Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
Around the world in a week in privacy
In this week's episode of a week in privacy, hosts Paul Breitbarth and Ralph O'Brien discuss some key movements in privacy, data protection, cyber law, and AI around the world. Dr. K Royal was off speaking at a Governance or Emerging Tech and Science conference in Arizona. Join Paul and Ralph to cover both the highs and lows and share concerns about trends we are seeing.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
You're listening to the award-winning Serious Privacy Podcast sponsored by TrustArc. Please welcome your hosts, Paul Breitbarth, Ralph O'Brien, and Dr. K Royal.
Paul: From Europol to New Mexico, from the Netherlands to Russia, and from California to Canada, this must be a week in privacy episode. My name is Paul Breitbarth.
Ralph: My name is Ralph O'Brien. And welcome to Serious Privacy. This is Superb Paul. Not Super Paul, of course. Of course we miss K.
Paul: Of course we miss K. But were you going to say this is superb, this is going to be a men's only episode? Not at all.
Ralph: This is a mammal? Yeah, a mammal. A mammal, my god. Yes, just circumstance. We should, of course, represent the diverse range of opinions as we can, of course. I was more surprised by how quick your introduction was, but we do actually have a lot to talk about because the world doesn't stand still while we have guests.
Paul: Nothing major, but they're all nice small topics, I would say.
Ralph: Indeed. So I'm going to do the unexpected question for a change. And this is just one I've randomly pulled, so I haven't had too much notice. I don't even know what I'm gonna say yet. Random question from the internet. If you were a car, what car would you be? Why would you choose that particular make or model, Paul?
Paul: I would probably be a Volvo 760. Okay. Nice and reliable, goes on forever, quality stuff. I'll also tell you what I wouldn't be. I wouldn't be a Yango Taxi.
Ralph: You wouldn't be a Yango Taxi. I will get to Yango Taxis in a minute, of course, yes. Yeah, I think for mine, let me just think. Well, I'd have to be something that wasn't a gas guzzler. But having recently got an electric car, I have realized how data slurpy they are, so an app for everything. I'd probably be something manual. And because I've been going to the gym for the first time in forever all week, feeling the aches and pains in my bones and muscles, I'd probably have to be something old and knackered and manual as well. I think I'd go for a good old reliable sort of Toyota estate or something along that line as well. I should say some sort of sexy Aston Martin or something like that.
Paul: You don't want the Flintstones car where you actually need to do the exercise to get the car driving.
Ralph: When the heels hit the road itself, yeah. I've owned cars where they fall apart enough. That's certainly an option. There we go. So you mentioned taxis, Paul. Shall we start there?
Paul: I did mention taxis, yes. We can start there. And this is a fine that was imposed by the Dutch Data Protection Authority at the start of the month, a fine for the taxi app Yango. And Yango, actually the company behind it, MLU BV, which is established here in the Netherlands. Yango is a taxi app similar to Uber or other ride-sharing apps, mainly used outside of Russia in Norway and Finland. There were complaints against this app for alleged illegal data transfers back to Russia. So the Dutch DPA, as lead supervisory authority for the headquarters of the company, together with the data protection authorities in Norway and Finland, has investigated. And the investigation shows that the app indeed collects and stores a significant amount of personal data, both of customers and drivers, on servers in Russia, including some sensitive data, for example, scans of driving licenses, home addresses, contact details, account numbers, exact location, trip data, images, chat conversations, and also social security numbers. So sensitive, not necessarily special categories of data, but it's all going to Russia, where, as we know, data protection law is not as strict as in the European Union. There is no adequacy, there were no proper safeguards in place. And they have also received a compliance order to immediately cease all data transfers to Russia. And I think this is the first major data protection case against a Russian company. We've seen issues, of course, for data transfers to the US. We've seen data transfers to China, but I think this is the first one that is for a different country. A fine of 100 million, and it's not even a cease and desist, it's actually a processing prohibition. That means that it will not be conditional immediately to an additional fine. Although if the processing continues, obviously the Dutch DPA can further impose sanctions.
But for now, it's 100 million euros and the obligation to stop processing, and that means all the data transfers of Norwegian and Finnish users of the Yango app to recipients in Russia. MLU has announced that they will appeal the decision. As far as I'm aware, this will probably end up before the courts in the not too distant future.
Ralph: Yeah, it is interesting, isn't it? You issue a penalty of 100 million. I don't think there are many companies that are probably just going to roll over and go, okay, then, cost of doing business. You start issuing 100 million, there'll be a challenge in the court somewhere. Just remind me, Paul, I'm not familiar with the administrative law of the Netherlands. I take it whilst the appeal is happening, they're not going to stop the processing.
