Serious Privacy

All messed up and places to go: a week in privacy plus Brussels (with Amit Ghadia)

November 22, 2023 Dr. K Royal and Paul Breitbarth, Amit Ghadia Season 4 Episode 42

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal bring you a different format, comprising separate updates along with Paul’s conversation with Amit Ghadia, a lawyer and a certified Global Data Protection Officer and trainer based in Nairobi with an office in Oxford, UK. 


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is a largely automated transcript. For accuracy, listen to the audio.
[00:10:45] Paul: Hi, everyone. This episode is slightly different from what you are used to, since K and I were not able to find a moment to record together this week. Work is busy, and with some traveling and mixed time zones, we decided to each record our own separate segments to bring you some updates on this week in privacy. 

But as always, my name is Paul Breitbarth. 

[00:00:33] K: And I'm K Royal, and welcome to Serious Privacy. We're going to do this week a little different, as Paul said: we're going to start with Paul, let him give you some updates, a little bit of conversation from his conference. I'll also give you a little bit of updates from my side and we'll go from there. And yes, I realize no unexpected question this week. 

We can pretend that it's a silent question and a secret answer, because, hello, privacy. But we'll just cop to the fact: we don't have an unexpected question this week, so let's take it from there. Paul, you're up.

[00:01:08] Paul: So this week I spent a few days in Brussels in the margins of the IAPP Data Protection Congress 2023. I did not have a speaking slot this year and decided I also did not want to spend a few thousand euros to get into the conference hall this time. And maybe even better, because, as I heard from a lot of people, 

it was really, really busy. But with lots of friends in town and former colleagues, it was still good timing to be in Brussels. The real reason I was there was actually a different event: the Google Data Protection Forum, the day before the Congress. You know, all these events always have lots of side events as well. 

And this time Google organized, for the first time, their own data protection forum, focusing on the privacy side of all their product developments: so the Privacy Sandbox and all the advertising stuff, but also Google Cloud, and how all of that will develop going forward. And I found it really useful, because it was also more of a legal discussion and not just the marketing side that was highlighted. And don't worry, 

I also still have my concerns and questions regarding Google's data processing operations, also some that I will follow up on after this data protection forum. But they also did give me some reassurance about their approach, and I must say I actually liked some of the technological approaches that they have taken, compared, for example, to what Meta is currently doing with their overlay forcing you to choose between pay or okay. 

Google really is trying to do a lot better, in my view. So during the Google event, I also took part in a short panel discussion together with Alex Davies from Jellyfish, and we mainly talked about how privacy teams and marketing teams could and should work together. And I was happy to share more about the risk assessment approach that Catawiki has implemented in recent years, looking at both the business case but also company risks and data protection risks in parallel, and also showing how data protection professionals can support the business in getting things done 

instead of standing on the sideline saying no. Meeting friends and colleagues in Brussels is always fun, and it also means that there was a lot of time to catch up on global developments and line up future guests for the podcast. It's only a few more weeks until season five gets underway, so we better start preparing. So one conversation I particularly look forward to is an update on legislative developments in Australia. You have heard from her months before, and she will join us again 

as soon as the draft of the new Australian data protection legislation is presented to parliament. Another episode to look forward to is a conversation about the EU Cloud Code of Conduct. We spoke about the code before, but they now have made a big step by also getting the third country module done. And this means that for the very first time a code of conduct could be used as a mechanism to transfer personal data out of the EU. I was already excited about this idea when still working with TrustArc and chairing the working group that was preparing the module. 

But I'm even more excited that the work has now been completed. And a big shout out to Thomas and Yelena, who took over chairing this working group, and to Laura, who did the actual drafting together with her colleagues at SCOPE Europe, for completing all of this. And I'm not the only one who is excited, because the third country module received this year's IAPP Privacy Innovation Award for the EMEA and APAC regions. So also here, stay tuned. A third conversation to look forward to is a conversation with Todd Fitzgerald and Valerie Lyons about the compass for privacy leaders that they have just released, a nice book 

to which I was able to contribute. And also there, the book will officially be launched in a couple of weeks' time; it is available already to order from Amazon. But we'll invite them on the podcast in January or in February to have a conversation about what they have actually been doing and how to work with this, because it is a good foundation also to further build out your privacy program. The final catch-up that I had was actually recorded, because I also met with Amit, a consultant from Nairobi, Kenya, who also partners with my colleagues at Maastricht University. Amit and I had to meet outside in the cold, because all bars in Brussels nowadays, at least the ones close to the IAPP, are playing really loud music, 

