Serious Privacy

Wrapping up Season 4 - all the love

December 26, 2023 Paul Breitbarth and Dr. K Royal and Ralph O'Brien Season 4 Episode 46

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal and Ralph O’Brien bring you the final episode - chock full of privacy goodness: episode 183 of Serious Privacy. And what a year it has been.  With over 44,000 downloads just this season, this was our most successful year to date. We missed top 10% on #Buzzsprout by about 5 downloads a week - so share and care. But of course, the year was not remarkable because of the number of downloads, but because of all the things that happened. From new legislation in India, to the adoption of the data privacy thingy, from yet again failed negotiations on the European ePrivacy Regulation to still no new data protection laws in Canada and the UK, the world of privacy and data protection is keeping all of us busy. 
Top episodes are:

5. We’re back and already loving season 4

4. Data Transfers: Will we ever learn? with Laura Dreschler

3. This is the year that was - final episode of 2022

2. Mega Meta Privacy with Romain Robert and Gabriela Zanfir-Fortuna (#1 when we started recording…and it flipped)

1. AI: not so intelligent and not so artificial

Favorites include: 

Tackling the Tough Topics: CSAM (Dr. Teresa Quintel and Alexander Hanff); Learning on the Run: Lets go Apprenticing (Emma Godfree); Passionate Compassion - Data Protection in Guernsey (Emma Martins); Coulda woulda shoulda - a talk on Ethics; Live from Stockholm at NPA23!; If it's broken, fix it (UK breaches with Ralph O'Brien); and Vendor Management - it's a real thing, and The truth and nothing but the truth: Europol (with Daniel Drewer and Jan Ellerman).



If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:00] Paul: Welcome to episode 183 of Serious Privacy, the final episode of season four. Wow. I can't believe I have just said that. Time really flies. And what a year it has been, with over 44,000 downloads. This was our most successful year to date, so thank you all for that. But of course the year was not remarkable because of the number of downloads, but because of all the things that happened. From new legislation in India, to the adoption of the data privacy thingy, from, yet again, failed negotiations on the European ePrivacy Regulation, to still no new data protection laws in Canada, the UK and the US federal level. The world of privacy and data protection is keeping all of us rather busy. So high time to look back at an eventful year. And who better to do that with than our gentle British co-host Ralph O'Brien. My name is Paul Breitbarth.

[00:01:04] K: And I'm K Royal and welcome to Serious Privacy. Ralph, when I have you on I need to wait and be an I'm K Royal and let you come in with

[00:01:14] Ralph: And I'm Ralph O'Brien, and welcome to Serious Privacy.

[00:01:20] K: Can you tell they're always yanking my chain here? Okay, we're gonna go straight.

[00:01:25] Paul: yanking who?

[00:01:26] K: Right? Okay, I gotta control these two guys. 

I'm just saying. I don't know how it happens. Yeah, they're telling me it ain't gonna happen. Unexpected question. At what age did you realize that Santa Claus was not some big guy in a red suit that came down your chimney and left presents under your tree.

[00:01:45] Ralph: Okay, I don't understand what you mean. What are you saying? Okay!

[00:01:49] K: All right, y'all. All right, y'all. think I just broke Ralph's poor little heart. 

[00:01:55] Paul: Well, and you couldn't break mine because nobody in the Netherlands believes in Santa Claus because we believe in 

[00:02:03] K: Ah, and he is a real person that comes down your chimney and leaves gifts under your tree.

[00:02:08] Paul: No, he rides his white horse over the rooftops and his assistants bring the gifts down the chimney. 

[00:02:14] K: See, y'all are always about the operational efficiency. 

[00:02:17] Paul: of course. I mean, you have the CEO and then the other people doing the actual work. That's also how it works 

[00:02:24] K: the K's and the Paul's and the Ralph's of the world. 

[00:02:27] Paul: Yeah, absolutely. But I, I stopped believing in Sinterklaas when I was probably seven or eight,

[00:02:33] K: Okay. 

[00:02:34] Paul: about the average age in the Netherlands when you are told, Hey, it's actually your parents that fill your shoe with gifts. We don't do stockings. We do shoes.

[00:02:42] K: And I do know that we have fans who are minors, but I don't believe we have any that are under 10.

[00:02:50] Paul: I don't think so. 

[00:02:52] K: Okay. Ralph, what about you? Yes.

[00:02:55] Ralph: belief in Krampus. I think Krampus 

[00:02:58] Paul: that's Austria. 

[00:02:59] Ralph: that Austrian? I apologize. I apologize. But yeah, it's, you know me, it's all about the enforcement.

[00:03:08] Paul: The big city. 

[00:03:09] K: for me, it was about hedging my bets because I recall in fifth grade, so I was nine years old before Christmas, someone said so. And I was like, well, of course I don't believe in Santa Claus and I hope he didn't hear that. So always optimistic in the face of evidence to the contrary. 

[00:03:29] Paul: Hmm, that's a difficult topic, I must say. Evidence to the contrary in belief. But let's not go down that route. 

[00:03:37] K: Well, I wanted to say Paul gave a little bit of stats in the beginning, but we got our, our stats back from Buzzsprout for the end of the year, which of course we still have an episode to go. It's not the final stats. I will say they put us in the top 25 percent of all podcasts. However, They also gave what they based it on and we literally missed the top 10 percent by like five 

[00:04:02] Paul: Average downloads per week, yeah. 

[00:04:04] K: And I literally think we missed it by like five. I think our average was like five below what they list for the top 10 percent which tells you we're probably in the top 12 percent or 15 percent of it. But that was really cool. 

[00:04:17] Paul: So kids out there, please tell your friends about this podcast and make them listen so that next year we are in the top 10%. 

[00:04:24] K: And Ralph, that is our number one city. 

[00:04:27] Ralph: Dublin? Wow. 

[00:04:29] K: is our number one city for overall downloads followed by Amsterdam, New York, San Francisco, and London. So we are truly a global podcast here. And then total downloads, I will say, however, come from United States. United Kingdom, Netherlands, Canada, and Sweden.