Paul: They have to, because that applies immediately. At least until they get a court to rule on it, that's a possibility. But this is a processing prohibition. So I would say that this applies actually straight away. Whereas if it would have been a cease and desist order, then it probably wouldn't apply until the end of the appeals process. This is effective immediately until a judge would say we suspend the decision pending review.
Ralph: Okay. Yeah, no, that's absolutely fascinating because we've often said, and I think we've said on the podcast before, the ability of a regulator to say stop processing personal data or stop transferring personal data is to me far more impactful than the financial penalty. Because that'll shut you down, right?
Paul: It could, it could for sure. And especially in this case, I don't think, if your app is built to host everything on a server in Russia and that's the way the whole app is designed. We've seen how long it's taken TikTok to establish their US entity and ensure that all the data is kept on US servers. That took, what, almost 18 months, I think, between the first announcement that it was coming and it actually happening. So in the interim, I don't believe that this company, Yandex, would be able to just at the snap of their fingers stop all data transfers to Russia and make sure that the app still continues to work. But we'll see. It's an interesting fine. It's not at the exact maximum that the GDPR would allow. Obviously, 4% of global turnover. Turnover for the mother company, which is called Right Tag, is converted into Euros just over 12 billion. The maximum penalty would have been 483.2 billion euros, and the Dutch DPA have taken what, about 20% of that. So it's far from the maximum, but it also means that there is still some room for further enforcement if need be.
Ralph: That's amazing. Yeah, I've got a sort of an issue around enforcement in general. We were just talking before the call, so I'm always a fan of seeing a regulator use the full range of their powers, not just the financial penalties or reprimands, but the full range, including everything from naming and shaming or a light tap on the wrist to a notification that they might be breaching, or as we said, full prohibition.
Paul: Yeah, processing bans are, in my view, the best way to enforce, especially in scenarios like this. And I'm also happy to see that it's not yet an American company, but it's actually another jurisdiction that we are looking into. And the report, which is only available in Dutch, also has an extensive analysis of the applicable legal framework in Russia and also of the corporate setup of Yandex. So you can actually follow along pretty well how all of this is done, what the conclusions of the DPA were, how this is dealt with from a legal perspective. So I'm hopeful that this will also hold up in court. That will take a while, so this will no longer be the problem of the chair, the current chair of the Dutch DPA, Aleid Wolfsen, who comes to the end of his mandate on the first of August, but of his successor, Geert Potjewijd, which is internationally, of course, an impossible name to pronounce. But he has been appointed last week as the new chairman of the Dutch Data Protection Authority. He is a data protection lawyer, he has a lot of experience on the topic, used to co-head the data protection and cybersecurity practice at Dutch law firm De Brauw Blackstone Westbroek, and has also been chair of the board of that law firm. While a lawyer there, he represented Meta and TikTok among other companies, which in my view is to be expected if you head up the practice at a major law firm that you would also get big tech. But that obviously is also immediately the criticism that he receives. Oh, it's a big tech lawyer taking over at the helm of the supervisory authority.
Ralph: I've already seen that from Noyb. I think Noyb commented on that almost straight away.
Paul: Yeah, there are some others. And I understand the criticism. At the same time, I've met him, I've worked with him in the past, and I'm more than happy to give him the benefit of the doubt. And I'm really happy that we have actually a data protection lawyer who will be at the helm of the supervisory authority.
Ralph: No, it is interesting. I've been working in the UK, and we've had similar criticisms as well. William Malcolm, who was working for Google for a long time, moved into a regulatory role at the ICO, for example. It is interesting because you're going to work together with a lot of big tech companies, and therefore big tech will obviously have a valuable perspective. With the Irish regulator, we saw people from big tech move in.
Paul: Those were coming directly from big tech and not one step removed as their independent, I would say, lawyer.
Ralph: The digital omnibus, we saw that being headed by somebody from big tech as well. So there is a sort of an opinion out there about regulatory capture. I totally take your point about a law firm being one stage removed even if instructed by. Yeah, something to think about.
Paul: Well, on the topic of regulators, I don't think we've spoken yet about what's happening at the Information Commissioner's Office, or should I say the Information Commissioner? Yes. Or the Information Commission. I'm confused.
