Masters of Privacy

The EDPB has finally adopted its much feared Guidelines on the scope of article 5.3 of the ePrivacy Directive, but consent may still be avoided in some cases not specifically covered by an exemption (e.g., analytics). Absent such an exception, and in light of dismal consent rates, publishers and platforms have embraced highly controversial “Consent or Pay” models. Plan C? Server-side processing (Conversion APIs, Enhanced Conversions, Data Clean Rooms…), not without its own challenges.

We have gone through all of it with Peter Craddock in his second appearance on Masters of Privacy. 

Peter Craddock is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. He is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area.

References:

• Peter Craddock on LinkedIn
• Op-Ed: A critical analysis of the EDPB's "Pay or Consent" Opinion (Peter Craddock)
• Peter Craddock: Comparison of the final version of the EDPB’s ePrivacy guidelines with the version of November 2023 (including links to more in-depth comments on those guidelines)
• EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms
• AEPD guidelines for the use of cookies without need for consent in the context of digital analytics (ES)
• Peter Craddock on Masters of Privacy (February 2024): Could core advertising components fall under the “strictly necessary” exemption of the ePrivacy Directive?
• Romain Robert: Pay or OK in AdTech - How it started and where it’s going (Masters of Privacy)
• Renzo Marchini: Unintended consequences of the EDPB guidelines on storage and access under article 5.3 of the ePrivacy Directive (Masters of Privacy) 
• Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls (Masters of Privacy)
• Robert Bateman: Consent or Pay (Masters of Privacy)
• Peter Hense: How first party data will kill CMPs (Masters of Privacy)

Dr Lukasz Olejnik (@lukOlejnik), LL.M, is an independent cybersecurity, privacy and data protection researcher and consultant. Senior Visiting Research Fellow of the Department of War Studies, King’s College London. He holds a Computer Science PhD at INRIA (French Institute for Research in Digital Science and Technology), and LL.M. from University of Edinburgh. He worked at CERN (European Organisation for Nuclear Research), and was a research associate at University College London. He was associated with Princeton's Center for Information Technology Policy, and Oxford's Centre for Technology and Global Affairs. He was a member of the W3C Technical Architecture Group. Former cyberwarfare advisor at the International Committee of the Red Cross in Geneva, where he worked on the humanitarian consequences of cyber operations. Author of scientific articles, op-eds, analyses, and books Philosophy of Cybersecurity, and “Propaganda”. He contributes public commentary to international media.

References:

• Full interview transcript (on Medium)
• Propaganda, by Lukasz Olejnik
• Lukasz Olejnik on Cyber, Privacy and Tech Policy Critique (Newsletter)
• Lukasz Olejnik on Mastodon
• Lukasz Olejnik on X
• EU Digital Services Act (DSA) 
• Section 230 (“Protection for private blocking and screening of offensive material“)  of the Communications Decency Act (1996)
• Cubby, Inc. v. CompuServe Inc. and Stratton Oakmont, Inc. v. Prodigy Services Co. as precursors to Section 230
• Doppelganger in action: Sanctions for Russian disinformation linked to Kate rumours
• EU takes shot at Musk over Trump interview — and EU takes shot at Musk over Trump interview — and misses (Politico)
• The story of Pavel Rubtsov (“Journalist or Russian spy? The strange case of Pablo González”), The Guardian
• Silicon Valley, The New Lobbying Monster (mentioning Chris Lehane’s campaigns), The New Yorker
• Financial Times: Clip purporting to show a Haitian voting in Georgia is among ‘Moscow’s broader efforts’ to sway the race
• “Pseudo-media”:  Spain proposes tightening rules on media to tackle fake news

Can we leverage AI-generated synthetic data as a privacy-enhancing or data anonymization solution? How compatible is it with Data Clean Rooms? Will there be a path to effectively anonymize unstructured data?

Ben Winokur is the co-founder and CEO of Subsalt, the leading platform for anonymous synthetic data. Prior to Subsalt, Ben worked in a variety of legal, product, and operational roles at Passport, where he first encountered the problem Subsalt solves: privacy and security risks have made it too expensive and difficult to access, share, and analyze sensitive private data.

References:

• Ben Winour on LinkedIn
• Subsalt
• Jonathan Mendez and Alex Dean: Data Clean Rooms: Feature, Product or Platform?
• European Data Protection Supervisor: TechSonar report on Synthetic Data (and its use as a Privacy Enhancing Technology)

Monica Meiterman-Rodriguez is a Partner at Tueoris, an international privacy and security consulting firm, currently residing in Barcelona. She utilizes her US law degree and her experience in data protection and privacy to assist global clients in developing, maintaining, or growing their privacy programs. She has experience supporting compliance across global regulations including US state and federal requirements, EU/UK GDPR, PIPEDA, LGPD, etc. in addition to advising on specialized matters in the AdTech space such as targeted advertising, data analytics, AI and growing industry guidance (e.g., IAB, DAA, etc.).

Monica is a member of the New York State Bar, New Jersey State Bar, as well as a Certified Information Privacy Professional (CIPP/US/E) and the Chapter Chair of the IAPP in Barcelona (Spain).

References:

• Monica Meiterman on LinkedIn
• California Consumer Privacy Act
• EDPB Guidelines 01/2022 on data subject rights - Right of access
• GDPR Violation: German Privacy Regulator Fines 1&1 Telecom(BankInfoSecurity)
• Groupon Ireland Operations Limited – March 2024: the DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests.

Simon Hania is Global Data Protection Officer at Uber, heading the team that independently advises on and monitors Ubers compliance with data protection laws. In the past Simon held the position of VP Privacy & Security at TomTom and before that various positions in IT service management. Simon is a trained engineer who has learned to love the law.

