A week in Privacy with fines, new laws, and Snowden!

Please note that this is an automated transcript that may not translate our words exactly. For the correct statements, please listen to the audio.

[00:00:00] Paul Breitbarth: from the parliamentary monsoon session in India to the great Plains and the wonderful state of Oregon in the Pacific Northwest this weekend privacy episode, K and I will take you on a truly global tour around the world. My name is Paul Breitbart. 

[00:00:27] k: I'm K Royal and welcome to Serious Privacy. So I'm excited about this week, Paul, because I haven't talked to you in a couple of weeks cuz I was on 

[00:00:37] Paul Breitbarth: were on vacation. I was traveling before that. So it's it's been a while. It feels like we haven't met in a while.

[00:00:43] k: it's been a minute, right? It's been a minute. Let's go with unexpected question of the week. What was your favorite day this week? 

[00:00:51] Paul Breitbarth: The week isn't gone yet.

[00:00:53] k: I know, right? It's just Wednesday. For all of you who don't know, we typically record on Wednesdays. Then we try to release by the next Wednesday. Of course, y'all have gotten some of those releases where something came out, usually earth shattering, usually in Europe, and Paul reads and assesses it before I wake up, and then he's like, jump on a call.

We gotta record this and release it, and we'll release it the same or next day. Not the case here, so. . .

[00:01:20] Paul Breitbarth: No. Favorite day this week? Well, if you consider the week starting on Monday, then probably was my favorite day

[00:01:27] k: because it

[00:01:28] Paul Breitbarth: Was final two days of for this academic year at University. But if we can include the weekend, then Saturday was my favorite day of the week because the twin sister of one of my best friends got married.

[00:01:41] k: Oh, congrats to her. fabulous. Weddings are wonderful.

[00:01:46] Paul Breitbarth: It was a lovely beach wedding. We had absolutely lovely weather, which is not always the case in the Netherlands in summer, but this was 26 degrees Celsius. Blue skies, a nice beach, slight breeze. So sheer perfection.

[00:02:01] k: Oh,

that is amazing. Well, congrats to her. I wish them the very best. I love weddings. I've been through three of them myself,

[00:02:08] Paul Breitbarth: Well, I actually had two other weddings on, on Saturday night, so I only could attend one. It was a bit of a bit of a mess. You have no weddings for five years and then

[00:02:17] k: three on the same day 

[00:02:19] Paul Breitbarth: but hey, that's the way it goes. So one of my colleagues at Catawiki got married to another friend of mine. I'm not involved in that in any way, but it's nice that the colleague and a friend got married. And then also a colleague from the university got married. So it's been wedding season here.

[00:02:33] k: That's pretty cool. It's nice to see all the weddings when for so long, Over Covid, we heard about so many divorces.

[00:02:41] Paul Breitbarth: Oh, I haven't luckily

[00:02:42] k: Yeah. Divorce lawyers here in America. Were having a ball over covid. Oh my gosh. It was crazy, 

[00:02:49] Paul Breitbarth: I mean, you can imagine if you're stuck in a, in, in a two bedroom apartment or even a one bedroom apartment for the better part of two years that people start to go crazy.

[00:02:58] k: yeah. Then you find out, how much do you really enjoy being with this person? 24 7. 

[00:03:02] Paul Breitbarth: like your privacy?

[00:03:04] k: right? I'd have to say that this week, my favorite day was Sunday. I'm gonna go with that because last week I was on a Disney cruise with the grandkids, both their parents, one being my daughter, my daughter's ex stepmother, and my mom, and I have to say I am over my need to ever go on another Disney cruise in my life.

Done.

[00:03:30] Paul Breitbarth: I can't imagine it sounds exhausting.

[00:03:32] k: It was exhausting. Not to mention that on the first day of the cruise, my oldest grandson, he's four plowed into me and I tripped over an ottoman and thumped my head on a concrete floor. So I have a concussion.

[00:03:45] Paul Breitbarth: Ouch.

[00:03:46] k: And that wasn't fun. 

It was nice and quiet and the dogs were happy to have us back and it was good, but also, This is just a week in privacy where you and I can discuss just what has been developing around the world in the past couple of weeks that we should talk about. we pick up these stories from just about everywhere you can imagine.