So that was cool. And then our top five episodes. And I love this. I love this because we have our top episode of all time was on cookies. That's still our top episode of all time on monster cookies. And I've been saying all season long, we got to get another episode on and we haven't done it, but we've got to do it. That'd be our priority for next year.

But. Number five, we're back and already loving season four. Number four, will we ever learn data transfers? Will we ever learn with Dr. Laura Dressler? Number three. This is the year that was the season finale of 2022. Number two, AI, not so intelligent and not so artificial. Number one, if you're looking over our list of podcasts, episodes for the year, Ralph, would you have any idea what number one would be?

[00:05:51] Ralph: I couldn't tell you. 

[00:05:52] K: You got to pick it out of 46 episodes. So 

[00:05:55] Ralph: I know. It's yeah, It's that's good. I wouldn't want to, I wouldn't want to, it's not, it's not one with me on it. It's not one with me on it. How's that?

[00:06:05] K: Mega Meta Privacy with Romain Robert and Gabriela Zanfir-Fortuna.

[00:06:12] Ralph: Well, two rock stars. 

[00:06:13] K: That was our number one episode for the year. So can't diss that. So how about we talk about what was your favorite episode of the year or your least favorite? I don't know that we have a least favorite. In season one, Paul and I had least favorites.

Let's be honest. That was before we learned that not everybody was meant for podcasting.

[00:06:33] Paul: True, and episode 1. 1 was also probably one of our least favorite ones.

[00:06:39] Ralph: It's, it's good. It's got to sound selfish, but you know, I enjoy any podcast I get to be a part of. So

[00:06:45] K: And those are also in our favorite, anything that we have you be a, part of. But I'm looking over the episodes and oh my goodness, there, I mean, there's 46 of them to look at. If I look over them all, Paul, do you already have yours picked out?

I don't know that I 

[00:07:00] Paul: I've, I've got, I've got a few actually. I really enjoyed our Europol episode just to show the world how Europol works and, and, and with, with data. 

[00:07:10] K: absolutely. That was phenomenal. 

[00:07:13] Paul: I thought that was a lot of fun. And I also really, well, enjoyed is not the right word, but a really important episode for me was the one on CSAM,

[00:07:23] Ralph: that was exactly what I was going to say. Yeah.

[00:07:26] Paul: and Alex

[00:07:26] Ralph: Alex and Teresa. Yeah.

[00:07:28] K: that was very impactful. 

[00:07:30] Paul: yeah, and it's such a difficult topic And I thought that was that was a really good conversation. They do tremendous work on this topic, both of them. So yeah, that was, that was probably also one of my favorites. But God, there is so much. We had Kerry Lenning this year to talk about cats and the feathers

[00:07:48] K: Yep. That was really good. That was one of the ones that I was looking at. I was also looking at the one on ethics.

[00:07:54] Paul: mm hmm.

[00:07:55] K: That one was really, really good. And we'll make sure that we tie these in here. I'm looking, it was the coulda, woulda, shoulda, a talk on ethics, ethics.

[00:08:04] Ralph: Emma Martin. 

[00:08:06] Paul: Emma Martin on Guernsey. Yes, absolutely true. And Emma Godfrey on the UK Apprenticeship Program. 

[00:08:13] K: Yeah. Oh, 

[00:08:14] Paul: and she's been a long way already. you know, Kay, maybe the ones that I absolutely like best are the ones that we were able to record in person. 

[00:08:23] K: Yes. I was looking at those 

[00:08:25] Paul: season four for the first time we actually got to do episodes face to face.

[00:08:30] K: Yep. And the IAPP. So the Nordic, I got to see Paul twice this year, And hadn't seen him since we first met. And so being in person twice was really cool. I will say though that this year has offered up some challenges to us in that now that travel is. We're both traveling and sometimes getting those interviews while we're at a conference or speaking somewhere works.

And sometimes it really doesn't. 

but the Nordic Privacy Arena really was a favorite one. That was phenomenal. 

[00:09:06] Paul: yes, it was it was a lot of fun to be able to do a podcast live on stage. I mean. I've been suggesting to conference organizers all over the world by now that we would be very much open to Do a live podcast also on their show 

[00:09:21] K: And, and are we saying hint, hint, Trevor, if you listen or someone who listens who also knows Trevor. Hint, hint, we would DC. 

[00:09:29] Paul: Well, I would for DC It would be amazing if we would have the big privacy podcast conundrum Live. So with the three of us With Debbie Reynolds from the Data Diva with Gabe and Cameron from Privacy Please, obviously with Jet, from, the Privacy Advisor with Angelique Carson. All of us on stage podcasting together, that would be amazing, I think. 

[00:09:57] K: and no boxing gloves allowed. No bells for go to your corner. There's no timeout. There's no buzzer. That reminds me when we first started talking podcast at TrustArc years ago, before you even joined us, Paul I promised Chris that we would have a buzzer. that we could buzz whenever I started saying something they didn't like. And Chris, Chris's response was K, we would never buzz you. Doesn't matter what you say. K is what K does and we're not going to buzz her. 

Now Paul's going, Ooh, a buzzer for K. 

[00:10:31] Ralph: just be one long buzz. 

[00:10:32] Paul: I was actually looking if we already have one in our in our audio library.

[00:10:37] K: We do. We really do. We're going to buzz Kay. But no, but also the, the, opportunities that we have to not to necessarily get together in person,

but the weeks in privacy, whether those weeks are with Ralph or those weeks are with you or however we're doing it. But those weeks in privacy where we just buckle down and like, you know what, these are what we've seen happen. And sometimes those are updates. Sometimes those updates don't seem to be very meaningful. And then we get to the end of the podcast. We're like, wow, that was some really substantive updates. And other times we actually diverted from the week in privacy and we actually tackled a topic that we'd been wanting to talk about.

For me, I think one time it was vendor management. I think another time it was children's privacy. that we talked about so that really stood out to me as well. 

