Masters of Privacy

We are closing this season with a Spring Newsroom before we officially kick off the summer, summarizing everything that’s happened in the past quarter across our usual five sections: ePrivacy (enforcement, regulatory updates), MarTech/ AdTech, AI/ Competition/ Digital Markets, PETs/ Zero-Party Data, Future of media. 

This includes:

• EDPB’s ChatGPT Task Force report
• EU Digital Wallets
• Privacy Sandbox news
• EU Commission vs. Apple’s App Store
• LLM updates (Llama3, GPT 4o, Gemini, Apple Intelligence)
• Meta AI *not* training on EU user data
• Mozilla’s acquisition of Anonym
• Oracle’s exit from AdTech
• Revolut ads
• Microsoft Copilot+ Recall retreat
• The Trade Desk’s curated list of publishers
• FCC fines to telecom operators for the sale of location data
• Consent or Pay news
• TikTok ban.

A full transcript with links and additional resources can be found on the PrivacyCloud blog. 

John Cavanaugh is a founding member of the Plunk Foundation, a non-profit dedicated to empowering individuals and communities so they have autonomy over their digital identities and protect their sensitive information. John is helping promote digital data privacy for women, children, veterans, and marginalized communities.

Our mission today: exploring a grassroots approach to privacy or data protection.

References:

• Plunk Foundation
• John Cavanaugh on LinkedIn
• Doctor Ruha Benjamin, Race after Technology
• Village of Evendale (Cincinnati)

Adrian Doerk is co-founder of Lissi GmbH and co-coordinator of the IDunion research project. He has extensive experience in the rollout of digital wallets, specializing in the European digital identity wallet (EUDI-Wallet) under the eIDAS 2.0 Regulation. 

Adrian has helped us answer a few important questions on this topic:

• How much of our lives will soon be intermediated through digital wallets or digital identities?
• What is “selective disclosure”?
• What are the privacy risks?
• What are the challenges of decentralization?

References:

• Adrian Doerk on LinkedIn
• eIDAS 2.0 Regulation
• Lissi
• IDunion research project

Does the inclusion of both a private right of action and a general preemption of overlapping state laws (not limited to privacy, but also including AI or confidential information) condemn the APRA to the fire?

Brian Focht is a cybersecurity and data privacy attorney practicing in Charlotte, North Carolina. His legal practice is focused on helping clients ranging from individuals to international corporations, and involves nearly every aspect of law that touches on cybersecurity and data privacy, including identity theft, internal corporate policies and procedures, data breach response and recovery, and litigation. He is a 2003 Graduate of the University of North Carolina at Chapel Hill, a 2007 Graduate of the Wake Forest University School of Law, and a Certified Information Privacy Professional (U.S.) and AI Governance Professional.

In addition to his legal practice, he is the founder and co-host of the Fearless Paranoia podcast, which attempts to make the world of cybersecurity more accessible and understandable to those not in the IT industry. On top of that, Brian maintains the Resilience Cybersecurity and Data Privacy blog, offering tips and suggestions for keeping yourself safe in the increasingly hazardous digital world.

References:

• Law Offices of Brian C. Focht
• Brian Focht on LinkedIn
• Updated text of the American Privacy Rights Act (May 2024) 
• Biometric Information Privacy Act (Illinois)
• My Health My Data: Addressing the collection, sharing, and selling of consumer health data (Washington)
• EU-US Data Privacy Framework
• EFF: Sunsetting Section 230 Will Hurt Internet Users, Not Big Tech 
• Colorado’s new AI Act (Hogan Lovells)
• Vermont Legislature passes data privacy bill that could shape national efforts (Vermont Public)
• Fearless Paranoia (Podcast)

Can Google overcome competition and performance concerns to make the Privacy Sandbox a reality? Does it really matter in terms of privacy compliance, in the face of the EU ePrivacy Directive? How would Universal Opt-Outs affect the Topics API in the US?

Alan Chapell is outside privacy and AI counsel for dozens of AdTech and Mart¿Tech companies. He started his career in the digital space in 1997 at Jupiter Research and is now the principal analyst at The Chapell Report, which is a monthly report focusing on the intersection between privacy, competition, addressability and AI in the digital media space. 

Mr. Chapell is board chair of the Network Advertising Initiative, the premier trade association for 3rd party AdTech marketplace. He is also an accomplished musician. His band, “Chapell”, is about to release their 7th album, “The Underground Music Show”, on all major streaming services.

