In this episode, the team unpacks Microsoft's recent statement that it will stay committed to Europe, and its stance against restrictions on services for European customers. They explore what has actually changed since Schrems II and what kind of difference sovereign cloud services in Europe could make. The conversation spans how this plays out across different countries, the potential for more open-source or European alternatives, and what it could mean for the IT job market. They also discuss whether there is something organizations can do to prepare.
We are back with a catch-up episode, and there is a bit of everything: TikTok banned, the Privacy Sandbox stuck in the kitchen, our take on "Consent or Pay", Meta AI vs. Google, Worldcoin frozen, Sora under investigation, Teams/Office under scrutiny, Avast selling data, a fine for Glovo, a federal data protection bill in the US... and much more. All of it is in the post, and almost all of it is discussed in the usual sections. With Cris Moro and Sergio Maldonado.

ePrivacy and regulatory framework

Fines and sanctions

The AEPD ordered Worldcoin to stop collecting biometric data for identification purposes within 72 hours, using the urgency procedure that the GDPR allows in order to bypass the "one-stop shop". Worldcoin is based in Germany and had prepared the ground with the Bavarian data protection authority, yet it still chose Spain and Portugal as its testing ground. The project has caused considerable public alarm, apparently collecting highly sensitive data about children and teenagers without a defined purpose ("distinguishing humans from robots") and linking profiles to a mobile application that provides access to cryptocurrency or future services.

At the request of the Garante (the Italian DPA), the AEPD fined Glovo 550,000 euros for failing to observe the most basic principles in the processing of its couriers' data. The authority found a lack of transparency (in the information provided at initial sign-up), a lack of privacy by design, the use of automated decisions through a ranking/scoring system that determines the assignment of each order, and transfers to third parties outside the countries in which it operates.

After a $16.5 million fine from the FTC in the United States, the Czech data protection authority has imposed a new penalty of roughly 15 million euros on the antivirus vendor Avast for selling its customers' browsing data on the advertising market, highlighting its false claims about how the data was anonymised and about its purely statistical use.

The California Attorney General announced a settlement with DoorDash (home delivery) after finding a violation of the CCPA and CalOPPA through the platform's participation in a data-sharing cooperative ("second-party data"), which amounts to a sale of personal data in the sense of the CCPA itself (and thus requires an opt-in).

The AEPD fined both La Vanguardia and NH Hoteles 10,000 euros for cookie violations. The newspaper was sanctioned for not providing clear and complete information on its use of cookies, while the hotel chain was fined for setting non-exempt first- and third-party cookies without consent and for not allowing cookies to be rejected or managed granularly. The latter was granted a 20% reduction because it was in the process of updating these aspects of its website.

Last month the Garante, the Italian DPA, announced that it was investigating Sora (text-to-video) and requested information about its training sources (a video has circulated in which an OpenAI executive admitted to using the entire YouTube catalogue) and about the use of personal data in that process. It has asked for categories of personal data, sources and legal bases.

Also in March, the EDPS asked the European Commission to stop using Microsoft 365 (essentially Office, Teams and the rest of Microsoft's productivity suite) for not having properly analysed the contractual framework that allows the company to process data in the United States. The EDPS explained that the European Commission had not provided adequate measures to ensure that personal data transferred outside the European Union enjoys an equivalent level of protection (post Schrems II). Nor had it detailed what types of data were shared with Microsoft and its affiliated companies. The EDPS ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 as of 9 December.

The EDPB finally published its opinion on "consent or pay" on 17 April, following the question raised by several authorities in the context of the choice offered by Instagram and Facebook (Meta), analogous to the one recently rolled out by the large media outlets. We have debated the matter at length in several interviews on this podcast's English-language channel.

Legislative developments

Following a bill proposed in the US Congress to ban TikTok in the country, and when it seemed that it would not pass the Senate, the initiative ended up being voted on and approved together with the aid package for Ukraine and Israel, signed by Joe Biden on 24 April and resulting in a forced sale (or a ban) within nine months, extendable to twelve. Before that, on 25 March, the Governor of Florida (Ron DeSantis) signed House Bill 3 ("HB3"), which joins a heated debate by prohibiting under-14s from opening an account on Instagram, Snapchat or other social media and requiring parental consent for under-16s. The law also requires that existing accounts belonging to minors be deleted.

On 7 April a historic federal privacy bill was introduced in the United States. The American Privacy Rights Act establishes clear, nationwide data protection rights for Americans, replacing the current patchwork of state laws and creating a private right of action for individuals.

