Serious Privacy Podcast – Fast & Furious: About Start-ups, FinTech, Cars, and Privacy (with Filip Johnssén)

Episode 37 1

Technology around the world changes quickly – fast and furiously. Unique companies solving problems we did not realize we had are hitting the market. For example, the development of always connected mobile devices has fundamentally changed the global banking system. Where before in many parts of the world people were devoid of having a bank account, nowadays a smartphone gives them access to financial services wherever they are with mobile payments, cryptocurrencies, and  fully virtual banks.

In this episode of Serious Privacy, Paul Breitbarth and K Royal host the DPO for Klarna, Europe’s biggest fintech unicorn, valued at over $10 billion, Filip Johnssén. Filip is a seasoned DPO, who prior to Klarna worked for Säpo, the Swedish Security Service, as well as Sandvik, a high tech and engineering company. Given his experience, it is no wonder the topics vary widely.

Listen in as Filip shares his experience working for a startup tech company, which takes an unusual approach to the modern market experience. In addition, we discussed challenges of financial tech crossing international boundaries, personal interests, and authoring several successful books. We also delved into consumer rights and how to manage those across myriad laws. He is currently working on a practical manual for DPOs (link below). In addition, Filip co-hosts his own privacy podcast Dataministeriet, together with Anders Bäckström.  Also check out Klarna’s video privacy notice, which takes transparency to a whole new level.  Lastly, we have a challenge for our listeners of a prior video notice in EU that Filip has been searching for – maybe one of you are familiar with it. This episode can be heard on our website or streamed below.

TrustArc Announces Strong Company Momentum as Organizations Prioritize Privacy as a Strategic Focus

10 22

TrustArc showcased strong company momentum and customer growth over the last year. Customer adoption of the TrustArc Privacy Management Platform increased, and TrustArc strengthened its position as a leading provider of deep privacy intelligence with an expanded partner ecosystem and industry recognition.

Demand for the TrustArc Privacy Management Platform reflects a growing need for strategic privacy initiatives that help drive businesses forward: A recent TrustArc survey of privacy professionals found that 84% of respondents agree that privacy is a core part of their business strategy, exemplifying the high demand for TrustArc’s technology and expertise.

More than 1,500 customers, including global enterprises on the Fortune 100 list, such as AT&T, Johnson & Johnson, and Merck leverage TrustArc to help implement their own privacy programs. This past year, TrustArc has seen especially strong growth in the financial services and banking, healthcare and technology verticals.

David Bowden, VP at Zwift and a TrustArc customer, stated: “Having a strong privacy program is important to my company because of our global reach as a company, the data we collect, and to verify that everything we collect and process is done in accordance with the law. TrustArc is a valued partner that helps certify, review and ensure that Zwift is handling our players’ data correctly.”

TrustArc Helps Organizations Navigate Complicated Privacy Landscape
Now more than ever, organizations must be flexible and agile as budgets shrink due to the pandemic even as the number of global privacy regulations, which now number more than 900, rises. Even existing regulations are dynamic in nature: Proposition 24 on California’s ballot this November will amend the California Consumer Privacy Act (CCPA) to create more stringent data-privacy requirements for businesses.

“Companies are prioritizing privacy as a strategic corporate initiative that drives brand and business growth,” said Chris Babel, CEO, TrustArc. “To implement these initiatives, companies must develop automated, ongoing, and scalable privacy programs rather than piecemeal approaches. The strong demand TrustArc has seen for our platform and expertise is a testament to the support we provide customers on their evolving privacy journeys.”

Platform Enhancements Allow Enterprises to Focus on Driving Business Forward
In addition to customer growth, TrustArc has paved the way for privacy through platform advancements, which include:

  • The expansion of the TrustArc Privacy Management Platform with Risk Profile, which offers customers a comprehensive view of risk across company processes and third-party systems.
  • A number of enhancements that empower organizations to manage risk and meet the obligations of regulations around the globe, including the California Consumer Privacy Act (CCPA) and GDPR, at scale.
  • Capabilities to help businesses develop ongoing, scalable privacy programs to remain compliant with regulations, including California Consumer Privacy Act (CCPA).

