What is the best way to address privacy risks in the context of connected cars? Is data minimization compatible with assisted driving? What is the meaning of “Core Vehicle Data”?

Mark Jaffe leads the Rivian ethics, compliance and privacy program. This includes ethical culture, compliance oversight, privacy, and investigations. 

Prior to joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries, spending almost two years in Singapore managing privacy issues in the Asia Pacific region. He has also dealt with data protection compliance in Europe, Middle East, and Africa.  Prior to that, Mark spent 17 years at AT&T in global privacy roles as well as global compliance and ethics roles.

Our guest is a frequent speaker on a variety of topics related to privacy compliance and data ethics. Mark earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University. 

References:

• Mark Jaffe on LinkedIn
• Rivian’s Privacy Hub
• FTC bans General Motors from selling driving data without permission, adding to case for CarPlay 2 (9to5Mac, January 2025)
• 800,000 EV drivers’ data exposed in Volkswagen breach (The Register, January 2025)
• Privacy Not Included, a Mozilla Report about connected cars and privacy (“It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy”, September 2023)
• Investigation by Netherlands' DPA prompts changes to Tesla security cameras (IAPP, 2023)
• Tesla workers shared sensitive images recorded by customer cars (Reuters, 2022)
• Privacy4Cars

An update was due at the intersection of MarTech/AdTech and the My Health My Data Act, with a Washington Consumer Protection Act case against Costco paving the way for the recent class action lawsuit involving the Amazon Ads SDK. Also, the date is approaching for compliance with restrictions on international transfers of US personal data.

Mike Hintze is a well-known leader in the field with more than 20 years of experience in privacy and data protection. He has been a partner at Hintze Law since 2016 and prior to that was Chief Privacy Counsel at Microsoft for 18 years. He also teaches privacy law at the University of Washington school of law and has served on multiple advisory boards. He has also testified before Congress, state legislatures or European regulators. 

References:

• Mike Hintze on LinkedIn
• The Washington My Health My Data Act - Parts 1 to 10 (Hintze Law)
• New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows
• AI governance, MHMD, and third-party risks at PSR 2024 (Masters of Privacy)
• Written summary: P.S.R. Los Angeles 2024: Vendor Audits; My Health, My Data
• Amazon Sued in First 'My Health, My Data' Privacy Dispute.

As of today, February 16th, Google’s platform policies allow the collection, sharing and usage of IP addresses and other signals across websites, apps, gaming consoles or Connected TV. This has been perceived as a direct contradiction of the company’s long-term anti-fingerprinting policy. The company is expecting that a growing reliance on Privacy Enhancing Technologies will do away with the resulting privacy risks. 

Daniel B. Rosenzweig is the Founder & Principal Attorney at DBR Data Privacy Solutions. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels companies on industry mobile app store requirements, AdTech, and privacy-enhancing technologies (PETs).

Daniel’s legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients the usual legal services.

References:

• Daniel B. Rosenzweig on LinkedIn
• DBR Data Privacy Solutions
• Google: Overview of the Platforms programs policies update (February 2025)
• ICO: Our response to Google’s policy change on fingerprinting
• AdExchanger: Does Google’s U-Turn On Fingerprinting ‘Open New Opportunities’ Or Is It ‘Irresponsible’?
• Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing (Masters of Privacy)
• Sergio Maldonado on PETs and AdTech: Some takeaways from PEPR’24 (USENIX Conference on Privacy Engineering Practice and Respect 2024) 

This was a really eventful week for AI regulation, with the first rules of the AI Act starting to apply on Sunday, February 2nd and the EU Commission releasing Guidelines on Tuesday (prohibited practices) and Thursday (scope of AI systems). To cap it all, a first-ever class action under the new framework (alongside the GDPR and the Digital Services Act) was filed on Wednesday against X-Twitter and TikTok. 

The following conversation with Markus Wünschelbaum, with a particular focus on digital advertising and AdTech, preceded and rightly anticipated these developments. 

Dr. Markus Wünschelbaum currently serves as Policy and Data Strategy Advisor to Hamburg’s Data Protection Commissioner Thomas Fuchs. In this role, he advises on key data protection & AI policies and strategic initiatives. Previously, he was responsible for imposing fines, fundamental GDPR issues, and freedom of information. He began his career focusing on the intersection of labor law and data protection, having published an acclaimed doctoral thesis on this topic and working at an international law firm.

References:

• Dr. Markus Wünschelbaum on LinkedIn
• Hamburg’s Data Protection Commissioner (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit)
• Guidelines on prohibited artificial intelligence (AI) practices, as defined by the AI Act (EU Commission)
• Guidelines on AI system definition to facilitate the first AI Act’s rules application (EU Commission)
• Class Actions Filed Against TikTok and X in Germany: A Test for the DSA, GDPR, and AI Act (Spirit Legal - Peter Hense)
• Peter Hense (Spirit Legal) on Masters of Privacy
• Luca Bertuzzi (Euractiv)

Alex Dittel leads KHQ’s Data Privacy, Cyber and Digital legal practice. He brings over 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia. As a passionate GDPR-native data privacy lawyer, he advises on Australian as well as international data privacy matters. He holds CIPP/A, CIPP/E and CIPP/US certifications from the IAPP.