MarTech and AdTech

In the Data Clean Room (DCR) market, widely covered here, LiveRamp bought Habu, and Snowflake had previously bought Samooha. We recently interviewed Matthias Eigenmann, DPO of Decentriq, a solution built on Confidential Computing. We also spoke with Damien Desfontaines of Tumult Labs about differential privacy applied to DCRs in the use case of analysing the combined data of two controllers.

In parallel, the concept of Reverse ETL (Extract, Transform, Load) keeps gaining ground, now rebranded as the modular Customer Data Platform: the new generation of data warehouses allows data activation features to be built on top of them instead of requiring a complete, independent (or redundant) repository, as has been the case with Customer Data Platforms for roughly the last seven years. Here we interviewed Tejas Manohar, CEO of Hightouch, a leading company in this technology.

This very week Google announced that it is once again delaying the end of third-party cookies, as it has not had time to introduce the measures required by the UK's Competition and Markets Authority. The Privacy Sandbox team continues to work with the community to fix some rather poor aspects of results measurement and ad optimisation under the new standards.

AI, competition and digital markets

In mid-February OpenAI introduced a "memory" feature in ChatGPT, raising concerns about the protection of its users' data despite the various individual controls provided to delete that memory. Shortly afterwards the same company launched a text-to-video tool called Sora. To counter the increased risk of copyright infringement, disinformation and deepfakes, OpenAI announced that it had incorporated the Coalition for Content Provenance and Authenticity (C2PA) standard, which many experts considered insufficient.

Meta has released its new general-purpose generative AI model, Llama 3, capable of competing with the latest generation of alternatives from OpenAI, Google, Anthropic or Mistral. As a major novelty, the company has integrated its own agent, "Meta AI", into all of its platforms, starting with several English-speaking countries. Analysts are beginning to speculate that the company's recent drop in the stock market, caused by the exponential increase in its AI investment (including its own hardware), could pay off in the long run if it manages to displace Google itself as the place to get direct answers from everyday applications such as WhatsApp.

PETs and Zero-Party Data

Signal has introduced usernames in its messaging service, making it possible to hide phone numbers in the popular alternative to WhatsApp and Telegram. The most recent alternative to X/Twitter, Bluesky, has dropped its invitation requirement, reporting exponential growth in user numbers and announcing a modular system for managing feeds and content filters.

Future of media

Just as it had already done with Axel Springer in Germany, OpenAI has signed agreements with El País and Le Monde to provide access to news in Spanish and French through ChatGPT. OpenAI has committed to providing summaries, source attribution and links to the original sources, and we assume it will also be able to use their historical archives for training purposes in Spanish and French.
Are privacy professionals truly equipped to handle the coming AI revolution? Jamal Ahmed interviews renowned privacy professional and attorney Christopher Schmidt on the opportunities and threats posed by emerging technologies like generative AI. They discuss:
- Pragmatic ways to apply core privacy principles to AI systems
- Why you shouldn't overreact to AI hype
- The complex state of international data transfers
- A bonus segment where Christopher addresses listener queries about IAPP exams and how to set yourself up for success as a world-class privacy professional

This episode is a must-listen for any privacy pro looking to stay ahead of the curve.

Christopher Schmidt (FIP, CIPP/E, CIPM, CIPT, CDPO/FR) is a German Magister of Law and Attorney-at-Law (Rechtsanwalt) experienced in European data protection and IT law. He previously served as an Advisory Board Member and Chair of the IAPP's CIPP/E Exam Development Board and has been selected as an expert on data protection matters by the Council of Europe. Christopher has worked at the International and European Affairs Department of the Hessian Data Protection Commissioner and with renowned global law firms, focusing on cybersecurity and data protection matters across all sectors. Among the clients he has advised are leading technology and software providers, financial institutions and blockchain businesses, and global pharmaceutical and tourism companies. As a freelancer, Christopher runs advanced courses and workshops for law students as well as for lawyers and data protection officers on current European data protection matters in German, English, French and Italian. In 2020, he launched the European Essential Guarantees Guide [www.essentialguarantees.com] to help data exporters conduct global transfer impact assessments in a post-Schrems II world.
Dr. Laura Drechsler, a researcher at KU Leuven who addresses the issue of rights in international data transfers in her analyses, talks about international data transfers, presented as a game changer for big tech companies. The episode is hosted by Dr. Joanna Mazur, a DELab UW analyst and assistant professor at the UW Faculty of Management. Topics of the podcast include:
- the definition of international data transfers,
- ways of solving the difficulty of having to distinguish between personal and non-personal data,
- the economic and social importance of solutions,
- challenges faced by service users,
- the grounds for lawful data transfers,
- the Schrems I and Schrems II cases,
- evaluation of current solutions.
Berta is Senior Privacy Counsel in General Electric's Corporate Privacy Office, responsible for GDPR implementation in the EU and the United Kingdom. Berta is also in charge of promoting and enforcing the standards set out in General Electric's Binding Corporate Rules, as well as defining a global privacy governance scheme and operationalising data protection legal requirements across different countries. With Berta we have discussed Binding Corporate Rules: what they are, how they are approved and how they are maintained. We also touch on other topics, such as the sometimes blurry dividing line between controllers, processors, joint controllers and independent controllers.