“I chose TrustArc for cookie consent because it is a managed solution that is compliant,” continued Bowden. “That takes a load off the engineering teams and keeps us compliant at the same time. The money saved in not having to create compliance solutions from scratch is well worth it. Additionally, the risk mitigation from using standard solutions such as the cookie managers reduces our engineering and support time. It is a win/win for us.”

Acquisitions, Awards, Partnerships Showcase Industry Leadership
To broaden its breadth of privacy intelligence and bolster its platform, TrustArc acquired Nymity, a provider of business-friendly privacy compliance software solutions. Together, the companies have reimagined privacy by accelerating the development of the next generation of technology-driven privacy solutions.

TrustArc has also developed a broader partner program, which includes relationships with key industry players, BigID and Evident ID. These partnerships bolster the combination of privacy expertise and automation technology TrustArc provides customers to build their ongoing privacy programs.

A number of industry accolades acknowledge the positive impact TrustArc has made on companies pursuing automated, scalable, and programmatic privacy programs. These awards include:

  • Recognition as a Leader by Forrester Research in the Forrester Wave™: Privacy Management Software, Q1 2020.
  • Cybersecurity Breakthrough award for Compliance Software Solution Provider of the Year. The award recognizes the top companies, technologies and products in the global information security market.

To learn more about how TrustArc helps companies put privacy first:

Serious Privacy Podcast – Ferociously Imperfect: Consumer Tracking (with Rob Shavell of Abine)

Episode 37

Putting the evils back in Pandora’s box just doesn’t seem possible – much like reclaiming privacy in today’s datacentric world. This week, Paul Breitbarth and K Royal hosted Rob Shavell, CEO and founder of Abine to discuss consumer privacy controls related to online privacy. Just over a decade ago, the World Wide Web consortium (W3C) started the development of a Do Not Track (DNT) standard, that would limit the way in which people could be tracked between websites. In 2018, the project stopped, because it simply did not gain traction. Now, DNT is back in the form of Global Privacy Control (GPC): a new technical standard to help companies meet the CCPA Do Not Sell requirement and similar requirements around the world. GPC is supported by quite a few companies, such as MozillaBrave, the Electronic Frontier Foundation, and the NY Times.

Listen in as we speak on a variety of topics from the complexities of managing privacy online to the consequences that may arise through enforcement. Rob touches on concepts such as ferociously imperfect laws and controls as well as informed consequential debate. Through these open conversations with privacy professionals and activists, the discussion is unfettered and thus, brings up many elements, such as meetings in Brussels, AI, and being zealous about privacy. Listen to this week’s episode on our website or stream the episode below.

Serious Privacy Podcast – Privacy’s Perfect Storm: A Technical Tempest in a Teapot – or Not? (with Stuart Brotman)

episode 36

Events happen occasionally that reinforce each other in such a way that the sum of things is worse than you could ever have imagined: a perfect storm. You may very well say that 2020 is a perfect storm in itself. And who knows what November and December may bring. This week, Paul Breitbarth and K Royal invited Stuart N. Brotman, author of Privacy’s Perfect Storm: Digital Policy for Post-Pandemic Times.

Brotman took the notion of the perfect storm as the basis for a book about privacy, data protection, the digital economy and the fight against COVID-19. The book contains a series of reflections on a wide range of issues, outlining the authors’ views and ideas on the way forward.  He just completed a term as a Fellow in the Science and Technology Innovation Program at the Woodrow Wilson International Center for Scholars in Washington D.C. The essays in his book sparked quite the conversation.

Listen in as we speak on a variety of topics – one of which immediately stood out: Why Discussing Digital Privacy Now Belongs at the Kitchen Table (on page 19), given Paul and K’s ideal for the Serious Privacy podcast to be those casual conversations one would have at Paul’s kitchen table, or K’s back porch.  But in addition, some essays grabbed attention to discuss, such as the one on digital trust being essential for data privacy protection and the one on millennials teaching grandparents about internet safety. We discussed so many topics – from public-private data sharing to password management. This episode can be heard on our website or streamed below.