[00:11:26] Paul: So , when, when you look back on, on 2023, I'm sure you're going to say it was a busy year in privacy and data protection that you've enjoyed it that there were many data breaches that there were some fines that interest you and some new legislation that interest you. But what did really stand out for you this year? 

[00:11:44] Ralph: all of the above. There

[00:11:46] Paul: to make it specific please. Just pretend you're a student doing an exam. You need to make it specific and elaborate.

[00:11:53] Ralph: no. That was yeah, you're right. You know, it has been another crazy year. One of the, one of the, sort of the busiest I think I've ever, ever had. It's been really interesting actually. You know as a consultant, I've always mixed my time between sort of my large consulting projects and my training projects.

And this year actually, you know, I've really seemed to have done a lot more on the training side, which has been fantastic actually because nothing sort of fills my heart with glee then sort of. inspiring a new generation of data protection professionals to kind of come out the gates running and dispelling the myths that that we've seen promulgating really ever since the GDPR arrives.

But looking at the specifics, I would say probably the biggest change. And it's always difficult for me Because I come from the UK here. So I have to kind of consider. global data protection and what's going on locally. But in terms of globally, I would say, obviously, in fact, on the last podcast, you were just talking with Joanne about the rise of the laws across the US.

But I guess in the EU, the biggest fallout that I've seen the most exciting elements that I've seen have been the sort of landmark decision from the CJEU about Bundeskartellamt versus Meta and the Norwegian push of that through the European Data Protection Board. And now into, of course, the Irish to actually take some decision.

That's fascinating for me because in the UK, you may or may not have heard, we've got a sort of a slight bugbear about sovereignty. And so it becomes extremely interesting to kind of hear discussion where a regulator is actually pushed. into enforcing the law in the way the super regulator would like to see it done. 

[00:13:45] Paul: Yeah, that, that, that was a very big moment. Of course, this year, it also shows that if we want to, the European system of DPAs cooperating and taking majority decisions actually works and that they can get things done and that they can get them done quickly, if need be, surprisingly, 

[00:14:02] Ralph: And of course what's fascinating is it actually came from Norway. So it came from a non EU, non voting member of the EDPB as well. 

[00:14:12] Paul: that was interesting. But what does that mean for the United Kingdom? Because you are now on the same heap with the United States and India and Brazil and China, where it where META is concerned, they don't seem to really care about the UK anymore when it comes to privacy and data protection.

[00:14:32] Ralph: Well, I think heap is the right word. 

You know, I find it interesting because there is, you know, a large amount of the customers I deal with are global organizations and they're all saying let's elevate ourselves. Let's elevate ourselves sort of up to this global gold standard of the GDPR. Let's elevate ourselves to a point where it doesn't matter where the citizenship is. at the end of the day, we want to give our customers rights no matter where they are on the globe. and 

I think that's generally a good thing and actually, even in the U. S. We've seen a marked uptick in their data protection laws. In fact, I would say there is only one country at The moment that is considering lowering it, lowering its privacy protections. 

[00:15:14] Paul: Would that by chance be the United Kingdom? 

[00:15:17] Ralph: That's my big downturn for the year, right? That's my big upturns, big downturns. and I think my big downturn is the situation here at home where, you know, I do have legitimate concerns in not only the potential results on individuals, but the language and rhetoric used by our government.

Falling into the language and rhetoric from a supposed independent regulator as well. So even before we've had any new laws passing, the thing I felt was really interesting was looking at the language used in the memorandum of understanding signed between the ICO And the European data protection supervisor, where it said, from the European data protection supervisor, you know, we want to protect people.

in Europe And the ICO saying we want to protect British citizens, which as you know is not what the law says. The law says, you know, people. 

Yeah, so 

[00:16:15] Paul: because it's a fundamental right that is not bound to citizenship. Because otherwise it would not be a fundamental right.

[00:16:22] Ralph: Will you talk about fundamental rights? There is a piece of legislation passed here in the UK. The Fundamental Rights data protection Amendments Regulations. really fascinating law. you can look it up. The Data Protection Fundamental Rights and Freedom of Amendment Regulation 2023.

It's a statutory instrument that literally goes through our data protection legislation and, you know, our version of the GDPR And that removes the word fundamental rights and freedoms. Why? Because fundamental rights and freedoms is EU language And, there is an argument that now we are you know, out of Europe that we no longer have a fundamental right to data protection, because, as you'll be aware, under the European Charter, data protection And, privacy are two separate articles, whereas under the ECHR, it's all under one generalised right to privacy.

So the argument here in the UK is that we've lost our right to data protection and we only have the generalised right to privacy. So for the government to actually pass a law where they're going to, or at least a statutory instrument where they go through our current law, remove references to rights, fundamental rights and freedoms. It's a fascinating thing to do. You could argue that should administrative cleanup in a post Brexit world, but to me, it represents something much deeper and much more worrisome.

[00:17:45] Paul: Yeah, I, mean, this is a significant change especially for one of the founders also of the Council of Europe, which was all about fundamental rights, including 

That fundamental right to privacy and later on the fundamental right to data protection. So it's, it's surprising

[00:18:02] Ralph: Well, you know, we have this thing called respect for the rule of law. You know, it's one of the first things the European Commission looks at on a, on a, on a adequacy arrangement that the country isn't in chaos and, it respects the rule of law. and you look at the, our current conservative government's approach to the law at the moment.

It's well. if the courts say that, you know, putting people on a plane to Rwanda will break their, their human rights will pass a new law that will 

[00:18:26] Paul: that we still can. Yeah. 

[00:18:28] Ralph: that saying that we still can. So I don't know, if that's respecting the rule of law or trying to use the law to break the law. It's a, it's a very odd situation we find ourselves in and I you know, I'm We are coming up to elections this time, next next, next November, December time. But in the meantime, of course, you just wonder how much damage the current government will do before that point to those fundamental rights And, freedoms. and of course, there's no guarantee what would replace them would be any better. So my advice to my customers is, it's quite embarrassing really to kind of talk about the UK as an irrelevance, that's, that's a horrible thing to be able to say, but, you know, in a world where everyone else is moving their standards up towards the GDPR, if you're a global or even a European organization in any way at all, it's actually difficult to actually say to the customers, well, let's not worry about local law. let's worry about the higher standard, you know, because that, means you don't have problems with data transfers. It means you're applying the highest rights everywhere. But in terms of, as you say, regulatory penalty. There isn't too much to fear here at the moment. We've seen a number of reprimands this year rather than you know a more penalizing approach.