Friends alert us to these stories. We see them in the typical news cycles that come through, especially if they're breaches or something world shattering that's announced. We watch the IAPP, we watch TrustArc, that comes up with theirs. Nymity puts out alerts. Of law firms put out their privacy alerts, so we don't know it all. We don't see it all. But we get our news from a lot of the same places you do. But it is exhausting sometimes to try to keep up with everything that is going on. I mean, one of the ones that I picked up this week was the, the Apple expansion of its protections for Nudity detection to combat the child sexual abuse material. They just announced on June 5th. So not, very recent, but not too long ago either. But they had had some tools before that people didn't like because then it means that they would ingest the nudity pictures and everything.

I think that was back in August of 2021. But now they have communication safety scans, and now it will scan it locally on the user's devices to determine the messaging that's there or if there's any photos or videos to send, whether it's through the iPhone contact posters the photos, picker tools airdrop, any of this, but it's on the device.

So Apple itself is not ingesting it. The tool is downloaded on the device, and they're going to turn this communication safety tool on by default for all child accounts. Whenever there's a child under 13 in a family sharing plan, parents can go in and disable the plan. Course, but they'll do that. So this is one of their efforts to be able to help keep kids safe 

 More gaming companies have been getting in trouble for the, the messaging that's allowed within the gaming chats and things like that. And we know that there's a lot of abuse going on there. So I think this is a very positive step. For Apple and enjoyed seeing that development. So that's not something that is, 

[00:06:13] Paul Breitbarth: I very much dislike this. I very very much dislike it. I think it's a very dangerous, slippery slope. It is very intrusive even if it's on device scanning everybody's pictures. In such a way. There is also a big legislative debate here in Europe going on for csem. So the child sexual abuse monitoring Where the European Parliament will voting committee on that legislation tomorrow. 

[00:06:39] k: So you disagree with this if it's on a child's phone?

[00:06:42] Paul Breitbarth: I think it's a very dangerous slippery slope because if it's activated at one place, it's easily activated somewhere else. It's activated by default. So this is not a choice that parents have that to protect their child. This is a technology company imposing a technology without giving a lot of attention to it, it will just be switched on And I think that is a dangerous approach.

[00:07:04] Paul Breitbarth: yeah, and I don't believe that that is way to deal with fundamental rights.

[00:07:08] k: But They had an iCloud photo scanning tool now that I did not like that's even worse.

[00:07:14] Paul Breitbarth: That's even worse. the whole principle, of CSAM goes very much against. What I stand for as a fundamental rights lawyer, the fact that it, that in this case it is for a good cause. But once the technology is there, what's next? And that is the very dangerous, slippery slope that I see.

But hey, we don't have to have this debate right now. In a couple of weeks, we'll actually have two guests to discuss this topic who've been doing also a lot of academic work on this. So stay tuned. Somewhere late July, early August, we'll have an episode on Csem specifically.

[00:07:52] k: Which I am looking forward to because maybe it's just my southern roots, but I'm a little bit more protective. Maybe protective isn't the right word, conservative when it comes to this part on the side of protecting kids, but I can absolutely see the slippery slope that it goes towards. So 

[00:08:14] Paul Breitbarth: And you don't hear me say that we shouldn't protect our children. 

[00:08:16] k: Let me be clear. Paul never said that. He never said that. He said this is a technology that has some scary aspects to it, that it could go much further than the good intent that it's planned for. absolutely. I think it will be a great debate and I'm looking forward to that conversation.

Maybe this will turn out to be another one where y'all, you know, immediately convert me to the other perspective. I don't know, I think there's good points on both sides. If there weren't, it wouldn't be a debate.

[00:08:42] Paul Breitbarth: Exactly. So what else is happening in the US?

[00:08:46] k: Oh my goodness. In the US we got all kinds of crazy stuff going on here. 

[00:08:51] Paul Breitbarth: Any new laws adopted?