References:

• Alexander Dittel on LinkedIn
• KHQ: Data Privacy, Cyber and Digital
• Alex Dittel: OAIC’s decision a warning re use of facial recognition technology
• First Tranche of Australia’s Privacy Law reforms explained (Association of Corporate Counsel)

What should we celebrate on January 28th? What is the difference between Privacy and Data Protection? What about Data Privacy? Will Data Protection (or Data Privacy) evolve to encompass many of the things we now discuss in the context of AI regulation? We have asked Carissa Véliz (Oxford University), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Markus Wünschelbaum (Advisor, Hamburg Data Protection Authority), Brendan Quinn, and Tim Turner. 

What do you think? Feel free to participate in the conversation by finding this episode’s post on:

• Our Spotify feed: https://open.spotify.com/show/6M2DpgfTPaGCHm31rKstBr 
• Our LinkedIn channel: https://www.linkedin.com/company/masters-of-privacy/
• Our YouTube channel: https://www.youtube.com/@MastersofPrivacy 

References:

• Council of Europe: Data Protection Day
• US Government: Data Privacy Day

This special mountain retreat will bring together a unique combination of backgrounds and nationalities. NextAI is an initiative of Alberto Lopez Valenzuela and we have asked him to share more details. 

Alberto Lopez Valenzuela is an entrepreneur with over 25 years of experience in the decision intelligence sector, mainly in the UK and the US. He founded alva in 2009, a London-based AI analytics firm that ended up working with hundreds of blue-chip clients, expanding to New York and establishing the company as an industry leader. In 2021 alva was acquired by US private equity firm Falfurrias Capital Partners and this, together with the incorporation of other companies, resulted in the creation of Penta. Alberto was the Managing Director of its AI division until 2023. 

In 2024, he founded Ordino Partners, incubating and investing in AI tech startups with a meaningful social impact. As an author, Alberto published The Connecting Leader in 2018. 

Masters of Privacy is a NextAI partner and Sergio Maldonado (your host) will be attending the event.

References:

• NextAI (use this voucher code for an additional 15% discount: PRINXT25)
• Alberto Lopez Valenzuela on LinkedIn
• Ordino Partners
• Andorra: ski resorts, restaurants and destinations

What is the future of Customer Data Platforms in the context of recent acquisitions, the modularization of their offerings, and the privacy compliance challenges of first party data activation? 

Matthew Niederberger is a seasoned Martech consultant with years of experience helping global organizations unlock the full potential of their marketing technology investments. As the founder of MarTech Therapy, his mission is to guide companies in optimizing their Martech stacks to drive better customer experiences and business outcomes. 

With a deep understanding of Customer Data Platforms and a passion for bridging technology with strategy, Matthew brings both technical expertise and creative insights to the table. Beyond consulting, he shares his knowledge through his podcast and short-form videos, making complex topics accessible and engaging.

References:

• Martech Therapy
• Matthew Niederberger on LinkedIn
• Jonathan Mendez: making the most of first-party data in the age of AI (Masters of Privacy)
• Tejas Manohar (Hightouch): data activation and composable CDPs in a privacy-first world (Masters of Privacy)
• IBM sued again in storm over Weather Channel data sharing (The Register)
• NBC, Peacock SDKs Let 3rd Parties Secretly Collect Users' Viewing History: Class Action
• Twilio’s Software Development Kit, Segment, Embedded in Various Mobile Applications May Constitute a Violation Under CIPA 
• [ES] Paco Roldán: the CDP before the law, the logic, and the future (Masters of Privacy) 

Can we introduce greater individual agency in the management of identity? Will that lead to better controls over personal data and less privacy risks? What is the problem with LinkedIn? Are we turning a page in the evolution and potential mass adoption of cryptographic solutions? How can we avoid storing personal information on the blockchain?

Dan has spent his career building products from 0-1 at the intersection of predictive analytics, AI/ML, and privacy.  He most notably served as a Group Product Manager at Google, where he built Google’s most sophisticated personalized marketing and cross-identity measurement products, Google Analytics and Google Signals, respectively. Prior to co-founding Icebreaker, he served as a Group Product Manager at Coinbase, where he led Consumer Trading, earning a patent for AI-assisted multi-chain intent orchestration.  He holds a BS in Management Science from the Massachusetts Institute of Technology.

References:

• Dan Stone on Icebreaker 
• Icebreaker: an open, decentralized professional networking platform
• Jamie Smith: AI Agents, digital identity, wallets and personal data (Masters of Privacy)
• Adrian Doerk: digital identity, digital wallets, and data protection (Masters of Privacy)
• Joana Mota: privacy compliance in a web3 world (Masters of Privacy)
• Gam Dias: On privacy, agency, convenience, and freedom (Masters of Privacy)
• Project VRM (Berkman Klein Center, Harvard University)
• Doc Searls, The Intention Economy

Carey Lening, JD, CDPP writes, speaks, and consults on data protection, law, technology, and fractal complexity in systems. Currently based in Ireland, Carey has over 20 years of experience in thinking about hard problems and helping people arrive at practical solutions.

Besides providing data protection compliance support to select clients, Carey runs Privacat Insights, a newsletter that offers a paid tier with exclusive content, members-only Q&A, a slack channel and a yearly meetup.

References:

• Privacat Insights
• 18,000 words. Four Questions. Much Delegation. Little Guidance
• EDPB opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models
• Privacy Disasters: Microsoft, Just Because You Can (Recall)
• Privacy Disasters: AI Spy-Wearables, and the Scourge of Competing Friendants
• An early adopter's thoughts on Rewind.ai's $350m pivot
• Privacy Disasters: FaceHuggers Are Eating Your Skeets
• Carey Lening on LinkedIn
• Carey Lening on Bluesky
• (Jeffrey Pfeffer) Power: Why Some People Have it and Others Don't