the outside borders. By now, I think you have about a three-hour waiting period because the entry-exit system doesn't really work well yet. So you need to have a bit of patience and queue at customs, depending on the airport. But once you're in... but there is a requirement for any hotel, B&B or anybody lodging somebody commercially to register the ID number of the travel document of the traveler. It's registering the number, not making a copy, not taking a picture. It's just registering the number. And they need to keep that register to make it available upon request to law enforcement or the municipality, for example, for tax reasons or things like that, but mainly also for security reasons. But actually the only requirement is to document the number.
K: Then that means they really need to stop retaining the information.
Paul: Try having that conversation with somebody at hotel reception when you arrive late in a hotel, you want to go to bed, and the night watch who checks you in has no idea what the law says. He only has instructions from management saying you need to make a photocopy. Right. So even getting the copy back and putting your name or purpose or something on it, and blackening out any things that should not be there, is already a challenge.
K: Yeah. My point was you shouldn't have to issue guidance on that, but I guess you have to.
Paul: Yeah, also because the law is misunderstood.
K: Yeah, you need someone to say what it is. So another one, and then I want to get out of Europe and the US, because I think we have some pretty sexy things going on outside. But this one also got me, and that was the University of Edinburgh. How do you say that? Edinburgh?
Paul: Edinburgh.
K: Ah, okay. I was not near that. They found that many hackers on the CrimeBB forum have expressed their struggles to navigate AI tools to conduct cyber attacks, noting that AI security tools made systems hard to bypass. That's good. I like that.
Paul: That is good. I know you want to get out of Europe, but there is one thing that I do need to mention. One more, and that is a fine of twelve point five million euros, again from the Italian Garante, to the Italian Postal Service and Postal Bank because their apps are non-compliant. They claim security and anti-fraud technology, but the app basically requires access to all the other apps on a mobile phone, or at least understanding what apps are on the phone, so that would help to spot any criminals. There was no freely given consent, there was insufficient transparency, no data minimization, and also the DPIA that was conducted was inadequate. So the Garante got a little angry and said, no, you're going to pay a fine and change your practices.
K: Yeah, I like that. The Korea Internet and Security Agency signed a memorandum of understanding with Hyundai and Kia to strengthen cybersecurity and information protection across the automotive industry supply chain.
Paul: That's interesting.
K: I think that's cool. Given all the fines we've had for cars and Internet of Things, I think that's cool. But similarly, Vietnam, the Ministry of Public Security, seeks comments on its draft circular concerning the national technical standards on vehicle tracking devices and driver image recording devices. That ended like a few days ago, the consultation period. But there are still some things you can speak out on, I believe, in various places. California has a call for comments out for something that ends, I think, next week. And then there's another one that ends June 1st for AI. I think it's Portugal's AI draft seeking comments on it, and that ends June 1st. But we do have some in Latin America, which I love as well. Another consultation from the Superintendency of Industry and Commerce on updating the standards for personal data protection. It targets emerging challenges by AI and the protection of children in digital environments. If there's a theme we've heard for this year, it's been children.
Paul: Yes, definitely. I think that would be one of the core topics for 2026 for sure. When we look at Africa, Kenya is pretty active with a number of consultations, all open until the 15th of May. So when you hear this episode, you can still quickly respond. One of them is on cross-border transfer rules, and the Kenyan Data Protection Authority is explaining what rules apply when data needs to move across borders. So that would include adequacy decisions made by the Data Protection Commission. It could also be that the recipient has ratified the Malabo Convention, the African Union Convention on Cybersecurity and Personal Data Protection.
K: Nice.
Paul: There is a reciprocal data protection agreement with Kenya in place. BCRs are recognized, and there are some exceptions under explicit consent or necessity of a contract. But the guidelines also spell out all the further requirements specifically for cross-border data transfers. Also in Kenya, they are consulting on how to develop data protection policies within an organization and how to appoint DPOs within an organization. So for data protection policies, that document will outline the essential elements of what the policy should look like, offering step-by-step instructions for data controllers, and also sharing best practices. And basically the same is done for the appointment of a DPO in an organization. And for all three of those documents, comments are welcome until mid-May. I think that's a pretty big step. These are three vast topics that they release at the same time. So kudos to the Kenyan DPA for that.
K: Yeah, and I love that we're starting to see a lot more enforcement actions come out in Africa and Latin America. I don't like seeing a lot of enforcement actions come out of Asia, because they tend to have very strict things that really worry companies about whether or not they can even comply with it, without being able to issue any fines or do anything on enforcement to what the government does. And the government tends to be a bad actor in many cases there. But that's about it for me. Oh, Australia did issue a call... what was it? Issued guidelines on, hold on, I had that right here. Where did I go with it? A checklist on AI. Oh no. A checklist on accepting complaints and how you respond to complaints, to make sure that if you get complaints from someone, you are responding to those appropriately. So I'll have to clean up the language on that one, but there you go.
Paul: Yeah. And one more is that we want to give a shout out to Europrivacy, because they have managed to get the very first European privacy seal approved.
K: Yes.
Paul: Which makes their certification scheme, which is a business-to-consumer certification scheme, also enabled as a data transfer mechanism. So 10 years after GDPR went into effect, we actually have the very first certification mechanism.
K: I think you meant 10 years since it was passed.
Paul: No, I also meant since it went into effect, because that was the 27th of... No, you are right.
K: But yeah, it went into effect. It just didn't go into enforcement. Yes, okay. Yeah, sorry, I gotta turn my brain on today. I think my brain is still blown by the first news story. Yeah.
Paul: Well, I guess we then have to leave it at that, so that our brains and those of our listeners can slowly settle again.
K: I need time to recall, right? We should put a warning at the beginning of this episode. It's not explicit. What do they call it? Is it explicit? We have to mark whether or not the content is explicit. Is that right?
Paul: Yeah, that's explicit. But this is not explicit. This is just mind-boggling.
K: This is not explicit. Yeah, it's just mind-boggling.
Paul: And there is no tag for that in any of the podcast apps yet.
K: Brain blown. Brain blown. I think that should be tagged.
Paul: So that's it for this week. Next week we'll have another very fun guest.
K: Yes.
Paul: So I'm looking forward to that one. Until next week.
K: That's gonna be fun.
Paul: Goodbye.
K: Bye, y'all.
Tim: Now that was Serious Privacy. Please subscribe on your favorite podcast app and leave us a review. You can find us on LinkedIn, Instagram, and BlueSky at Serious Privacy. Feel free to drop us a question or a comment. We'd love to hear from you.