References:

• Chapell & Associates and The Chapell Report
• UK Competition and Markets Authority update report (April 2024) on Google Chrome’s implementation of the Privacy Sandbox
• Privacy Sandbox (documentation)
• CNIL’s report on the Privacy Sandbox (July 2023) 
• Global Privacy Control (Universal Opt-Out Mechanism) Peter Craddock: Could core advertising components fall under the “strictly necessary” exception in the ePrivacy Directive? (Masters of Privacy)
• Network Advertising Initiative
• Chapell on Spotify

“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024).

Stephen Almond is Executive Director for Regulatory Risk at the UK’s Information Commissioner’s Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum.

Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators’ Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation.

References:

• Technology and Innovation Directorate at the ICO
• ICO: Guidance on AI and data protection 
• ICO: Draft Guidance on Privacy Enhancing Technologies (PETs) 
• Dragos Tudorache: dealing with foundation models, data protection and copyright in the AI Act (Masters of Privacy)

Amy Worley is Managing Director at BRG, a global leader in data protection, information security, and AI governance. A licensed attorney, certified privacy professional, and certified information systems security professional, Amy formerly served as the Chief Privacy Officer for a billion-dollar pharmaceutical and medical device company and now serves as a fractional Data Protection Officer for several multinational companies. 

Amy’s consulting practice is focused on helping clients implement sustainable programs that result in meaningful compliance with state, national, and regional laws and build corporate trust. She is passionate about the intersection of data, people, and power.

References:

• Amy Worley on LinkedIn
• BRG: Privacy and Data Protection services
• Draft: American Privacy Rights Act 2024
• Dragos Tudorache: Dealing with foundation models, data protection, and copyright in the EU AI Act (Masters of Privacy)
• EDPB Guidelines 8/2020 on the targeting of social media users

Luke Mulks is VP of Business Operations at Brave Software, makers of the Brave browser. He has previously worked in AdTech and print publishing, and he has also founded a few businesses. He is in charge of new business initiatives and strategic revenue growth and oversees the BAT community. 

Our wide-range conversation has encompassed new business models for media owners, privacy-preserving ads, putting a price on personal data, the manner in which Apple’s bottleneck asphyxiates bolder or more creative approaches to monetizing people’s attention, and Google’s Privacy Sandbox.

References:

• Basic Attention Token
• Brave Ads Manager
• Brave: Blocking annoying and privacy-harming cookie consent banners
• Brave: Privacy And Competition Concerns with Google’s Privacy Sandbox
• How we tried to fix advertising, ecommerce, and media by putting people in control of their data — from WeRule to PrivacyCloud

What is Homomorphic Encryption? Can it be leveraged in the context of cross-vertical challenges?

Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security startup protecting Data in Use. She has more than a decade of experience spearheading avant-garde efforts in the areas of large scale analytics, information security and privacy, computer network exploitation, and network modeling at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory. In addition to her leadership experience, she is accomplished in the fields of distributed computing and algorithms, cryptographic applications, graph theory, combinatorics, machine learning, and data mining and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).

References:

• Dr. Ellison Anne Williams (full profile), Enveil
• Enveil Drives Data Value Across Silos with Enhanced Encrypted Search Offering
• ICO Guidance on Privacy Enhancing Technologies
• Matthias Eigenmann: Confidential Computing, contractual relationships, and legal bases for Data Clean Rooms (Masters of Privacy)
• Damien Desfontaines: Differential Privacy in Data Clean Rooms (Masters of Privacy)

Is there a sweet spot between privacy compliance and marketing outcomes? What is “progressive consent”?

Radha Gohil is a Data Governance and Privacy leader at Shell. She works on AdTech and MarTech data flows, as well as digital and programmatic supply chains, applying privacy compliance requirements to marketing-related practices. This includes consent management and, in general, acting as a bridge between Marketing, IT, CDO and legal. On top of that, Radha chairs the Digital Governance Steering Group at the ISBA (Incorporated Society of British Advertisers). She has previously worked at PwC and The Telegraph.

With Radha we have covered the manner in which marketing teams navigate privacy compliance or even leverage a privacy-first approach as a competitive advantage. This includes dealing with transparency requirements or the difficult trade-offs involved in gathering proper consent when required to do so. 

References:

• Radha Gohil on LinkedIn
• Incorporated Society of British Advertisers
• ICO: Upcoming action on making advertising cookies compliant