Serious Privacy Podcast – Privacy’s Perfect Storm: A Technical Tempest in a Teapot – or Not? (with Stuart Brotman)

episode 36

Events happen occasionally that reinforce each other in such a way that the sum of things is worse than you could ever have imagined: a perfect storm. You may very well say that 2020 is a perfect storm in itself. And who knows what November and December may bring. This week, Paul Breitbarth and K Royal invited Stuart N. Brotman, author of Privacy’s Perfect Storm: Digital Policy for Post-Pandemic Times.

Brotman took the notion of the perfect storm as the basis for a book about privacy, data protection, the digital economy and the fight against COVID-19. The book contains a series of reflections on a wide range of issues, outlining the author’s views and ideas on the way forward. He just completed a term as a Fellow in the Science and Technology Innovation Program at the Woodrow Wilson International Center for Scholars in Washington D.C. The essays in his book sparked quite the conversation.

Listen in as we speak on a variety of topics – one of which immediately stood out: Why Discussing Digital Privacy Now Belongs at the Kitchen Table (on page 19), given Paul and K’s ideal for the Serious Privacy podcast to be those casual conversations one would have at Paul’s kitchen table, or K’s back porch.  But in addition, some essays grabbed attention to discuss, such as the one on digital trust being essential for data privacy protection and the one on millennials teaching grandparents about internet safety. We discussed so many topics – from public-private data sharing to password management. This episode can be heard on our website or streamed below.

TrustArc Wins 2020 CyberSecurity Breakthrough Award


TrustArc announced that its Privacy Management Platform has been named the winner of the “Compliance Software Solution Provider of the Year” award in the fourth annual CyberSecurity Breakthrough Awards program conducted by CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies and products in the global information security market today.

“Only TrustArc can deliver the depth of continuous privacy intelligence, coupled with a fully-automated platform for end-to-end privacy management, that’s essential for navigating today’s ever-changing digital world,” said Chris Babel, CEO, TrustArc. “TrustArc continues to drive the privacy industry forward, continuously adding new solutions to its comprehensive Privacy Platform, backed by more than 20 years of experience helping Fortune 500 companies manage their privacy and compliance. We’re honored to be recognized again this year by CyberSecurity Breakthrough.”

The mission of the CyberSecurity Breakthrough Awards is to honor excellence and recognize the innovation, hard work and success in a range of information security categories, including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Email Security and many more. This year’s program attracted more than 3,750 nominations from over 20 different countries throughout the world.

“With the recent additions of the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), mapping out and managing the hundreds of laws and regulations is an incredibly complex endeavor for any organization,” said James Johnson, managing director, CyberSecurity Breakthrough. “TrustArc empowers organizations to combat these complexities with a robust platform that can manage a broad range of privacy management needs, including data inventory, risk assessments, tracker monitoring, and, most importantly, compliance. We are thrilled that TrustArc is part of the esteemed winners’ circle once again this year and we extend our congratulations to the entire TrustArc team for their well-deserved industry recognition.”

Key features of TrustArc’s Privacy Platform include:

  • Risk Profile: deeply understands global data risk considerations, continuously monitors and aggregates risk, and delivers mitigation recommendations for both inherent and residual risks of business processes, systems, third parties and company entities.
  • Intelligence Engine: powered by proprietary algorithms across the TrustArc platform based on privacy, data governance and security standards to automate, simplify, and tailor privacy program development and maturity, compliance and risk management for organizations of all sizes and across industry sectors.
  • Privacy Profile/Dashboard: simplifies privacy management through an intelligent, easy-to-use interface by providing actionable compliance guidance based on an automated review of key company information.
  • Data Inventory Hub: creates a detailed, up-to-date inventory of data collected along with visual data flow maps of all business processes. Proven data inventory best practices are engineered into the system to record information about the data collected and generate compliance reports.
  • Assessment Manager: built on powerful technology that identifies where and why certain practices don’t align with regulations, and defines the path to remediation.
  • Cookie Consent Manager: addresses cookie compliance with an application that makes it easy for consumers to provide consent for the collection and use of their personal information, helping businesses ensure consumer trust.
  • Individual Rights Manager: designed to help companies meet compliance requirements, minimize risk and build trust with customers.