TrustArc Wins 2020 CyberSecurity Breakthrough Award

Copy of Cybersecurity Breakthrough Award

TrustArc announced that its Privacy Management Platform has been named the winner of the “Compliance Software Solution Provider of the Year” award in the fourth annual CyberSecurity Breakthrough Awards program conducted by CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies and products in the global information security market today.

“Only TrustArc can deliver the depth of continuous privacy intelligence, coupled with a fully-automated platform for end-to-end privacy management, that’s essential for navigating today’s ever-changing digital world,” said Chris Babel, CEO, TrustArc. “TrustArc continues to drive the privacy industry forward, continuously adding new solutions to its comprehensive Privacy Platform, backed by more than 20 years of experience helping Fortune 500 companies manage their privacy and compliance. We’re honored to be recognized again this year by CyberSecurity Breakthrough.”

The mission of the CyberSecurity Breakthrough Awards is to honor excellence and recognize the innovation, hard work and success in a range of information security categories, including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Email Security and many more. This year’s program attracted more than 3,750 nominations from over 20 different countries throughout the world.

“With the recent additions of the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), mapping out and managing the hundreds of laws and regulations is an incredibly complex endeavor for any organization,” said James Johnson, managing director, CyberSecurity Breakthrough. “TrustArc empowers organizations to combat these complexities with a robust platform that can manage a broad range of privacy management needs, including data inventory, risk assessments, tracker monitoring, and, most importantly, compliance. We are thrilled that TrustArc is part of esteemed winners circle once again this year and we extend our congratulations to the entire TrustArc team for their well-deserved industry recognition.”

Key features of TrustArc’s Privacy Platform include:
Risk Profile: Deeply understands global data risk considerations, continuously monitors and aggregates risk and delivers mitigation recommendations for both inherent and residual risks of business processes, systems and third-parties, and company entities.
Intelligence Engine: powered by proprietary algorithms across the TrustArc platform based on privacy, data governance and security standards to automate, simplify, and tailor privacy program development and maturity, compliance and risk management for organizations of all sizes and across industry sectors.
Privacy Profile/Dashboard: simplifies privacy management through an intelligent, easy-to-use interface by providing actionable compliance guidance based on an automated review of key company information.
Data Inventory Hub: creating a detailed, up to date inventory of data collected along with visual data flow maps of all business processes. Proven data inventory best practices are engineered into the system to record information about the data collected and generate compliance reports.
Assessment Manager: built on powerful technology that identifies where and why certain practices don’t align with regulations, and defines the path to remediation.
Cookie Consent Manager: addresses Cookie Compliance with an application that makes it easy for consumers to provide consent for the collection and use of their personal information, helping businesses ensure consumer trust.
Individual Rights Manager: designed to help companies meet compliance requirements, minimize risk and build trust with customers.

About CyberSecurity Breakthrough
Part of Tech Breakthrough, a leading market intelligence and recognition platform for global technology innovation and leadership, the CyberSecurity Breakthrough Awards program is devoted to honoring excellence in information security and cybersecurity technology companies, products and people. The CyberSecurity Breakthrough Awards provide a platform for public recognition around the achievements of breakthrough information security companies and products in categories including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Web and Email Security, UTM, Firewall and more. For more information visit

New European Case Law Clarifies Bulk Collection Requirements by Governments

10 9 Blog

Those following the legal debate following the Schrems-II decision, are well aware that one of the main arguments on the U.S. side is that the European Union should not only look at third countries’ surveillance practices, but also at their own. The typical response is that this is not possible, because national security is excluded from the competences of the EU and thus cannot be legislated by the European Commission. A series of new judgments from the Court of Justice of the European Union (CJEU) shed some new light however.

The judgments, released on 6 October 2020, relate to four cases*, criticising legislation allowing the national security agencies in the United Kingdom, Belgium and France to collect communications traffic data, on the basis of an exception in the ePrivacy Directive from 2002. Following the terrorist attacks in Madrid and London in 2004 and 2005, the European Union created a general data retention scheme for telecommunications data, that was since struck down by the CJEU for not complying with the fundamental rights to privacy and data protection. Also national laws creating a similar scheme, either based on the EU scheme or on the own initiative of an EU Member State, have been annulled by the CJEU. In the current cases, the questions put to the Court included if it was possible at all to collect telecommunications traffic data in bulk, and if so, under what conditions?