[00:08:53] k: in any new law, almost Oregon passed it in both houses. It's headed to the governor. I haven't looked in into the Oregon law yet. I know that if you missed it, Connecticut actually added health and children's data to its law, so. Some of the laws already passed, even though they're not in effect yet, or already Strengthening some of the protections that they have.

So the Oregon one follows the it says the Washington Privacy Act variance. It applies to people that conduct business in Oregon or provide products or services to Oregon control and process the personal data of a hundred thousand or more consumers, or the personal data of 25,000 or more consumers while deriving 25% of their revenue from selling personal data.

There are no exemptions for, nonprofit and I'm not sure if there are exemptions for hipaa. There's data level exemptions but I don't think that it exempts HIPAA covered entities, which, as you've heard me say, I don't like that it exempts entities opposed to data.

I prefer it to exempt the data itself, not the entity as a whole. So like Colorado, it does not exempt nonprofits, although I'm sure like Colorado, it will take some enforcement discretion. But there's some very, very large nonprofits that handle a ton of data significant data. they do have biometric data in there, sensitive data. have the individual rights. All of these are. Absolutely standard that we expect it to. looking to see how it defines sale. It is for money or other valuable considerations. So we're actually starting to see what we can call as some standards across state laws. you heard most of them there. 

So there are some things that we are considering standard, which even though they may differ in a lot of nuances, a lot of fundamentals are the same. So I do like that we are seeing some standardization across it, even though it seems like every state wants to take a new tactic to the laws 

[00:11:05] Paul Breitbarth: right? That is the the, the active word here.

[00:11:08] k: Absolutely. So we have that. What else do we have? So the, the Texas data privacy and Security was signed by the governor. It's in effect July 1st, 2024. was it over a hundred thousand chatGPT accounts were stolen and sold. Sold on the dark web. 

[00:11:26] Paul Breitbarth: wow. Already

[00:11:28] k: Yeah. Yeah. That's fun. We should dig into that one a little bit more. TikTok has actually Divulge that there is data that they have about creators stole stored in China, whereas they had gone in front of Congress and denied that they did any of that. either their, I think it was their c e o that testified in front of our Congress.

So either he lied or he doesn't know. But regardless, they're now storing data in China where they have been all along. So , we have a story out that the State attorneys General are supporting those strengthened HIPAA protections.

We've talked about the comments were due, I think the date has passed now. But there are the California Attorney General Rob Bonta and the New York Attorney General Leticia James, are leading about half the states in calling for stronger federal protections for reproductive health. So they did sign a letter to the Biden administration supporting the amendments to HIPAA in the post row world.

So that's about half the states and you're, you gotta know that they absolutely approached all the states. So that tells you of our divisiveness here in the United States and where we're going. So that'd be interesting to see that one come out as well. What about on your side of the pond before I go look and see what else we have here in the US?

[00:12:45] Paul Breitbarth:  First of a bit further down, down in the world in India. It seems that we may get some movement on the protection bill and I know that we've been saying that for quite a while.

[00:12:59] k: Right. 

[00:12:59] Paul Breitbarth: point, expected the legislation to be enforced in 2021, then it became 2022. Now it's 2023 and it's still not there.

But it has announced that. The data protection bill will be on the Indian Parliament's Monsoon Session agenda. And that starts on 17th July.

[00:13:19] k: Oh, nice.

[00:13:21] Paul Breitbarth: So there will at least be a legislative debate whether adoption is also under cards. Of course, as always remains to be seen because it has been on the agenda before, a data protection bill in Indiana and it was then pulled for disagreement slightly closer to home. new standard contractual clauses, This time from the Council of Europe under convention 108. So that is a big step. Also because of course, as. We know Convention 108 is the first binding global instrument for data protection with adoption well beyond the EU 27 countries.

If they now also start working with standard contractual clauses, that might actually go a long way in also facilitating Global cross border data flows and might actually be another reason for certain jurisdictions to come and join conventional 1 0 8 which also would be really good.

[00:14:14] k: Yes. Yes. And convention 108 is . . .There are professionals that are listening to us that don't understand what exactly convention 108 is.