also during the day. So unfortunately the audio quality is slightly less than you would be used to, but I hope you still like the conversation that we'll broadcast later in this podcast. So what else happened this week in Europe? Well, most importantly, the EDPB had a plenary meeting with some interesting topics on the agenda. There was a meeting with a US delegation on the implementation of the Data Privacy Framework. Think about some practicalities, and who contacts whom in what way 

in case of complaints or concerns. But more exciting is that they agreed to start drafting an opinion on the role of the EU representative under Article 27 GDPR, and we should see the fruits of that in the course of next year. The drafting request was discussed this week, so now the member state DPAs and their staff, and of course the EDPB secretariat, can get to work to really drive this opinion. And finally, and probably also most importantly, the EDPB adopted a first version of a new opinion on the ePrivacy Directive and the cookie and tracker consent obligations. The opinion confirms what a lot of us already knew, but what's continuously challenged as well, 

and that is that it is not just cookies and trackers for which consent is required. Also pixels and other unique identifiers require consent, both online, in apps, but also in email newsletters. So this opinion has now been released for consultation. If you do have strong views here, make sure to read the opinion and send in your comments before December 28, 2023. And with that, I'll hand over to K to give an update on what is happening at her end of the world. After that you can listen to the conversation I had with Amit, and we'll wrap up the podcast for this week. 

[00:17:50] K: So I kind of feel like I should let Paul do the conversation from Brussels first, but you know what? He teed me up so nicely. Let's just go from there. So we didn't have a whole lot that really happened in the past week or so in privacy that Paul hadn't already covered, but a few things on my side of the pond here. 

So the US Attorney General Merrick Garland formally swore in our eight Data Protection Review Court judges; we've been very excited to see this happen. They were James Baker, Rajesh De, James Dempsey, Mary B. DeRosa, Thomas Griffith, Eric H. Holder Jr., David Levi, and Virginia Seitz, these honorable judges. Very excited to see them sworn in. Next, the National Institute of Transparency, Access to Information and Protection of Personal Data proposes to update the federal law on protection of personal data to include new obligations for generative AI. 

So that conversation isn't over yet. Which, by the way, should we mention all the news happening with ChatGPT and the CEO? No. Okay. We won't do that. And last on my side, let's just say the American Hospital Association, Texas Hospital Association, and a whole bunch of others filed a lawsuit against the Department of Health and Human Services. 

Get this: for restricting the use of the third-party tracking technologies, the Meta Pixel and the Google Analytics that we've talked about, saying that HHS has overstepped their authority and that the prohibition of tracking to collect patients' personal health information, protected health information, PHI, will limit the essential services it provides to patients. 

Now I have a little bit of thoughts about that, because where HHS is restricting it is where the covered entities aren't controlling their business associates, I put this in quotes, their "business associates", from misusing the information. It's not that you can't have tracking; it's that you have to have all the controls that go along with it. But more to learn about that later. Let's jump into Paul's conversation in Brussels, and that will be it this week. 

We'll come back and say goodbye and thank y'all. 

[00:09:39] Paul: So this is a recording from Brussels.

We're actually sitting outside in the freezing cold outside the IAPP conference venue, and I'm sitting here with Amit Ghadia, who joins us actually from Nairobi, 

[00:09:50] Amit: Kenya. Hi Paul. Thank you. Thank you, everyone. Hello, good morning, good afternoon, wherever you podcast. Meeting my fellow colleague and a friend, Paul, for the first time in cold Brussels, and I'm

always happy to be back in Brussels for the conference. 

[00:10:12] Paul: So, I mean, the conference is very much about AI this year, less about data protection. What do you make of that? 

[00:10:16] Amit: Having just been to an AI-centric conference in Boston, I think this should have been a bit more privacy centered, but nonetheless, I think it's still a great conference, meeting many friendly faces and making new friends.

Very good. 

[00:10:35] Paul: So you are working on privacy and data protection issues out of Nairobi, correct? What is it like to be a privacy lawyer in Africa? 