And that means that you are right, a company like Meta, let's go back to the start of what we were talking about, has taken the approach in the UK after Bundeskartellamt to say, Well, we won't offer those pay or consent options in the UK. We will treat the UK as if you're the customer of Facebook Inc in the US rather than the customer of Facebook Ireland in the EU and not give you the EU rights.

And that's kind of crazy because they are in our law. You know, our law hasn't drifted apart so EU that those rights aren't there. 

[00:20:20] Paul: No, but at the same time you, you are trying to make clear that you want your law to drift away from the European legislation. Well, not you, personally, obviously, but your government. I've always learned in, in law school that international treaties go above national law. So there is, no way that national law could circumvent In an international treaty but apparently that part also no longer applies in the UK. Maybe Boris Johnson can translate for the current government what Pacta sunt servanda means, that treaties must be adhered to, 

[00:20:52] Ralph: Yeah, true. And it's fascinating. you look at the whole Rwanda situation and, you know, people trying to, you know, and in a way it's a distraction from other things that are going on, but you know, it wasn't just the ECHR that's being violated here. There is all sorts of international treaties, refugee treaties that the UK has signed up to over the You know, the last 70 or 80 years, you know, certainly since World War Two, I would, you know, I'd be proud to say the UK has been one of the countries that led that march towards human rights, as you say, found a member of the Council of Europe, you know, the, a lot of the ECHR was, was done under UK penmanship.

So to, so to find ourselves in a country that then. Decides that, he doesn't want to be bound by the things that it created. And as you say, international law generally beats local law. So where does this idea of sovereignty come from in a way that isn't xenophobic, in a way that isn't costly to humanity and our international commitments?

Wow, that was suddenly a lot deeper than I thought I was going to get into on a Christmas episode. 

[00:21:57] Paul: So getting back into the festive mood after this this sorrow, which also is part of looking back, of course, on a year but looking, looking back at 2023, if you look outside of the EU and the US, what's there to celebrate from your perspective?

[00:22:14] Ralph: Oh, a huge amount. To me, technology has got this wonderful ability to unite humanity in a way that it never has before. you know, I'm, I'm, I'm actually a big fan of technology and yes, we Can talk about some of, the threats. That it is done, you know, technology increases the scale. You can do things. So it, so because it's morally neutral, you've got great benefit and great harm coming hand in hand. and I believe our role is to reduce the harms while gaining the benefits of of, of the wonderful technology that that's out there. So there is, I think, a growing understanding amongst larger tech firms in general, that data protection, if you like, is not, something that should be as a. After the fact legal compliance paperwork exercise and a lot greater recognition of things like privacy by design of sort of pulling data protection into more of a fundamental giving individuals options and choices and, you know, giving individuals a little bit more power, perhaps.

And making sure that individuals are, you know, comfortable sometimes. And that's sort of a double edged sword because whilst transparency and consent, we would necessarily say are good things. Obviously, it also increases the burden on the individual. And so, you know, when you say what's the best thing to be done in data protection or privacy in the last X years, I think the technology providers have got a huge amount to you know, Be credit because it's the, It's that thing. you, know, the, the, the GDPR can say all it likes on the piece of paper, but when a company like Apple says, no, we're going to enforce on our technology, you can press a button and we won't let anybody track anything. And that's fundamentally done within the technology. Isn't that almost more powerful?

Isn't that almost more powerful than any law that you can do? Because it means that, you know, half the people in the world with that piece of technology in their hand is then protected at that technological source rather than almost proactively having to chase after people through a law. 

[00:24:27] Paul: It's, it's certainly stronger, but I think it's also, to a certain extent, quite concerning. Because it means that company policy becomes much more important than legislation. And we already see that when it comes to, to censorship, for example. And, and another. Small fundamental right called the freedom of speech where some of the social media consider that certain things should not be said or should not be posted because they don't like it and it's not part of their company culture, And to some extent that goes to the extremes.

The way that X, previously Twitter is now not moderating any, any content any longer And and all kinds of crazy and, And extreme right and extreme left propaganda, Can be put out again, pushed out again. But at the same time when you go to, to Instagram a female nipple cannot even be shown because that is, Contrarious to, to Meta's policies and preferences even though that is completely legal in the vast majority of countries around the world.

So I'm not that comfortable with companies imposing their vision and their policy as the truth that should be adhered to. I'd rather have the legislation that is established through a democratic debate.

[00:25:47] Ralph: It's, you know, you've got to feel sorry for those larger companies and, you know, as much as I've perhaps in the past been guilty of saying that a Facebook and a Google or a Meta is the evil empire out there who are out there to hurt our privacy. I think most of my customers are facing this problem of global technology local law.

Right. And you do get different regimes out there with different moralistic standpoints. And again, I can point to the UK this year that brought out a law called the online safety bill. Why? For good reasons. They wanted to make the internet a safe place for children and all this kind of good stuff. But, you know, when you connect yourself to the world, the world is connected to you in all of its savagery, glory, beauty.

And of course you know, all of the dark side as well. You know, you define What's harmful, you know, and this was a big problem. They come up in draft of the law. You know, what do you define as harmful? Well, pornography. We could look at pornography. I mean, obviously, do you want to expose young children to pornography?

Probably not. But yeah, but yet you don't want to criminalize it as something that's awful, you know, it's part of the natural human experience to derive pleasure from sexuality. So at the end of the day, you know, whilst it's, you know, As long as it's done safely with consenting adults, then, you know, it's a very different thing.

You know, would I rather expose children to that or some of the more harmful things that's out there about transphobia and racism and religion? And, you know, it becomes a very difficult thing to understand what's harmful, you know, what, you know, and is harmful the same as illegal content. The two things are very different, right?