[00:14:25] Paul Breitbarth: So Convention 108, we have an episode about it. It's the second, the Penn ultimate episode of season two, I believe. Explaining convention 108 in full detail together with the OECD privacy guidelines. But it is the Council of Europe Convention on the automated processing of personal data. Dating back to 1981 with an update several years ago to convention 1 0 8 plus, which is now being ratified by countries around the world.

And it's, it's very similar to what you would see in the gdpr.

[00:14:58] k: Right.

[00:14:59] Paul Breitbarth: All countries could adhere to the convention 1 0 8. And then by doing so, state, hey, we take data protection and privacy seriously. They also commit then to implement a national data protection law that would meet the standards of convention 1 0 8 because it doesn't have direct applicability.

It's just an international treaty between countries. So it is slightly different from legislation like the gdpr, which would have direct effect.

[00:15:24] k: Very good. Very good.

[00:15:27] Paul Breitbarth: So that, about that one. Then we have two interesting finds from Sweden. One you already mentioned briefly in the episode with with Jason Cronk, and that is administrative fee that was imposed Swedish DPA on Spotify. 58 million Swedish kroner, which is about 6 million Euros. Still interesting, fine. And this actually goes back to one of the very first complaints issued by noyb back in 2018 when the GDPR went into effect. So it took almost five years for this fine to be imposed.

[00:16:01] k: Justice is slow.

[00:15:01] Paul Breitbarth: Justice is slow. And this was also probably quite a complex investigation. Also, the Swedish maybe did not really want to enforce in this case, but they were forced to, also a court order.

But the discussion here was how does Spotify the right individuals to access their personal data? Individual rights requests. And whereas Spotify has a tool where you can download a lot of the information it doesn't include all of the information that they should provide.

For example, all the the data is very technical that you can download and it needs to be available also in a way that individuals can actually understand

When you file an access request with also the explanation also in your own language, not just in English. And for those reasons and quite a few others the Swedish DPA imposed fine

[00:16:52] k: Now you know that over the course of five years, companies change their practices or information that might be available to investigate may no longer be available.

[00:17:03] Paul Breitbarth: Yeah, that's true. But at the same time, of course, if you are subject of an ongoing investigation,

[00:17:08] k: You can't delete it.

[00:17:10] Paul Breitbarth: it's implied if not explicit, that you are not to delete the information that is investigation. Changing your policies and procedures and improving your data protection standards is always fine.

And that is also something that we see a lot during DPA investigations, which will then in the end also reduce the amount of the fine or make the slap on the wrist a little lighter. Just because it is recognized that they have made an effort to meet the concerns of the DPA and the complainant.

[00:17:39] k: Right.

[00:17:40] Paul Breitbarth: So this week the Swedish d p a imposed another fine. And this was a 13 million K fine, so about 1.3 million euros to a news website called Buner News for profiling customers and website visitors without consent, and also trying to rely upon legitimate interests.

Finally, I have not dug into this case in full detail. I did find a translation by now. But I also want to look through the three days version, but it's pretty long. And we if we look at some of the summaries that are posted online including one by Valla out of Norway.

She actually explains that this is a decision based on an audit that came after an earlier audit that the Swedish DPA already did and where no sanction was imposed.So the fact that you have been investigated once doesn't mean that you cannot be investigated twice. Always interesting.

Also here it took a long time because the last communication from the A with the data controller was in July, 2020, and the draft report was not sent untilApril of 2023 So that's also quite a while. And apparently this also has some further discussion on what is to be considered as personal data. With the major conclusion, everything is personal data. Surprise, surprise because everything can be identifiable. And apparently also some remarks are made on synthetic data sets that should be regarded as personal data.

So I need to start looking into this in more detail. But in the meantime reus post on LinkedIn is is really useful and we'll link to that in the, in the show notes.

[00:19:25] k: Yep. Absolutely. So, you know, one of the things, and I guess it is news we're reading about it a lot. Do you know how long ago it was that Snowden made his le leaks,

[00:19:38] Paul Breitbarth: Of course that's 10 years ago. As I spent the summer by his side, as they would say in the musical. Not, not really in person, but just with all the documentation was working for the Dutch DPA at time. data protection authorities were much involved in the response to the Snowden revelations.