[00:10:45] Amit: It's very exciting. And just in case the listeners did not know, Africa has the highest concentration of data privacy laws globally for any continent.

And to my knowledge, when I started going into privacy about five, six years back, when the GDPR was just starting in Europe, there were just three countries, to my knowledge, and Kenya was not one of them. Fast forward five years, we probably have more than 40 countries in Africa.

And most of those countries have modeled their laws around the GDPR, but then there are many important nuances between the GDPR and those countries' laws. 

[00:11:30] Paul: And so, are you mainly focused on Kenya, or are you working all across the continent? 

[00:11:33] Amit: I'm also a global privacy officer, so I do advise mainly in the East Africa region. So that means Kenya, Uganda, Rwanda and Tanzania. Okay. 

[00:11:48] Paul: Yeah. I mean, you say that the laws are inspired by the GDPR, but in the jurisdictions that you are working in, that you just mentioned, are there any notable differences between the laws, or are they still very similar? 

[00:12:03] Amit: Yes. There are several notable differences. I mean, we could sit here the whole day, but to give you just a few highlights. For example, let's start with the requirement of non-conflict for DPOs. Like, under the GDPR, it's not explicitly mentioned that the DPO must not have a conflict of interest.

However, there has been jurisprudence, if I can call it that way, or rulings coming out from the Berlin Data Protection Authority, that there should not be a conflict of interest when a DPO is conducting their duties. In the Kenya Data Protection Act, it's specifically mentioned in the regulation

that there should not be any conflict. Two, data subject access requests are normally 30 days under the GDPR. However, under the Kenya Data Protection Act, it varies anything between 7 to 21 days, which makes it very complicated for international organisations, especially some who are multinationals and are based in Europe and in the UK and US and in Kenya. Three, there is also the issue of data localization. So, for example, the Kenya data protection regulations and the Act specifically mention that certain types of data, especially those which have got strategic state interest, so, you know, anything to do with national security, education, health care, those must be localized within Kenya.

However, one of the difficult parts is that we do not have as many data centers yet in Kenya. There are a few notable ones which are coming up, but there are not that many data centers. So, data localization. But then there are a lot of similarities. So, for example, you know, when you talk about lawful basis, legal basis for processing data: consent, legitimate interest, legal obligation, public interest.

They are very similar to what would be under the General Data Protection Regulation. Principles of data protection, oh yeah, one area where the principles of data protection are different: like in Kenya, family affairs or children's data is actually enshrined as a principle of data protection.

Unlike here, where it may be extra protected. So it's a principle, just like the principles of data protection over here, under the GDPR, but then family affairs are not actually an explicit GDPR principle. But the rest are very similar. 

Paul: Okay. So how did you end up in privacy?

Amit: How did I end up? Good question. I've always been a private person myself. As a DPO, sometimes you are probably one of the most... I'm not the social presence, you're probably not one of the most likely. But then, coming back, getting more serious is when the pandemic hit, five, six years back.

I was actually in the UK with my family. I had been in the legal profession for five years, but then the data protection bill was just going through in Kenya about five, six years back. And then my family lives in Kenya and my mom lives in Kenya. So I decided to then go back to Kenya, live in Kenya,

and of course commute between the UK and Kenya. So I live in both places. My family is resident in the UK, and I had my mom there. So I said, what am I going to go back and do? I looked at the GDPR, and when the GDPR came into force, this is in May 2018, there were consent forms flying around all over, if you remember.

Paul: Oh, I do remember very well. 

Amit: And then I was getting like five consent forms a day. I said, this certainly cannot be the position. So I decided to look more in depth into the General Data Protection Regulation. And that's when I really found my liking for it, that there was a lot of misconception out there.

And I said, I could, given the chance, do a better job. And that's how I ended up in data privacy. And now it's basically my only mode of living. 

[00:16:32] Paul: So you are one of the newer data protection consultants, self-taught. 

[00:16:37] Amit: Yeah, but five, six years in, I'm enjoying it heavily. Right. I've even got my wife going into data protection.

Paul: Right. So it's a family business. 

Amit: It is actually a family business, right? And I'm proud to say my wife is actually a better data mapping expert than I am. 