[00:27:23] Paul: They are.

[00:27:23] Ralph: And I'm sure what if you and I had a debate, Paul, what you consider harmful and what I consider harmful might be two different things, right? So

[00:27:29] Paul: Yeah, and that's also because each of us has different ethics because of our background and our worldviews. That's a debate I've been having a lot in recent years. If you want an ethical approach to data protection, you first need to agree what is ethical. 

[00:27:43] Ralph: Yeah, it's fantastic. Yeah. People have asked me to train data ethics this year, and I had a customer that came to me and said, do a data ethics training course. And I said, brilliant. What are your ethics? And they said, well, what do you mean? I just want you to do a training course on data ethics for me.

And I said, yes, but what's your ethics? What do you want me to teach people? Are your company's ethics? And they said, well, they just hadn't kind of gone down that road of thinking, you know,

[00:28:10] Paul: is a lot of maturity still required. If, if I look back at, at highlights for this, this past year for me, one of my personal highlights was actually teaching together with you.

Because we had a lot of fun doing that teaching accountability to to a whole group of, of professionals.

How do you build your data protection compliance program? How do you talk about it to your leadership? How do you demonstrate that you are actually doing the right things? How do you do impact assessments? How do you do risk assessments? How do you do security assessments? All of that and. I think that's important also that those kind of, it's not just about individual rights and how do you deal with an access request.

It is not just about what is the right legal basis for this or that data processing operation. It is also about the whole underlying program that you, that you need to establish.

[00:29:03] Ralph: Yeah, project management skills, softer skills, communication skills. I've always said that the data protection professional has really got to be a jack of all trades. You're sort of part risk manager, part project manager, part communicator, part legislates, part you know, Yeah, but software development again, you know, when you go into privacy by design and software engineering and, you know, you've really got to understand that element of the organization as well.

And you're right. It was a joy, Paul. It was a joy. And, you know, I'm really hoping that we get a chance to do more dates across 2024 because you know, again and it wasn't just yourself as well. You know, it was Andrea as well. And Paolo and the rest of the team there at Maastricht University.

I, I heard they actually attached Whittaker delivering on the DPO course the other day there as well. I think, I think that, that team in particular are putting together a wonderful team of people who it's a a privilege and a joy to work with. So yeah, long may it continue.

[00:30:01] Paul: Oh, yes. I'm looking forward to the first training course of next year, which will be in Lisbon, the one that you actually also took some years ago. So

[00:30:09] Ralph: Oh, and congratulations to, to the first masters who came off that course as well. Including our dear friend Alex and, and and others who who managed to successfully complete their master's program as well. And, you know, education is important, but as I've always said, it's not just education and what the law says, you know, it's, it's, it's, it's the practical experience of how to actually run a data protection office and, and deliver on the expectations of the management and customers and change perception of the whole profession. You know, Luke and and and Claire and others who we've, who we've talked to had coined that phrase, from blocker to builder.

And, and I really hope that the data protection profession as a whole moves along their sort of their evolution from, instead of being the legal person that says no, being the practical person who says, yes, let's do this and here's a load of controls to reduce risk, you know, let's do this and let's add value by adding this functionality rather than being subtractive. So, you know, if that, if I had one, if I had to ask data protection professionals to make one new year's resolution, if you like, it's to be that builder rather than the blocker.

It's to be additive, not subtractive. 

[00:31:22] K: You have now reached the first 30 minutes of the Serious Privacy final episode for season four. You may stop now and pick us up again at your leisure. We're continually listening for the last 30 minutes of Serious Privacy, 2023.

[00:31:41] Paul: Which regulator stood out for you in, in the past 12 months? You may have into that one already. Not sure whether that's the one you're going to pick. But which global data protection regulator is the one that stood out in 2023?

[00:31:54] K: I love it. I mean, the first one that comes to mind, I'm gonna say it's the Nordic DPAs because they're all women and they have that phenomenal cooperation going on and their regulatory sandbox, which we learned. But if I really look at what regulators are doing, I do like what the FTC here in the U.S. is doing.

They're very actively going after companies who are abusing, their responsibilities, and they have very limited law that they can go after them under this, under the responsibility of FTC, but that's growing. So I really like what they're doing in enforcing children's privacy.

And going from there and again, COPPA is not perfect. The Children's Online Privacy Protection Act, not perfect, but the FTC is going after what they can. And the same thing for deceptive, you know, trade practices with privacy notices and what they're doing. So they're being very active and they're actually, they're starting to focus officially more on privacy.

So if you were to say, do you have a privacy regulator in the U.S., the FTC is the closest we have. Given what's under their jurisdiction. So I do like what they're trying to do. And they also do a PrivacyCon every year, which I've never been able to go to in person. But on the other hand, I think they started it over COVID.

And so I'm hoping this next year in March that I'll be able to go to it in person. I love the opportunity of being able to sit down with regulators and hash out ideas. And so when it was explained to me what the regulator sandbox was at the Nordic Privacy Arena, because that term just keeps getting thrown around.

I'm like, well, what is it? It's actually what the FTC has been doing for years with their open forums and their meets, getting together with individuals, with businesses, with industries and saying, Hey, let's discuss a particular issue and how should it be approached and what would get you in trouble.

So I really do like the FTC, not that the FTC would ever put me on any board or do anything like that, but I really respect what they're doing.

[00:34:02] Ralph: What are your hopes for the Californian board then, because obviously you've now got a dedicated privacy regulator in California. So,

[00:34:09] K: I am impressed with that and I'm a little disappointed that other states didn't follow the same thing and spin up their own little regulator regulatory agency because I think that might've made the federal government move a little faster. But California has always been different from the other 49 states and they're really ahead of times in doing that.

The agency is being very active. They're putting out a lot of guidance. I mean, and I think I was listening to one of their, their board one time say when someone asked them, well, can you put out any guidance? And she's like, we have. We have hundreds, if not thousands of pages of guidance. Yeah. If you want to hide something in a blizzard, throw a lot at it.