And my commissioner was also part of one of the expert groups. That the European Commission created at the time, which meant that I had to go through all the stolen documents to actually analyze what the hell was going on there.

[00:20:13] k: Right.

[00:20:13] Paul Breitbarth: It was a good summer project. It took, it took me off the streets that summer

[00:20:20] k: Well, in case anyone is not familiar with the Edward Snowden leaks. was for the US Security. Agency, he was working in Hawaii at an underground lab and he basically did whistle blowing on telephone calls and recording and how information is shared there. Kicked off a lot of privacy conversations and review of laws and practices for the international surveillance. Different things like that quite, quite.

[00:20:53] Paul Breitbarth: of safe harbor and then privacy shield and negotiations like that.

[00:20:58] k: This happened in 2013 and it basically kicked off, you know, the United States interest, biggest interest in privacy and what's happening. Now a lot of people here, in the US still consider him a traitor. They still consider what he did as treasonous. I think he still has pending criminal charges if he was to return. which tells you right now that he is not in the us. I believe he is in Russia 

Married has kids now. I think he married an American, but has kids now and everything. And I heard a few months ago that he was starting to move around a little bit more and you can still get interviews with them. Just typically remotely. not gonna go anywhere that has an extradition to the United States, so other countries who might not want to extradite him anyway.

So it was very controversial and it seems kind of. Interesting that it was only 10 years ago. It at times seems like it was just yesterday, but on the other hand, it seems like, gosh, wasn't that like many, many years ago?

[00:22:09] Paul Breitbarth: Well, it was many, many moons ago because , it, we, the, the world has turned quite a lot ever since. I recall actually in the run up to the Snowden revelations the year before, the summer of 2012 we already had a similar scandal that everybody seems to have forgotten the Washington Post top Secret America debt here.

[00:22:29] k: Yes.

[00:22:30] Paul Breitbarth: Showing that tens of thousands of employees of the security services had top level clearance without even being screened without having the need to access those top level documentation. So and then the year after the Snowden revelations came, so that all a lot fell into place. Also at that time also why the fallout that Washington Post series probably so big because there were so many Yeah, I want, I, I will call them illegal programs going on, behind the scenes in, in and government surveillance in the us.

And no, the US is not the only one. We've had that discussion before. But by whistle blowing at this scale Snowden made a lot of things clear about the very tight relation between big tech and the US government. And I think in the end for privacy and data protection,

[00:23:21] k: It it has meant a lot calls I think were the, the 

[00:23:26] Paul Breitbarth: One of them not, certainly not the only one.

But I think that was a a, a very important, a very important whistle blowing statement that he made that has changed the world, I think for the better.

[00:23:40] k: Yes. Yes. And a lot of it was under the, U S A Patriot Act, which was passed in times of, of nine 11. It was passed hastily. Some people consider it the worst law that the US has ever passed given its impact and its tentacles into everything else. It was passed again, hastily, as Paula and I have said, a lot of legislation is passed response to something horrible happening that gets people's passions and emotions up and they react in order to protect and yeah, there we go.

But anyway.

[00:24:14] Paul Breitbarth: we've had quite a few whistleblowers on, on these topics in recent years. I mean also Chelsea Manning obviously the WikiLeaks page Assange, which also showed a lot of details on how the European deals with intelligent information and embassy information.

But let's also not forget the original. National security leak in the Pentagon Papers.

[00:24:41] k: Ah, 

[00:24:42] Paul Breitbarth: Danielle Berg who passed away a couple of weeks ago.

[00:24:44] k: Oh, that's right.

[00:24:45] Paul Breitbarth: So also there a lot of sudden transparency for things that the government may not have been too happy with.

[00:24:54] k: And And also still not incredibly educated as to privacy rights and how companies violate them. mean, even now where almost every company has someone that. visible in privacy. Maybe not in a lot of the small companies or just state-based ones, but in almost all global companies, there's going to be an awareness of privacy.

If there's not an awareness of privacy, there's an awareness of the need for cybersecurity, They go hand in hand. There's very few cybersecurity laws out there. Almost all the cybersecurity requirements come from privacy data protection laws. But you know, people first look at, yes, we understand privacy, but someone's trying to hack us.

on cybersecurity. That's that they, no one's gonna argue with that, that that's look at that. But if you're following the privacy laws and the restrictions, you may not have as much damage. When you are hacked, and trust me, you're hacked at some level, at some place.