References:
- Berta Balanzategui on LinkedIn
- EDPB Guidelines on Binding Corporate Rules for controllers and processors [EN]
- Jetty, Tielemans, a first look at the impact of Schrems II on BCRs
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording:

GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram and WhatsApp was also ordered to cease all data transfers to the US. It was made clear that there is no way to rely either on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or on any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects the vast majority of businesses operating in the European Union.

LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018.

The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and a Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating either of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: whereas the SSO will only result in a transfer of limited information from Meta to the website (i.e. in the opposite direction), the Facebook pixel collects entirely new hits or "events" for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios).

TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its CEO, Shou Zi Chew, testified before Congress, the US Federal Government, as well as many others throughout Europe, forbade their own personnel from using the app on official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden from Montana-based individuals by January 1st 2024.

The EU Commission announced that it would stress-test Twitter's ability to respond to disinformation in line with the upcoming Digital Services Act, to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct.

Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France's CNIL issued an ePrivacy fine to scooter company Cityscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geolocation data).
For its part, the Finnish DPA (Data Protection Ombudsman) ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-Schrems II scenario. Google Analytics was also covered by this decision for the same reasons, and the Institute ended up removing both tools from its website as well as being asked to delete all of the historical data collected.

CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users had selected the Reject All option in the website's consent banner.

FTC enforcement actions involving the use of website/app user data for digital marketing purposes (healthcare, children): GoodRx, BetterHelp, Edmodo, Premom.

The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally and now open sourced) and the evolution of acceptance rates and third-party cookie numbers over time. Other than a reminder of the 421 million EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions:
- 68% of French internet users consider that the information provided by the advertising ecosystem is insufficient or non-existent.
- 39% are now rejecting all cookies, with 49% actively managing their consent preferences (analytics-related cookies are normally favored).
- The share of sites serving more than 6 third-party cookies dropped to 12% from 24%, with 29% of all websites not serving any third-party cookies at all (vs. 20%).

The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purpose and feature descriptions with more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023. Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms, introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode's "ghost call" is still considered in breach of ePrivacy unless consent is specifically requested).
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies:

Spain's AEPD issued a decision on the use of Google Analytics by the Royal Spanish Academy ("RAE"), becoming the first EU data protection agency to see the glass half full in the use of the widespread digital data collection service (which has been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling, and in this regard it was aligned with the CNIL's long-standing guidelines for the valid use of the tool.

At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NIS2 Directive (v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to "essential sectors" (such as energy, banking, health or digital infrastructure).

Across the Channel, the UK's data protection authority (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either that tool or the guidelines provided by the European Data Protection Board will be considered valid.

Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope of agreeing on a common approach in the face of multiple NOYB complaints across the EU) and on the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the "Reject All" button in a second layer, which most notably leaves Spain's AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on the second layer; b) reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies. The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and leaving many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale.

All of which easily leads us to the latest update on the EU-US Data Privacy Framework: the EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the Data Protection Review Court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it, with the hope of issuing an adequacy decision by July 2023.
This would do away with all the headaches derived from the Schrems II CJEU decision (including growing pressure to store personal data in EU-based data centers), were it not for the general impression that a Schrems III challenge looms on the horizon.

In the United States, long-awaited new privacy rules in California (CPRA) and Virginia (CDPA) entered into force on January 1st. Although both provide a set of rights in terms of ensuring individual control over personal data being collected across the Internet (opt-out, access, deletion, correction, portability...), California's creates a private right of action that could pave the way for a new avalanche of privacy-related lawsuits. In any case, only companies meeting a minimum threshold in terms of revenue or the number of consumers affected by their data collection practices (both of them varying across the two states) will have to comply with the new rules.

Lastly, Privacy by Design will become ISO standard 31700 on February 8th, finally introducing an auditable process to conform to the seven principles originally laid out by Ann Cavoukian as Ontario (Canada)'s former Information and Privacy Commissioner.