Right. It's kind of like, well, can you come out with some succinct bullet point guidance that we can easily absorb it and act on? But if you read their decisions and what they've done they're pretty cool. 

Ralph. 

[00:35:11] Ralph: Oh, wow. That's, I mean, where to begin? They've all done, they've all done different things. This is the thing. They've all done a lot of different things. I think, do you know what, in terms of legacy, I think Emma Martins is worth talking about. Because perhaps, perhaps not, perhaps not anyone's first choice, because Guernsey is a small place, a small island, but certainly the work that they've done through their Project Bijou, not just Emma, her team as well, of course, you know, and good luck to her in a new role in the new year. But obviously, it's not, it's the work that she's done on the proactive side, the educational side, the going into schools and sort of getting them while they're young.

You know, and letting people know their information rights from a really young age, the Project Bijou work that's been happening there. So in terms of the sort of the interaction and increasing understanding of the general populace, you'd actually imagine that I'd come out and start saying something about enforcement because I'm always online going, do enforcement, do enforcement, do more enforcement, you know, hurt people for their transgressions.

But actually. On the more proactive side of stuff, you know, it's Emma and the team down at Guernsey that I think deserve a huge amount of credit.

[00:36:21] Paul: And if you want to hear more about Emma or from Emma, actually listen to episode six of this season where K and I have a long conversation with her about all the great work that she's been doing on Guernsey.

[00:36:32] Ralph: Superb. Yeah, I mean, obviously we've just mentioned Norway and the Bundeskartellamt case as well. I would, wouldn't be, I wouldn't be doing my job if I didn't mention my home regulator here, who was. Confused me with a number of reprimands and then one late bit of enforcement this year. You know, I think that certainly the Irish regulator's in an interesting place because obviously we're now going to have a number of commissioners over there in the new year.

[00:37:02] Paul: I didn't see a LinkedIn post from you yet that you have not been selected. So I guess you are still in the process.

[00:37:08] Ralph: I didn't apply. I have heard from a good friend, Alex. Sadly, he hasn't been chosen to go through to the next round.

[00:37:15] Paul: I would assume the same is true for Max Schrems.

[00:37:17] Ralph: Yes. No, but actually I didn't apply it. You know, I always think what do they want in a regulator? And you know, I always think that a regulator perhaps I'm not, not.

Political enough perhaps I, I, I want to say what I mean a little bit too much to to be politic. But you know, policy work is certainly in fact, I am going to be getting involved in as something I should mention, perhaps one of my proudest moments this year is I'm creating something called a global privacy panel, which is a number of individuals across the globe who can really offer a follow the sun service in terms of, you know, people where I myself am based out of the UK and you're, you're based out in the Netherlands and I've got no people in, in the U.S.

Oh, 

[00:38:03] Ralph: and in Asia and Australia, all of whom were a good people, but all of whom, you know, perhaps offering.

Services by themselves could not you know, offer something that could interest a global company. So by forming sort of a global advisory panel, I've got this concept going into the next year that we can help support larger tech companies. And we've already taking on a piece of work for a regulator in Africa and potentially for a global technology platform.

Who won the advisory board. So moving things onto a more global basis as part of that sort of global privacy panel, that's probably the thing I'm looking forward to most going into 2024.

I'm going to ask you the same questions. What you think is your standout regulator and what you're looking forward to going into 2024?

[00:38:53] Paul: When it comes to the standout regulator, apart from, from, I would say the, the obvious candidates, certainly Norway is, is very high up there for me because they've done amazing work throughout this year, not just with the the, the Meta case and the, the, the personalized online advertising, certainly also the the Grindr case, which they saw through.

With a, a massive fine also for advertising that they were not transparent about. But also the way that they are approaching their strategic plan. The chair of the Norwegian DPA during the Nordic Privacy Arena explained that she actually held a series of roundtables throughout the country with companies, with public authorities, just to talk about what it is to be a data protection authority, what they should do better, what they should focus on, if the company was in the seat of the regulator, what would be their number one priority.

[00:39:50] Ralph: A listening tour. 

[00:39:50] Paul: Yeah, a listening tour, but a very, a very thorough one. And I thought that was that was actually a really good thing to do. To, to, when you come in as a new data protection authority, a new commissioner, to set up your strategic plans. So that's, that's one. Outside of the traditional Western world, I would like to give a big shout out to Kenya. The office of the Kenyan information commissioner is doing so much at the moment.

They are a very young authority. They've been around for around two years, I believe. They've now opened up offices not just in Nairobi, but also in Mombasa, in Nakuru, so spread out over the east and the west of the country as well, regional offices, so they are available to people. They bring out a lot of guidance, they start their enforcement, and they're also very vocal about it.

I recall earlier this year, there was this this initiative from one of the founders from OpenAI, Sam Altman with his his, his Bitcoin alternative that if you would give a copy of your retina scan he would give you, I don't know, a hundred dollars, I believe, 

In, in, in, in virtual money. And a lot of people. Obviously, that is a lot of money.

So it was very quickly, very popular also in Kenya. And the regulator said, no we're shutting this down because this is completely illegal under our legislation. And that was very impressive, especially for such a young regulator to do things like that. So a big shout out to Kenya.

[00:41:17] Ralph: Going ahead into 2024, what's your hopes for 2024?

[00:41:21] Paul: Well, it would be nice to see a bit of life in the U.S. federal legislative debate. Not sure we're going to see that. It would be nice to see some life in the Commission review of the adequacy decisions of that were made under the directive that, that should have been reviewed at least in my perspective, by May 2022. We still have not

[00:41:42] Ralph: You mean Uruguay and Argentina don't have GDPR like laws? Is this what you're telling me?

[00:41:47] Paul: I'm not sure whether they do because the Commission is still reviewing them and they claimed just ahead of Schrems II in 2021 that the reviews were almost done and that they were just waiting for the, the Schrems II judgment to confirm a few things, but we haven't seen it appear. And it's not just Uruguay and Argentina and New Zealand and Israel, it's, it's also the Channel Islands, for example.