Every company has a breach right now. It just depends on what's the level of that breach and what data do they have that they shouldn't have. And yeah, there's a lot of data that's hacked that is data you absolutely should have, and you need to do your business, even if it's just ransomware at a hospital, if they can't access their systems to make sure the patients have the oxygen.

There is a problem. And you absolutely need that medical data. So there is no easy solution to any of this. But even in light of all of that, it's amazing how little people working in the global companies understand about privacy. This,

[00:26:34] Paul Breitbarth: That's for sure. And at the same time, if we look at all those whistle blowing cases, whistleblowers are important and they

[00:26:40] k: do our protection

[00:26:42] Paul Breitbarth: But it always also makes for very interesting stories. For the Pentagon Papers, there's this great movie, the Post with Meryl Streep and Tom Hanks, I believe,

[00:26:52] k: the worst decisions make the best stories.

[00:26:55] Paul Breitbarth: Yeah, how does, how that, now that hole came about. for Snowden his book, permanent record. I read it a few years ago,

[00:27:02] k: yep. 

[00:27:03] Paul Breitbarth: but it gives a good insight. Yeah. Also gives a good insight in, in his considerations and, and how the whole. Trajectory went from reaching out to the Guardian and Laura Poit, the, the movie maker to get the documentary filmed in Hong Kong before moving to Russia. And

[00:27:19] k: And he Stay in Russia. Let's be honest. He's been very clear, his intention has never been to stay in Russia, but he is, attempts to move to other countries are generally thwarted by the actions of the United States.

[00:27:33] Paul Breitbarth: Yeah, but apparently by now he does have a Russian passport because there was nowhere else he can go.

[00:27:38] k: Yeah, he's there. He's there for all intent. And his kids were born there, so they're, they're citizens, dual citizenship, but citizens. Yeah. It's interesting when you look at this and I mean, is there ever gonna be a world where we're not gonna worry about privacy violations or whether companies are doing the right things with data?

I don't think so. 

[00:28:00] Paul Breitbarth: No, I also, I, I agree that it will be really hard to to have one.

[00:28:06] k: But aren't you kind of sick of hearing people look at you and go, job security,

[00:28:11] Paul Breitbarth: there is some, truth to it. It's not the main driver for me to do what I want to do in this domain because I just, as I just told my students also earlier in the week there is a reason why I stayed with data protection, and that is because I really care about this fundamental right.

And I know the same is true for you.

[00:28:31] k: absolutely. And it's crazy when there are people that are in privacy, data protection, cybersecurity, however you wanna look at it, that are not passionate about it. do it because they know how to do it. it's a good paying job, but they're not passionate about protecting people's data.

[00:28:52] Paul Breitbarth: You know, I think that's fine. Not everybody can have the same passion

[00:28:57] k: Ah, come on.

[00:28:58] Paul Breitbarth: as long as they have a passion for something.

[00:29:00] k: Well, that is true. That is true. But you know, I guess it's true of, of, of attorneys in general. I, I can't speak for non-attorney privacy officers because they come from a wide variety of backgrounds. for attorneys in general, I can say that there are a lot of attorneys that are not passionate about what they do a lot and think

[00:29:22] Paul Breitbarth: that's probably true for most of contract lawyers because. I still don't understand how you can be passionate about a contract. I know there are,some that are that but into it

[00:29:29] k: I know yeah. 

[00:29:35] Paul Breitbarth: and they may not understand why we are so passionate about privacy. So they maybe should listen more to the episodes of Serious Privacy.

I would recommend that to everybody if you want to learn more about being passionate for this topic. So on that note, we'll wrap up another episode of Serious Privacy. If you like our episodes, do like and review in your favorite podcast app or platform. Join the conversation on LinkedIn. You'll find us at serious privacy.

You'll find K on social media as @heartofprivacy, and myself as @EuroPaulb. Until next week, goodbye.

[00:30:09] k: Bye.