Ralph: Where do we stand? Okay, so in the UK, actually legally we have an Information Commission and an Information Commissioner's Office at the moment, but there has been no secondary legislation passed to transfer the assets from the Information Commissioner's Office to the Information Commission. So technically the ICO and the IC are running at the moment. It's just that we haven't transferred assets and power from one to the other. So we've got two regulators at the moment. But we'll see what happens as we go on. But I think you're of course referring to John Edwards. John Edwards was, after his speech at IAPP, where he said it would be his last speech as the commissioner. I think at the time we were all referring to the fact that he was going to become the chair of the Information Commission and his tenure was going to run out in January 2027 anyway. Now, I think we're going to have to draw everybody's attention to a letter that's gone from Paul Arnold, who is the CEO of the Information Commission, to Parliament. And that letter states that John Edwards has voluntarily stepped back from his duties pending an HR investigation. Now, we have to be very clear here. Due process has got to happen. Innocent until proven guilty, and until there's an outcome of the investigation, perhaps we shouldn't talk about things too much. But obviously it is of note that John Edwards is not allowed into ICO premises or to interact with the staff apart from his private office. And in the meantime, it's business as usual for the ICO, because Paul Arnold, who was appointed as the interim CEO on that transition to the Information Commission, has taken the helm, as you would do under delegated powers in the ICO's absence.
Paul: Yeah, indeed. And first I'm sorry for John that this happens. Even though he and I have not always seen eye to eye, these kinds of things are always, whatever the outcome, a personal trauma. I hope it will be over soon and that there will be a clear decision one way or the other for all people involved. If there is more news on this, we will keep you posted. I do admire the fact that there are no rumors whatsoever about what would have happened, could have happened here. So it's clearly a very professionally run, close-hold investigation. And let's hope that they keep it that way.
Ralph: Yeah, even in the letter from Paul Arnold to the Department of Science, Innovation and Technology Committee that sort of looks after the ICO, it was more about reassurance of service continuity than personnel matters that should probably stay personal, of course. You'd hope that the Data Protection Commission, or the ICO in our case, would understand the nature of personal data confidentiality. So yeah, I don't think it's right to speculate, but at the same time, it is relevant to the development, especially as in the UK we go through that time of transition, moving from one to the other. On the basis of news at the ICO, there are a couple of short updates that I can give. However, on the 19th of June, we're going to see more commencements of the Data Use and Access Act, and that is to have a data protection complaints process. Now, my argument has always been that they should have had one in the first place. But this is a requirement on controllers to have a formal process that individuals can press the button on, where they have to respond and at least acknowledge the complaint within 30 days, go through the complaints process before they can contact the regulator. So you might well consider it a retrograde step because it's an additional hurdle for the data subjects, they can't go straight to the regulator. But equally, the regulator has actually published guidance that said if it's serious enough, they would consider it. So I'll take that sort of point with a pinch of salt. But in terms of business as usual, there are two more updates from the ICO.
One today was actually a Glasgow-based energy company, 160,000 for unsolicited marketing calls without checking the Telephone Preference Service or the Corporate Telephone Preference Service, which resulted in a number of complaints to the regulator about essentially unsolicited communications, unsolicited phone calls, and that resulted in a 160,000 marketing fine under PECR, which is our implementation of e-privacy. And the other bit of guidance that the ICO has put out recently is, I think, somewhat controversial. As with the Data Use and Access Act, the ICO has got a new mission, or the Information Commission will have a new mission. And the primary of those four missions is to promote the economy and innovation. And so they have issued some advice to government on how to change PECR, Regulation 6, which is about consent requirements for online advertising and cookies and things like that. And they have recommended, this is William Malcolm's statement again, that they've recommended changes to the government on how to change Regulation 6 to have better uses of advertising technologies that allow low-risk forms of online advertising to operate without consent, whilst continuing to require consent for advertising that involves intrusive tracking and profiling. So an interesting piece of advice from the regulator on how to use technology and change the law in a way that, in my opinion at least, would erode the current state of the law. That hasn't gone down well, as you can imagine.