The judgment of the CJEU

Most importantly, the CJEU has confirmed in both judgments that the transmission of personal data from a communications service provider (i.e. a telecom or internet service provider) to a government authority, including to the national security services, is covered by data protection law. In this specific case, it is the ePrivacy Directive that applies, but read in the light of the GDPR. Since a transmission constitutes a data processing operation, the Court explains, it means that the communications service provider – the data controller – would need to comply with the requirements of the ePrivacy Directive and its national implementations. That includes the general aim of ePrivacy to ensure the confidentiality of communications. It is not relevant in this instance that national security is excluded from the remit of EU legislation, according to the Court, since national security is not the main reason the ePrivacy Directive exists.

National security could however be a good reason for limitations to the confidentiality requirement of the ePrivacy Directive. According to the Court, this is possible as long as the essence of the fundamental rights to privacy and data protection, among others, continue to be respected. An unlimited and continuous collection of telecommunications data is not allowed, since that goes beyond what can be seen as strictly necessary in a democratic society, and could also have detrimental effects on the life people want to live. They may stop doing things for fear of being under constant surveillance, thus causing a chilling effect. 

What would be allowed, is a time-restricted collection of telecommunications data in case of a  genuine and present or foreseeable grave threat to national security. In theory, the Court would allow the data collection under these circumstances to be indiscriminate (i.e. covering everyone), but it makes clear it prefers if the government authorities put in place objective criteria to narrow the scope of data collection, for example to a specific group of people or a specific geographical location. As to the time restrictions, the Court explains the duration of the collection of data should be such that it is foreseeable, and that regular reauthorizations – based on a renewed necessity check – should take place. For such collections of telecommunications data, governments should ensure that there is a possibility for a judicial or administrative review, with binding effect, especially with regard to the existence of the genuine and present or foreseeable grave threat to national security. 

As long as the data collection is limited to the registration of the IP address at the source of a communication – but without the link between IP addresses being documented – the Court provides more leeway, but still imposes a time restriction. The documentation of the personal information (name and address) of electronic communications users is even less restricted, and can generally take place, since it would not really contribute to the chilling effect. These two data types could therefore also be processed for other purposes, such as the fight against serious crime.

Why is this relevant?

The judgment of the Court is mainly directed at the governments putting in place legislation on the collection and use of telecommunications data. So why is it relevant for companies? 

In the first place, this is the first time since the Schrems-II decision that the Court has assessed laws against its own threshold. Paragraph 65 of the Privacy International judgment states that “the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself de?ne the scope of the limitation on the exercise of the right concerned”. In other words: if mass data collection is taking place, the same law should also provide for the safeguards for individuals. In the Privacy International case, the Court held this criterion was not met, since there is no limitation to the data collection – not in time, not in location, nor in the group of people whose data are transmitted to the security services.

Secondly, both judgments show that the CJEU does not only criticize the legislation of the United States, but holds the EU Member States to the same standards. Unlimited data collections without access to binding judicial or administrative review is also prohibited in the EU Member States, because this interferes with the fundamental rights to privacy and data protection beyond what can be seen as necessary in a democratic society. In addition, in these cases the Court has provided further clarity on the assessment criteria for government interference. It has made clear that in case of a serious and immediate threat to national security, for example because of a suspected imminent terrorist attack, much more would be allowed when it comes to data processing than for regular law enforcement or other government interests. In short: the data collection should be necessary and proportionate, and be accompanied by safeguards to protect the rights and freedoms of individuals. 

* The CJEU released two judgments. One in the case Privacy International v. Secretary of State for Foreign and Commonwealth Affairs and others (C-623/17), and one in the joint cases La Quadrature du Net v. Premier Ministre and others (C-511/18 and C-512/18) and Ordre des barreaux francophones et germanophone v. Conseil des Ministres and others.