So I do have a personal interest here as well now declared. 

[00:42:14] Ralph: And there's a country that has only got a four year one I can't think of which country that would be as

[00:42:18] Paul: No, but there the review should start at the end of next year as well. So and with legislative change happening right now, that could also be an interesting discussion. So that's happening and I'm actually looking forward to what the European elections will mean for data protection. Because we've got the, the review of the GDPR coming up sometime in the May time frame. The EDPB just submitted their position for the next evaluation of the GDPR and that was adopted last week in the plenary of

[00:42:49] Ralph: Is that the one that says we don't think that there needs to be any changes right now?

[00:42:53] Paul: Well, there don't need to be fundamental changes, but if you read between the lines, there is actually quite a bit of change that they do think is required, maybe not in the way that everybody cooperates because that will be part of separate legislation. But, for example, already in the last one, last review, it was concluded that the processing of data of minors is an issue because it's not consistent across the EU and it's not clear in the GDPR what age, when what age would apply, what is leading, how it would be applied, how it should be checked.

So that is one of those points where you probably want more clarity. So I think it would be disappointing if the conclusion would yet again be yeah, we continue working on guidelines, but we see no need for any fundamental changes to the GDPR. You don't need full new legislation for sure, but you do need probably to make some minor updates and, and correct some, some mistakes in the legislation.

[00:43:52] Ralph: How's, how's this for a hot take? What do you think? 5 percent chance we have any privacy regulation.

[00:43:58] Paul: No, none. None. That will, that, that will be repealed by the new European Commission and there should be a new proposal. But also there, what will happen and that also to some extent will depend on the outcomes of the European elections. You see a very big push to the right all across the European Union also to the conservatives.

Some would argue extreme right so. Also there we need to see what that will mean for our fundamental rights and and how the European Union will legislate on those topics. Because it cannot be ruled out that we will see some of those far right parties also proposing the next European Commissioner for their member state. Yeah, that's scary stuff. I see your face.

[00:44:42] Ralph: Watch this space.

[00:44:43] Paul: So that's one of the reasons why I'm I'm curious to see what the European elections will bring.

[00:44:50] Ralph: Watch this space. Indeed.

Indeed indeed.

[00:44:53] Paul: Yes, absolutely. I'm pretty sure that we will have that discussion around the June timeframe when the elections will happen and we'll invite some EU legislative experts to to join us then.

[00:45:05] Ralph: And top tips 2024.

[00:45:07] K: Top tips, tips. Like tips, like privacy tips.

[00:45:14] Ralph: Looking forward to what? Looking forward to. 

[00:45:16] K: Privacy tips. You know, funny enough, I put out a thing on LinkedIn about online shopping, no no's to do. And so those are probably, if you ask me on a person to person basis, what are my privacy tips? That would be personal privacy tips. Company privacy tips is please God, just pay attention to what you're doing with data. Just, just know, just know knowing is half the battle. Just know data. And,

[00:45:45] Paul: bit like your wallet, don't let it lie around somewhere where you don't have control over 

[00:45:49] K: right. But I would say really pressing for companies coming up in 2024 is don't get swept up in the mania around AI. whether it's on the good side or the bad side, whether you're trying to use it or you're trying to not use it. Just tackle it from a very practical, open minded you're, you're open to learning what AI can do, but you know what its limits should be and where you should and shouldn't use it.

I've heard some people say privacy people have no right speaking to AI because it has nothing to do with privacy, and I'm sorry, that's bull hockey. You know, throw that one out the window. You can't just keep us out the door cause you want us out the door. But those are the two things I would say is your data and then don't get caught up in this mass mania.

Learn about it, know about it, use it responsibly, but don't be blinded by it or overly excited by it. Look at it as a practical perspective. Hmm.

[00:46:51] Paul: We discussed with Joanne Virgil the U.S. state legislation. What's your prediction for 2024 there? First of all, do we see a federal

[00:47:01] K: Nah. Oh, we'll see a bill. We'll see all kinds of bills. Will they go anywhere? No. 

[00:47:07] Ralph: Is it because of the California preemption, or do you not think there's the political will?

[00:47:10] K: Both. It's the pride. They're scared of a private right of action, but the only one that has a private right of action is California. The states are scared of preemption, but the only one that really cares is California. But California has a big sway in on the federal. I mean, you saw our fight for Speaker of the House, right?

I mean, yeah,

[00:47:30] Paul: Was that a fight that looked more like an internal war in the Republican Party?

[00:47:35] K: Right. But yeah, so it's not going to. And I think the reason it's not going to is because our elected politicians don't know enough about the subject to one, give it the priority it needs or to give it the consideration it deserves. And until we have someone who can actually drive it strongly and has the influence or people get educated, but it takes us four years to educate someone on it. And by then they're out of office or they're in jail.

[00:48:09] Ralph: Yeah, I actually sent, sent a message to my local politician who's recently changed about the Data Protection Digital Information Bill here in the UK and said, you know, what are you thinking about it? Which way are you planning on voting? You know, could we be happy to have a discussion sort of thing?

And I got back a message about Brexit and the fact that we'd left the EU and I'm like, oh my God.

[00:48:30] K: You're like, okay, yeah, I don't have enough crayons to explain this to you, but okay. No, I've actually thought about running for office

[00:48:41] Paul: Wow,

[00:48:42] Ralph: Wow. 

[00:48:43] K: I, I don't know how I don't, I don't have tons of money to throw at the problem so, right.

[00:48:49] Ralph: for Kane, you heard it here first.

[00:48:52] Paul: Well, maybe you need to move to Colorado because there the Republicans seem to be out of the windows.

[00:48:57] K: I saw that. That's interesting. And, and, and I wonder about that because it seems like they're priming it for a Supreme Court debate.

[00:49:04] Paul: Hmm, before January 4th, so SCOTUS will not have a quiet Christmas, apparently.

[00:49:13] K: No, no, it's going to be very interesting there. And

[00:49:16] Paul: But you are avoiding my other question.