[00:16:58] Paul: So how is the profession developing in East Africa? Do you see a lot of people like you trying to educate themselves? I know your data protection commissioner in Kenya is really active, really visible, also opening up all kinds of regional offices around the country. Does that also make an impact in the industry, in the profession? 

[00:17:19] Amit: Let's turn to the Office of the Data Protection Commissioner. The office has just been established, I would say, over one and a half years now. But from the time they've been established, they've done a lot of work. They're taking a very practical approach to compliance with organizations.

So, for example, they're not just throwing fines willy-nilly all over the place. It's more about training, awareness, giving organizations a chance. And then, of course, if they still fail to comply, there are fines. They have fined a lot of organizations already, right? And one of the highest fines so far in Kenya has been to do with children's data at a school.

Insofar as the development of the profession is concerned, there is no single training at the moment in Kenya or East Africa-wide where DPOs can train themselves or become more involved in data privacy. It's more or less self-taught. A lot of it is to do with courses done by the IAPP, or other courses from the UK BCS.

So they are, more or less, self-taught. Having said that, I would say the Kenyan data protection community is very intellectual, they're highly academic, they're very much switched on. So if, for example, there is any breaking news in the data protection world, for example a fine, or to do with the ECJ, you know, the European Court of Justice, immediately you get to know about it.

And there is a whole discussion group. So they're very much switched on. 

[00:19:06] Paul: So I think some of our listeners will now think, okay, Kenya, East Africa, but those are still very poor countries with a lot of people living out in the bush. So how would that work? How would they know? Why would they care?

It might be prejudicial; I know it to be prejudicial from having visited Kenya. Yeah. But still, it lives in us. 

[00:19:28] Amit: One thing I'll tell you is, again, that is a bit of a misconception. A lot of the people may live in the bush, may live remotely, but then the Kenyan ethos and culture is very much enshrined around education, culture and family values.

So these are three things, because the majority of Kenyans and Africans generally know that if you really want to get on in life, you've got to educate yourself. So once you tell them that, look, this data is your currency... The only thing is, currently Kenyans are not taking their data as their currency, as their ownership.

They're very easy to give away their data. We had this Worldcoin saga, which I don't know if you've been following. I did, however, have written a couple of articles on it. The one with the Bitcoin equivalent, correct. And then they were taking iris scans. So it became a very big issue in the parliament. But then our parliamentarians, the Senate,

the Office of the Data Protection Commissioner, they quickly arrested the whole situation. But they registered Worldcoin, they're now giving training and awareness courses, and then even the data protection fraternity, I call it the brotherhood and sisterhood, they are now trying to really make sure that most Kenyans are aware that that data is their ownership, their responsibility.

But of course, as you said, it is going to take time, right? It's not going to come overnight. It's probably going to take years, but we'll get there. 

[00:21:07] Paul: Oh, there are, for sure. What impressed me when I visited Kenya last year is that it is actually very well connected, both in terms of physical infrastructure, just the roads throughout the country, but also mobile connectivity.

There are shops where you can buy SIM cards everywhere along the roads in the villages. Compared to other countries in Africa, electricity doesn't seem to be as big of a problem either. It is actually easier to stay connected. Yeah. And also a lot of the payments and reservations for things, all of it is done online.

[00:21:50] Amit: So the payments are done online. All the government services are being done online these days. Even the service levels, and I'll be honest with you, despite being a developing country, a lot of the service levels, especially in the private sector, have become equivalent to the UK or the European standards, right?

So even when you go to the hotels, restaurants, telecommunications, service companies, it's very much at par. Though it will take time, right? Because let's not forget, we are still suffering from, there may be government bureaucracy, corruption, security issues, but there's a lot of improvement.

[00:22:30] Paul: So what about health data? Is that also going online? Mobile phones? 

[00:22:33] Amit: Well, that is a big problem, right? And one thing I can tell you is, our Office of the Data Protection Commissioner, and this is not public knowledge, is they are going to start their audits with public and private institutions, and one of the key areas where they're likely to start their audits on external companies:

one is education, two is health organizations, and three will be the hospitality or telecommunication sector. So you'll see a lot of movement in the health data and health areas. For example, I deal with a lot of health organizations myself, hospitals, doctors, and usually they use WhatsApp for sending health data, because WhatsApp is a very convenient way.