Paul: Yes, I can imagine that. More money to be paid, in this case in Spain, a total fine of 120,000 euros to Tiger Media Incorporated, which is an operator of an adult advertising network. And they were relying on legitimate interest for their cookies and the subsequent processing. The regulator rejected this because they say no, non-essential advertising cookies require consent. So legitimate interest cannot repair an unlawful cookie deployment. And this is notable because the AEPD, the Spanish Data Protection Authority, also treated the advertising network itself, and not only the publishers using it, as a controller under data protection law, responsible for all the downstream processing. So even though Tiger Media argued that it's only the publishers responsible for consent collection, the AEPD concluded that the network determined purpose and means, and therefore, in line with Planet49 and also other case law from the Court of Justice, they are actually directly responsible for compliance. There was also the small issue of this being adult advertising. Even though no special category data was explicitly processed, browsing in this context would be sensitive because the cookies related to visits to adult content websites, which of course may still imply certain sexual preferences, which in turn would be a special category of personal data, and that increased the gravity of the infringement and therefore also the fine calculation. Finally, the AEPD also said that Tiger Media failed to appoint a valid EU representative under Article 27 GDPR, because their representative was in Northern Ireland, which the AEPD friendly reminded everybody is not part of the European Union anymore since Brexit. So also for all the other companies out there thinking, oh, but I have a UK representative, that's enough, isn't it? It is not, and it is also enforced.
So 70,000 euros in fines for the unlawful processing of the cookies, 50,000 for the Article 27 violation, so the non-appointment of the EU representative. In the end, that was reduced to 72,000 because the company admitted liability and paid voluntarily. But on top of the fine, there is a compliance order. Everything needs to be shipshape within three months of the fine.
Ralph: Okay. And again, it's interesting to see EU representatives being included there. Again, not something you often see enforcement on. So that's really interesting. I do know one of my friends who runs a representative company, he'll be quite happy to see that judgment. Does he run it on mainland Europe or in the UK? Both actually, and in Switzerland, as it happens, as well. All of which have got representative functions not just across the GDPR, but across all of the other suites of laws as well, the DSA and all of those other European laws as well. Yeah. Don't forget your EU rep or your UK rep or your Swiss rep. Don't forget your rep. Don't forget your rep, indeed. I've got another one here, our good friend AI again, and I'm not going to spend too long on this because I haven't read the entire paper, because the paper itself is 167 pages with two annexes. And yes. What paper are you talking about? This is the European Commission's guidance on high-risk AI systems under Article 6 of Regulation 2024/1689, that we would know as the AI Act, for stakeholder consultation.
Paul: Ah. Seems like that's my reading for the Pentecost bank holiday on Monday.
Ralph: 167 pages, which is interesting. And I think the main thing that I've read that I really like in there is they are really focusing on it again as a product safety element. Yeah. So what is a safe function and what is the failure or malfunctioning state, which I think is an interesting kind of conversation to have. And then they go through and try and do a load of classification as to what is and isn't a high-risk AI system. I'm not going to speak too much further on it apart from advising people who are utilising AI systems to go and have a look. But also, one of the things that they actually said is, in fact, if you have meaningful human intervention, that doesn't stop it from being a high-risk AI system, which I thought was an interesting one. Just because you've got humans involved. So from the GDPR point of view, we'd say hey, if you've got humans in the loop, then automated decision making, it says you cannot do it solely without humans, right? Whereas in the AI Act, it says just because you've got humans in the loop doesn't stop it from being a high-risk AI system. And I thought that was a really interesting point to bring out and note there.
Paul: Yeah, agreed. Let's briefly turn to the US. I have a nice case from California. We already knew that California was looking quite a bit at car privacy and driving data and things like that. They have now announced that they have reached a settlement with General Motors and OnStar following GM's illegal sale of Californians' location and driving data to data brokers. This all happened between 2016 and 2024, part of which falls within the scope of the California Consumer Privacy Act. So that is something that could be enforced, and this is data, consumer data collected by General Motors, such as vehicle speeds, braking, acceleration, parking data, all of that. And that was resold to LexisNexis Risk Solutions and Verisk Analytics, that would then sell it on to car rental services who can then determine, based on all that data, what the risk premium would be for car rental. So the California DPA concluded that this was a violation of the CCPA because there was improper notice, there was a violation of the purpose limitation principle, a violation of the data minimization principle, and it was also misleading consumers about data sales to data brokers. GM and OnStar have to pay 12.75 million euros in fines, but on top of that, they need to stop selling driving data to any consumer reporting agencies for five years, including any data brokers, obtain consent before collecting, using, or disclosing driving data, give consumer privacy notices during the enrollment process for such features, enable consumers to disable GM's remote collection of all data from their vehicles, and develop and maintain a privacy program for five years. So it is a pretty steep and encompassing settlement, I would say. Somebody at GM must not be happy with this.