[00:49:18] K: Oh, am I? State

[00:49:20] Paul: This, your predictions for state legislation. We're currently at 12. We're at 12, right? Six more?

[00:49:27] K: There's going to be six. There are seven more now. They are counting Florida, even though Florida's not really a generally applicable privacy, but we discussed that to death. I think there's going to be six more. I don't know why.

Six just sounds like a nice number. We're going to have six more. The existence is 19. And then I think after that, we're going to start driving closer to a federal bill, but that also puts us in the next election year. So we know big election years, you're not going to see enough. So maybe I need to knock that down.

Cause next year is 2024 and we, it's a leap year and an election year. They're not going to pay attention to privacy, but I'm hoping it's going to be one of the big points of conversation.

[00:50:10] Paul: And Ralph, will the UKDP, whatever they call it, the New Data Protection Act, will it see the end of the road somewhere in 24? Will it, be adopted? 

[00:50:22] Ralph: It will be adopted in the spring more perhaps not in its current form. I mean, they put up 120 pages of amendments two days before it was supposed to go through parliament, and even one of the MPs put up their hand and said, oh, you know, how are we supposed to read this and make an informed choice?

And they just went, no, don't worry about it. Nothing to see here, nothing to see here. So it's not a new data protection, let's make that very clear. All they're doing is adding another layer of track changes. On top of what we've already got, but some of them are significant, you know, reducing the independence of the commissioner and replacing it with a board.

You know, increasing the amount of things you don't have to do legitimate interest assessments for, including direct marketing

[00:51:06] K: You don't have to do legitimate interest for direct marketing?

[00:51:10] Ralph: Well, there are going to be a list of pre approved legitimate interests, and that would they include direct marketing at the

[00:51:15] K: They're going to tell us what's legitimate.

[00:51:18] Ralph: Yeah, basically. And changing the very definition of personal data, moving moving the reasons why you can say no to access requests of the things like vexatious and excessive.

The only country in the world to be reducing its rights for individuals.

How's 

[00:51:36] K: Right. Which is really interesting, but you know, it's I do find it interesting this whole thing around vexatious requests. Cause what we're starting to see come out is if, and this came, I believe from a UK decision, if you believe that the purpose is not for individual access or, or what it is related to that data that you have.

If you think that they're asking for the data for another purpose, such as filing a lawsuit on someone, that's not, that's not a reason for a personal data access request.

[00:52:07] Ralph: Yeah, allegedly you're only supposed to do it in support of your next information rights requests, but also they're also purpose blind, so you're also not allowed to ask why.

[00:52:18] K: Yeah. 

[00:52:19] Paul: No. There is nowhere in the law that there are limitations to your, the reasons why you can ask access or deletion or 

[00:52:27] K: Yeah.

[00:52:27] Ralph: to, 

[00:52:29] K: I find, I find it interesting that we're, that we're moving that direction is to, if you believe this isn't for the person's own interest, that it has a secondary purpose, then you can deny the request.

[00:52:40] Paul: No,

[00:52:41] K: Okay.

[00:52:43] Ralph: Watch this space. But they're looking for a spring. They're looking for it to be passed in the spring. This extra layer of track changes and my what it will do is it will mean that small to medium enterprises will, we will use it as an excuse to feel like and ignore the law and larger enterprises will keep adopting the GDPR anyway who work globally.

So

[00:53:02] K: Okay. 

[00:53:03] Paul: a happy note to wrap up,

[00:53:04] K: We need a happy note to wrap up on. Here's the thing. We're coming back next year. Here's a happy note. Now y'all keep in mind, Paul and I like to have the big winter, cold, snowy, nasty part of January to ourselves. And we come back on January 28th, my daughter's birthday, but also global data privacy day. 

[00:53:27] Paul: data protection day, for 

[00:53:29] Ralph: Data protection day, you're 

[00:53:30] K: waiting on that. 

[00:53:31] Ralph: Hey,

[00:53:33] K: I think there are two countries that adopted it as global data privacy day and all the rest of them, global data protection.

[00:53:40] Ralph: The commemoration of signing of convention 108. 

[00:53:44] Paul: on the automated processing of personal data, 

[00:53:47] K: See these guys know a thing or 

[00:53:48] Paul: not PII. I mean, there's no PII in the convention of Europe convention and Council of Europe convention.

[00:53:55] K: That is a wall I beat my head against all the time. The PII debate. Anyway, we're coming back next year. We'll be here for 2024. Now we say that knock on wood that the holidays go well. And we actually do come back, but we are excited to come back for season five. We've already outlasted millions of podcasts apparently that spun up over COVID because people were trapped at home.

But Paul and I didn't start it over COVID. We were already starting it and then it happened. No cause and

[00:54:28] Paul: true.

[00:54:28] K: whatsoever.

[00:54:30] Paul: No, we will continue in season five. We will have Ralph back on as our guest co host on occasion when either of us is traveling or when we just feel like it or when we need a UK voice or somebody to tell us that privacy is actually privacy in all of those situations, 

[00:54:46] Ralph: Well it's actually data protection if you're really with actually data protections.

[00:54:50] K: Or if we want to bring a ginger to the argument, I mean.

[00:54:55] Paul: And we already have quite a few guests that we have reached out to, guests that have reached out to us, if they can come on. And yes, we are looking also to do some face to face episodes again next year, starting in D.C. somewhere in the Easter time frame during the Global Privacy Summit. And on that note, we'll wrap up another season of Serious Privacy. This was season four. Thank you so much once again for listening to Serious Privacy. If you do like us, please do tell your friends and colleagues about us. We want to make the top 10 next year, or the top 10%. Rate and review our episodes in your favorite podcast app, or on your favorite podcast platform.

You'll find the podcast on social media at @podcastprivacy, on LinkedIn as Serious Privacy. You'll find K on social media as @heartofprivacy. You'll find Ralph as at IGR O'Brien. And myself as @euroPaulB. Until next year, goodbye.

[00:55:54] Ralph: Goodbye. 

[00:55:55] K: Bye y'all.