But then I tell them, guys, you know, you really have to be careful, because what's going to happen? WhatsApp is really important. So some of these things, it will come with awareness, and health, sorry to say, health is sensitive personal data, regardless of state. And one of the areas which I also am very happy to see is that Kenya has got, as sensitive personal data, for example property details as sensitive personal data, which is again different from the GDPR.

Also, say, for example, that political affiliation is not sensitive personal data in the GDPR, but it's not in the Kenya data protection law. So you'll even see that next year, political parties and politicians will also be brought to account if they are not in compliance with the data protection laws.

Yeah. 

[00:24:10] Paul: Well, let's hope that will happen. I mean, if I look in the Netherlands right now, we have elections coming up a week from now, on the 22nd of November. In principle, political data is of course a special category of data that's extra protected. 

But you'll also see that a lot of the political parties are now using micro-targeting to find their electorate, and also online advertising, despite all the decisions that micro-targeting should not happen, and that it shouldn't happen, especially with special categories of data. But it still happens. And that is, of course, very strange to see in a Western democracy, that all those political parties are breaching the law. 

[00:24:51] Amit: So that's... Well, I guess, I mean, the question is, who watches the watchmen, right?

If the lawmakers themselves start breaking the law, how are we meant to tell the rest of the wananchi? Wananchi is actually a Kiswahili word for the rest of the population. And I usually like to speak Kiswahili, so I'll explain it. We also had a similar issue in Kenya a couple of years back, where when you log into an eCitizen account, which is your online government portal, this was about three years back, automatically you were actually allocated to certain political parties.

And then the Office of the Data Protection Commissioner came in and said, how do you then just allocate a political party to a certain individual? So why are they using sensitive personal data? What sort of data are they using? Why are they using data? So, I mean, there are a lot of similarities, you know, between what's happening in the Netherlands at the moment and what's happening in Kenya.

Yeah. 

[00:25:57] Paul: So for companies that are looking to expand into East Africa, what recommendations would you have for them when it comes to data policy? 

[00:26:05] Amit: Well, I mean, we could... 

[00:26:10] Paul: Look at my website. 

[00:26:12] Amit: I mean, we could talk about this the whole day, right? Because there are a whole host of them, but first of all is, for example, if you are based in Europe, yes, you will be GDPR compliant, but then when you are entering into Kenya, get local expertise.

Just because your organization is GDPR compliant does not really mean you are actually compliant in Kenya. Two, you will need to register with the Office of the Data Protection Commissioner. Registration is a unique feature of our Kenya data protection law: you don't need registration in Europe, but in Kenya you do.

So, for example, if you have a certain threshold of turnover and you are working in certain sectors, for example, if you work in the telecommunication, health, education sector, you need to mandatorily register with the Office of the Data Protection Commissioner. Three, make sure you have your notices, policies, procedures, to explain.

I mean, these are some of the basics of what you do under the GDPR. Make sure that's followed as well. Yeah. So I mean, so long as you follow some of these basic items, you are good to go. 

[00:27:25] Paul: And you would recommend moving into East Africa, because it's moving? 

[00:27:31] Amit: Absolutely. Right. I would not hesitate twice.

Let not some of these, you know, you hear some of the news on social media, papers, that, you know, this is what the government is doing. I mean, the news sells on negative news, right? Yeah. And that's that. I mean, Kenya is not being exempted. You always see negative news, but there are a lot of positives once you go.

They are also introducing the new, what do they call them, the Maisha Namba, which is a digital identity card, right? Which is a positive step. Kenya is actually the tech hub for East and Central Africa, right, when it comes to, you know, the technology sector; the health sector is doing good.

Although there can be a lot of improvements in it. But of course, let me not let the negatives and the issues, you know, cast a dark cloud over what the positives are. I mean, look, and I'm not being paid by the government and the politicians to say this, but I love Kenya, as I said yesterday.

[00:28:38] Paul: And I'm sure we'll talk a lot more about the developments on the African continent next year in our next season of Serious Privacy. For now, Amit, thank you so much for joining me here. 

Amit: Yeah, thank you for having me. 

Paul: Let's go and warm up, because it is really cold outside. 

Amit: It is very cold, yeah.

Paul: And we'll speak to you soon. 

[00:28:54] Amit: Thank you so much. Thank you. Thank you, everyone. Bye. 

[00:28:57] K: Bye, y'all.