References:

• Simon Hania on LinkedIn
• Masters of Privacy Summer Newsroom, covering Uber’s $290 EUR fine in The Netherlands
• Glovo (food delivery) receives a 500k EUR AEPD fine for sending rider location data across borders (started in Italy)
• FTC Finalizes Order with X-Mode and Successor Outlogic Prohibiting it from Sharing or Selling Sensitive Location Data
• Uber Ads

The IAPP’s annual “Privacy. Security. Risk.” event took place in Los Angeles last week. Both Celine Takatsuno and Sergio Maldonado attended, took some notes, and now share their experiences and takeaways. 

References:

• Sergio Maldonado (Medium): PSR 2024 Takeaway (DPAs, Vendor Audits, MHMD Act)
• Mike Hintze: Blog post series on Washington State’s My Health My Data Act
• IAPP: Agenda and speakers at PSR 2024.

Jonathan Mendez has been a founder and leader in Adtech and Martech for two decades, with a focus on building first-party data products to optimize media performance. 

He is the founder and CEO at Neuralift AI, having prior to that been Chief Digital Officer at a major cruise line, and having also spent five years building composable CDPs (Customer Data Platform) for global retail brands and telcos. He was also the Founder and CEO of Yieldbot, which in 2016 was the fourth largest Digital Advertising Network. He was also the CSO at Offermatica, eventually acquired by Omniture, now part of Adobe. 

Jonathan’s blog has been active for 17 years and is a recognized source of insights into AdTech, MarTech or Media.

References:

• Jonathan Mendez (blog): Optimize & Prophesize
• Neuralift AI
• Jonathan Mendez on X
• Jonathan Mendez on LinkedIn
• Tejas Manohar (Hightouch): data activation and composable CDPs in a privacy-first world (Masters of Privacy)
• Nicola Newitt (Infosum): the legal case for Data Clean Rooms (Masters of Privacy)
• Matthias Eigenmann (Decentriq): Confidential Computing, contractual relationships and legal bases for Data Clean Rooms (Masters of Privacy)

What extra steps should data processors and controllers worry about now that every cloud-based tool is somehow AI-powered? 

A basic transparency principle is common across FIPPs, governance frameworks and existing AI regulations (EU, Colorado), but even that can sometimes become a luxury. 

Attorney Heidi Saas (CIPP/US) has over eighteen years of experience in consumer rights, six years in data privacy, and three years of ethical AI and governance experience. Her projects currently involve working with CEOs, CTOs, CISOs, DPOs, and CMOs of companies in various industries on regulatory strategy, privacy program designs, risk management, implementation, and monetization of data assets within their privacy ecosystems. She also works with businesses to provide ethical AI advisory, and pre-audit consulting services, as well as regulatory compliance, legal consulting, and public speaking events.

References:

• Heidi Saas on LinkedIn
• Colorado AI Bill (Consumer Protections in Interactions with Artificial Intelligence)
• Fair Information Practice Principles (FIPPs)
• Twilio Under Investigation for Data Breach of Over 33 Million Authy MFA Users
• Medicaid for millions in U.S. hinges on Deloitte systems plagued by errors

This is our second interview analyzing the impact of Google’s decision not to deprecate third-party cookies on its Chrome browser.

Daniel Jaye is a seasoned technology industry executive and currently is CEO and founder of Aqfer, a Marketing Data Platform on top of which businesses can build their own MarTech and AdTech solutions. 

Daniel has provided strategic, tactical and technology advisory services to a wide range of marketing technology and big data companies. Clients have included Brave Browser, Altiscale, ShareThis, Ghostery, OwnerIQ, Netezza, Akamai, and Tremor Media. He was the founder and CEO of Korrelate, a leading automotive marketing attribution company -purchased by J.D. Power in 2014- as well as the former president of TACODA -bought by AOL in 2007. Daniel was also the founder and CTO of Permissus, an enterprise privacy compliance technology provider. 

All of the above were preceded by his role as founder and CTO of Engage, acting CTO of CMGI and director of High Performance Computing at Fidelity Investments. He also worked at Epsilon and Accenture (formerly Andersen Consulting). 

Daniel Jaye graduated magna cum laude with a BA in Astronomy and Astrophysics and Physics from Harvard University.

References:

• Daniel Jaye on LinkedIn
• Aqfer
• P3P: Platform for Privacy Preferences (W3C)
• Luke Mulks (Brave Browser) on Masters of Privacy
• Adnostic: Privacy Preserving Targeted Advertising (paper by Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum, Solon Barocas)

Earlier this summer, Google announced that its Chrome browser would after all keep third party cookies. This interview with Robin de Wouters is the first of two episodes exploring the consequences of that update from the point of view of our usual stakeholders (DPOs, CMOs, CDOs). 

Robin de Wouters is the Director General for the Federation of European Data & Marketing (FEDMA), in Brussels. He has a strong background in communication and public relations across the private, non-profit and institutional spheres. He previously worked in the field of human rights with Euromed Rights, the ONE Campaign and the United Nations. Robin is also the Vice-Chair of the Board of the European Interactive Digital Advertising Alliance (EDAA) and the Communications Director and Spokesperson for Democrats Abroad Belgium, the international arm of the US Democratic Party.

References:

• Federation of European Data and Marketing (FEDMA)
• Robin de Wouters on LinkedIn
• Sergio Maldonado, Nobody was ready for the Privacy Sandbox, but deprecating cookie banners is long overdue
• Google announces they are not deprecating third-party cookies
• Peter Cradock (Masters of Privacy): Could core advertising components fall under the “strictly necessary” ePrivacy exemption? 
• CNIL publishes study on alternatives to third-party advertising cookies (Freevacy)