About CyberSecurity Breakthrough
Part of Tech Breakthrough, a leading market intelligence and recognition platform for global technology innovation and leadership, the CyberSecurity Breakthrough Awards program is devoted to honoring excellence in information security and cybersecurity technology companies, products and people. The CyberSecurity Breakthrough Awards provide a platform for public recognition around the achievements of breakthrough information security companies and products in categories including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Web and Email Security, UTM, Firewall and more. For more information visit

New European Case Law Clarifies Bulk Collection Requirements by Governments


Those following the legal debate since the Schrems-II decision are well aware that one of the main arguments on the U.S. side is that the European Union should not only look at third countries’ surveillance practices, but also at its own. The typical response is that this is not possible, because national security is excluded from the competences of the EU and thus cannot be legislated by the European Commission. A series of new judgments from the Court of Justice of the European Union (CJEU) does, however, shed some new light on the matter.

The judgments, released on 6 October 2020, relate to four cases*, criticising legislation that allows the national security agencies in the United Kingdom, Belgium and France to collect communications traffic data on the basis of an exception in the ePrivacy Directive from 2002. Following the terrorist attacks in Madrid and London in 2004 and 2005, the European Union created a general data retention scheme for telecommunications data, which has since been struck down by the CJEU for not complying with the fundamental rights to privacy and data protection. National laws creating a similar scheme, whether based on the EU scheme or on a Member State’s own initiative, have also been annulled by the CJEU. In the current cases, the questions put to the Court included whether it was possible at all to collect telecommunications traffic data in bulk and, if so, under what conditions.

The judgment of the CJEU

Most importantly, the CJEU has confirmed in both judgments that the transmission of personal data from a communications service provider (i.e. a telecom or internet service provider) to a government authority, including to the national security services, is covered by data protection law. In this specific case, it is the ePrivacy Directive that applies, but read in the light of the GDPR. Since a transmission constitutes a data processing operation, the Court explains, it means that the communications service provider – the data controller – would need to comply with the requirements of the ePrivacy Directive and its national implementations. That includes the general aim of ePrivacy to ensure the confidentiality of communications. It is not relevant in this instance that national security is excluded from the remit of EU legislation, according to the Court, since national security is not the main reason the ePrivacy Directive exists.

National security could, however, be a good reason for limitations to the confidentiality requirement of the ePrivacy Directive. According to the Court, this is possible as long as the essence of the fundamental rights to privacy and data protection, among others, continues to be respected. An unlimited and continuous collection of telecommunications data is not allowed, since that goes beyond what can be seen as strictly necessary in a democratic society, and could also have detrimental effects on the life people want to live. They may stop doing things for fear of being under constant surveillance, thus causing a chilling effect.

What would be allowed is a time-restricted collection of telecommunications data in case of a genuine and present or foreseeable grave threat to national security. In theory, the Court would allow the data collection under these circumstances to be indiscriminate (i.e. covering everyone), but it makes clear that it prefers government authorities to put in place objective criteria to narrow the scope of data collection, for example to a specific group of people or a specific geographical location. As to the time restrictions, the Court explains that the duration of the collection should be foreseeable, and that regular reauthorizations, based on a renewed necessity check, should take place. For such collections of telecommunications data, governments should ensure that there is a possibility for a judicial or administrative review, with binding effect, especially with regard to the existence of the genuine and present or foreseeable grave threat to national security.

As long as the data collection is limited to the registration of the IP address at the source of a communication – but without the link between IP addresses being documented – the Court provides more leeway, but still imposes a time restriction. The documentation of the personal information (name and address) of electronic communications users is even less restricted, and can generally take place, since it would not really contribute to the chilling effect. These two data types could therefore also be processed for other purposes, such as the fight against serious crime.

Why is this relevant?

The judgment of the Court is mainly directed at the governments putting in place legislation on the collection and use of telecommunications data. So why is it relevant for companies? 

In the first place, this is the first time since the Schrems-II decision that the Court has assessed laws against its own threshold. Paragraph 65 of the Privacy International judgment states that “the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned”. In other words: if mass data collection is taking place, the same law should also provide for the safeguards for individuals. In the Privacy International case, the Court held this criterion was not met, since there is no limitation to the data collection – not in time, not in location, nor in the group of people whose data are transmitted to the security services.

Secondly, both judgments show that the CJEU does not only criticize the legislation of the United States, but holds the EU Member States to the same standards. Unlimited data collection without access to binding judicial or administrative review is also prohibited in the EU Member States, because it interferes with the fundamental rights to privacy and data protection beyond what can be seen as necessary in a democratic society. In addition, in these cases the Court has provided further clarity on the assessment criteria for government interference. It has made clear that in case of a serious and immediate threat to national security, for example because of a suspected imminent terrorist attack, much more would be allowed when it comes to data processing than for regular law enforcement or other government interests. In short: the data collection should be necessary and proportionate, and be accompanied by safeguards to protect the rights and freedoms of individuals.