Ralph: No, indeed. And from America, there's one that's got the potential to be even bigger as well. New Mexico, they have found Meta Group in a second phase of a lawsuit brought by their attorney general. Not only have they found them liable for child safety failures up to $375 million. The state has also petitioned for another legal sanction against the company, ten times the original amount, which could be $3.7 billion in an abatement plan. And again, they're stipulating that the money would fund programs for law enforcement, mental health services, and educators. So they've even said where the fine would go. And not just that they want the money, but they want the judge to force a series of design changes to improve child safety, including, big sigh, universal age verification, decryption of children's messages, a guardian account linked to every child account, and a child safety monitor tasked with holding Meta to account. Now I like the last one, the child safety monitor, but the other ones do seem to almost violate the privacy of the child, in that sometimes we look at children as a risk category. I totally agree we should try and protect children as a vulnerable category of data subject, but I think sometimes we forget that they're autonomous beings with feelings in themselves that sometimes may need a safe space free from parental supervision. Whilst I fully support their sort of child safety online, at the same time, collecting more data on all of us for age verification and children's safe spaces, not necessarily in my wheelhouse. You may feel differently.
Paul: I do not. And I actually have something about children's data as well, in a far more, well, an even more serious context, I would say. And that is the law enforcement context. The Coordinated Supervision Committee of the EDPB, which is responsible for supervising Europol and Eurojust and other EU-based agencies dealing with law enforcement matters, has investigated Europol's processing of the data of minors under 15 as suspects or potential future criminals. And this has a reason. The evaluations done on a regular basis of what data Europol has show that there is an increase of data related to minors under 15 in their systems. And that in turn is because we see that minors under 15 are more and more involved in serious crime across the European Union, mainly fireworks-based bomb attacks, arson and those kinds of things, but as part of large criminal networks. That's a concern all over Europe. So it means that Europol has a title to investigate. But obviously, Europol may only process minors' personal data if that is strictly necessary and proportionate for preventing or combating serious crime within their mandate. That applies to all under 18s, but certainly for under 15s. And labeling these children as suspects or potential future criminals could also have a stigmatizing effect. The investigation showed that indeed categorization sometimes is weak in Europol systems, that records are not always well kept. Some minors were labeled as suspects despite apparently only having peripheral involvement. And also the national logs of what had been sent to Europol are lacking. So this is not just a Europol issue. This is also an issue with the national police forces sharing data with the European police agency. So there needs to be better documentation of why the data is actually in the system.
There needs to be stronger data quality and data quality controls, and also better processes to correct inaccurate age data to ensure that this is not turning into something that it shouldn't be, stigmatizing these children. Originally, the intention was that this would have been a one-off exercise, but there are now plans to make this part of structured supervision, at least until matters are a little more under control.
Ralph: I feel a blog post coming on. It's probably too much for the podcast. It'll be on seriousprivacy.co.uk by the time this episode. I can assure you of that. Three very small ones. Louisiana's comprehensive privacy bill. Looks like it's being voted on as we're recording. I'm sure K will tell us more about that. The US Take It Down Act has entered its enforcement phase. So that's an interesting one. And a little bit of news for data protection professionals, because you're of course listening to the PICCASO Award-winning Serious Privacy Podcast, is that even though we won last year, the world keeps turning, and the PICCASO Award nominations are open for 2026, and so too are the PICCASO Africa Awards. Yes. Are open for 2026. Which you might find has developed a new judge recently. Would that judge be a co-host on this podcast, coincidentally? You never know. We'll see what happens, shall we?
Paul: Completely respectable and non-bribeable, obviously. Indeed. So maybe to wrap up, our friends at OpenAI have also been under investigation by our better friends from Canada. The Office of the Privacy Commissioner of Canada, Alberta, British Columbia, and Quebec have jointly investigated OpenAI following some complaints that the company, and especially ChatGPT, would engage in data collection and processing without valid consent. And indeed, the finding was that OpenAI is overcollecting users' personal data to train their models, including sensitive information, does not have valid consent from users before collecting that information, does not have any mechanisms to verify the accuracy of the information contained in the outputs, fails to provide effective access, correction and deletion mechanisms, and failed to demonstrate accountability before launching ChatGPT. I don't think anyone would consider that this is a surprise, at least these findings. OpenAI has made some commitments and will implement further safeguards in new ChatGPT models. It's unclear as yet if that will only apply to Canada or whether they will be responsible and make those safeguards available in all countries.
Ralph: Yep. We'll see how that pans out. I guess we'll see how that pans out.
Paul: And on that deep sigh, we end another episode of Serious Privacy. Thank you all for listening. Until next week, goodbye.
Tim: Goodbye. Now that was Serious Privacy. Please subscribe on your favorite podcast app and leave us a review. You can find us on LinkedIn, Instagram, and BlueSky at Serious Privacy. Feel free to drop us a question or a comment. We'd love to hear from you.