* The CJEU released two judgments. One in the case Privacy International v. Secretary of State for Foreign and Commonwealth Affairs and others (C-623/17), and one in the joint cases La Quadrature du Net v. Premier Ministre and others (C-511/18 and C-512/18) and Ordre des barreaux francophones et germanophone v. Conseil des Ministres and others.

Serious Privacy Podcast – Wicked Privacy: A Frank Discussion on Thorny Topics (with Michelle Dennedy, Ruby Zefo, and Hilary Wandall)

Episode 35

Wicked problems are those without simple answers. They are thorny, complex, multi-faceted issues. This episode of Serious Privacy by Paul Breitbarth and K Royal was pre-billed on social media as “talking anarchy” and “Serious Privacy-ing.” In this episode, guests include Uber CPO and frustrated comedian Ruby Zefo, Godmother of Privacy Engineering Michelle Dennedy, and TrustArc’s General Counsel Hilary Wandall.  Given the breadth and depth of the experience combined across this guest list, the topics were broad-ranging and far-reaching. 

Listen in as we delve into wicked problems and solutions addressing women in privacy, ethics, global privacy standards, social justice, and privacy engineering. In particular, we discuss our guests’ experiences in navigating these topics and how our guests themselves may have been on the front lines. In at least one area, our guest was the developer of what has now grown into a field within privacy in general. Listen on our website or stream the episode below.  

Recap of San Francisco Public Hearing on CCPA


On December 4th, the California Attorney General’s (AG) office held a public hearing in San Francisco on the California Consumer Privacy Act (CCPA). The hearing provided the public with an opportunity to take part in the CCPA rulemaking process. The rulemaking process is governed by the California Administrative Procedures Act, which requires the AG to solicit comments from the public through hearings and in writing. The AG considers all comments, makes revisions to the proposed regulations where appropriate, and posts another draft of the regulations for public review and comment. The San Francisco hearing took place at the Milton Marks Conference Center, where the room was packed with approximately 175 attendees, including TrustArc team members.

Representatives from the Office of the California AG started with a brief introduction and then allowed for pre-registered speakers to make their comments. With over 20 speakers, the public hearing lasted almost two hours and covered a wide range of CCPA-related topics and concerns. Below are some highlights from the hearing:

Individuals representing two different Bay Area credit unions spoke on the difficulties of complying with the complexities of the CCPA with a small staff and limited resources. Both asked for the enforcement date to be extended to January 1, 2022, pushing the date back two full years. Extending the enforcement date would allow them the time needed to “get it right the first time,” they argued.

One of the co-authors of the CCPA text also spoke during the public hearing. He argued that the CCPA’s fifteen-day grace period for companies to process opt-out requests was simply too long, and the requests need to be processed immediately, up to 72 hours at the latest, adding, “If [a company] is able to start selling immediately, they should be able to stop selling immediately.” 

A representative of an SF-based technology company criticized the “out of date” toll-free phone number required for CCPA compliance, especially for companies that conduct business solely online. She said the unnecessary requirement is expensive for companies to maintain, even if they do not receive a single phone call. She argued that companies could also become the targets of robocalls designed to exploit the way in which toll-free telephone numbers are billed, in order to commit fraud for profit.

Another speaker, a CPO with over 20 years of privacy experience in California, asked the AG’s office to clarify the definitions of “business,” “service provider,” and “3rd party.” She stated definitions were needed for these three terms because they are often used differently within the text of the CCPA.  

A data privacy advocate and former elected official expressed his concern over whether large technology companies will take the CCPA seriously. He commented that based on his conversations with C-Suite executives, attitudes towards the CCPA have been very cavalier, with statements ranging from “I’ll wait until there’s fines” to “I’m retiring soon, so it’ll be someone else’s problem to deal with.” The speaker suggested the AG’s office carry out tight enforcement in order to truly protect consumers.

The §999.315(c) requirement, that businesses treat browser privacy signals as valid requests to opt out, received attention from several speakers. Advocates commended the proposed regulation as giving consumers an accessible method to express their intent, while opponents argued that it would frustrate actual consumer intent. Two speakers expressed their belief that consumer intent would be better inferred through their interaction with an opt-out link or button.

TrustArc is an active participant in privacy conferences, and our team regularly attends policy hearings to help inform and shape our solutions. With privacy experts spanning the world in the U.S., Canada, Latin America, Europe and Asia, our team is at the forefront of the ever-changing privacy landscape. To speak with a privacy expert about the California Consumer Privacy Act, schedule a consultation today!

New IAPP and TrustArc Report Reveals a Majority of Companies Are Embracing a Single Global Data Protection Strategy

Measuring Privacy Operations 2019

TrustArc and the International Association of Privacy Professionals (IAPP) announced the results of new benchmarking research that examines the current state of privacy operations. The research shows that a majority of companies are adopting a single global data protection strategy to manage evolving legal requirements, and that managing the expanding ecosystem of third parties handling data has become a top priority. 

“The data outlined in this study demonstrates, once again, that privacy is not a one-off endeavor,” said Trevor Hughes, CEO and president of the IAPP. “Privacy management is an increasingly complicated industry. As a result, the role of privacy professionals is taking center stage. Our research highlights how they must act as stewards for implementing the processes and technologies required to ensure scalable compliance across an ever-growing ecosystem of data from partners, customers, and vendors.”  

Evolving Ecosystem of Partners, Customers, and Vendors Driving Risk Assessment Processes

Vendor and third-party risk assessments ranked first among privacy assessments globally, with 78 percent of U.S. respondents reporting that they now conduct them. That figure indicates the growing complexity of the ecosystem now impacting compliant data privacy management. 

“The CCPA will be the toughest privacy law this country has seen to date, expanding the rights of consumers and their data,” said Chris Babel, CEO of TrustArc. “This survey reinforces what we continue to see and hear from our thousands of customers: that privacy management is getting more complex. That’s why we continue to lead the charge in building the technology solutions and enabling the infrastructure integrations necessary to make compliance automated and scalable.”

To understand the different types of privacy operations across regions, company size and industry, TrustArc and the IAPP surveyed close to 350 privacy professionals in the U.S., EU, UK and Canada.

Key findings from the survey include:

U.S. companies comply with more laws than their EU counterparts, which focus primarily on the GDPR

  • 79% of respondents report complying with two or more privacy laws, while only 16% are focused on just one. 
  • 10% report actively working to comply with 50 privacy laws or more at once, while 13% are working on 6-10 laws, and another 13% on 11-49 laws.
  • EU respondents were more likely to report actively working to comply with five or fewer privacy laws, while U.S. respondents were more likely than their EU counterparts to be complying with 11 or more laws.
  • Significantly more EU+UK respondents (81%) conduct Data Protection Impact Assessments as compared to U.S. respondents (53%). 

Majority pursuing a single, global data protection strategy 

  • 56% of respondents across all geographies are working toward a single, global data protection and privacy strategy for data subjects’ rights. 
  • Only 28% of U.S. companies and 21% of EU+UK companies categorize data subjects by jurisdiction and geography and handle each data subject’s data according to the laws that apply to that individual.
  • More EU+UK respondents (22%) than U.S. respondents (11%) report serving customers in only one region.

Growing complexity is driving operational changes to privacy programs

  • 47% updated their website’s cookie policy and 80% updated their website’s privacy policy one or more times in the last 12 months. 
  • 42% deleted personal data more regularly; more so among EU+UK respondents (56%) than U.S. (44%).
  • 21% converted from an opt-out to an opt-in email marketing strategy across geographies; vastly more so in the EU+UK (30%) compared to U.S. respondents (13%).

To download the complete findings, click here.

About the Research

The survey was fielded in the fall of 2019 to the IAPP Daily Dashboard newsletter, which reaches more than 60,000 subscribers from around the globe. The results are based on responses from 327 privacy professionals (primarily in-house in privacy, legal and compliance functions) based in the U.S. (43%), EU/Non-UK (24%), UK (13%), Canada (9%), Asia (4%) and Other Countries (7%). Company size ranged between 1-250 employees (25%), 251-1,000 (17%), 1,001-5,000 (20%), 5,001-25,000 (19%), and 25,000+ (19%). Respondents represent a variety of industries, split between sectors traditionally regulated for privacy (e.g. health care, financial services and banking, insurance) at 35% and sectors traditionally not subject to privacy regulation (e.g. technology and software, manufacturing) at 33%. Those working in legal or consulting services made up 16% of respondents, with another 11% representing governmental or non-profit organizations.