Enforcement updates

It's been interesting to see how continental data protection agencies ("DPAs") keep milking the cow of the ePrivacy Directive's lack of a one-stop-shop for US- or China-based Big Tech giants. The long-awaited ePrivacy Regulation never arrived to keep this framework in sync with the GDPR (which does have a one-stop-shop), and this leaves an opening for any DPA to avoid referring large enforcement cases involving such players to the Irish Data Protection Commission ("DPC") whenever cookie consent is involved. This criterion has been further strengthened by the recent conclusions of the EDPB cookie banner task force.

Microsoft was the latest major victim of this particular gap (following Meta and Google), receiving a 60 million euro fine from France's DPA (CNIL), which shortly after honored TikTok with a 5m euro fine (once again, due to the absence of a "Reject All" button on its first layer, or "not being as easy to reject cookies as it is to accept them") and, not having had enough, went on to give Apple an 8m euro fine for collecting unique device identifiers of visitors to its App Store without prior consent or notice in order to serve its own ads (which is akin to a cookie or local storage mechanism when it comes to article 5.3 of the ePrivacy Directive).

The CNIL ePrivacy-related enforcement spree did not stop short at Big Tech. Voodoo, a leader in hyper-casual mobile games, was also a target, receiving a 3 million euro fine for lack of proper consent when serving an IDFV (the "identifier for vendors", which Apple does allow app publishers to use when the IDFA or cross-app identifiers have been declined via the App Tracking Transparency prompt).

Putting the ePrivacy Directive aside, and well into pure GDPR territory, Discord received an 800k euro fine (again, at the hands of CNIL) on the basis of: a) a failure to properly determine and enforce a concrete data retention period; b) a failure to consider Privacy by Design requirements in the development of its products; c) accepting very low security levels for user-created passwords; and d) failing to carry out a Data Protection Impact Assessment (given the volume of data it processed and the fact that the tool has become popular among minors).

And yet, one particular piece of news outshone almost everything else in this category: Ireland's DPC imposed a 390 million euro fine on Meta, following considerable pressure from the EDPB, for relying on the contractual legal basis in order to serve personalized advertising on Facebook and Instagram, itself the core business model of both social networks.
We had a debate on the matter with Tim Walters (English) and Alonso Hurtado (Spanish) on Masters of Privacy, and published an opinion piece on our blog.

This last affair is a good segue into Twitter's latest troubles. Its new owner, Elon Musk, not content with having fired key senior executives in charge of EU privacy compliance (including its Chief Privacy Officer and DPO), has suggested that he will oblige its non-paying users to consent to personalized advertising. The Irish DPC (once again in charge of its supervision under the one-stop-shop rule) asked Twitter for a meeting in the hope of drawing a few red lines.

Meanwhile, the Spanish AEPD, still breaking all records in terms of monthly fines, sanctioned UPS (70,000 euros) for handing a MediaMarkt (consumer electronics) delivery to a neighbor, thus breaching confidentiality duties. This will have a serious impact on the regular practices of courier services in the country.

Back in the United States, Epic Games and the FTC agreed to a $520m settlement for directly targeting children under the age of 13 with its Fortnite game (a default setting that allows them to engage in voice and text communications with strangers made it worse), as well as for using "dark patterns" in in-game purchases. Separately, in what we believe is the first case of its kind, even in the EU (with the CJEU Fashion ID case possibly being the closest we have been to it), BetterHelp has received a $7.8m FTC fine for using the Facebook Lookalike Audiences feature (and alternative offerings in the programmatic advertising space, including those of Criteo, Snapchat or Pinterest) to find potential customers on the basis of their similarity with the online mental health service's current user base. This involved sensitive data and follows repeated disclaimers by BetterHelp that data would in no case be shared with third parties.

On the private lawsuits front (especially important in the US), Meta agreed to pay $725m after a class action was brought in California against Facebook on the back of the ever-present Cambridge Analytica scandal. Also, the Illinois Biometric Information Privacy Act (BIPA) kept putting money into the pockets of claimants and class action lawyers, in this case forcing Whole Foods (an upscale organic food supermarket chain owned by Amazon) to settle for $300,000. We have previously covered cases against TikTok, Facebook or Snapchat, although here it was the monitoring of its own employees (rather than its customers) via "voiceprints" that triggered this particular lawsuit.

Legitimate Interest strikes back

To finish with this section, very recent developments justify turning our eyes back to the UK and the EU, as there is growing momentum for the acceptance of legitimate interest as a legal basis for purely commercial or direct marketing purposes: while the CJEU decides on a question posed by a Dutch court in January, in a case in which the DPA issued a fine to a tennis association for relying on legitimate interest to share member details with its sponsors (who then sent commercial offers to them), a UK court (First-Tier Tribunal) has ruled against the ICO (UK DPA) and in favor of Experian (a well-known data broker) for collecting data about 5.3m people from publicly available sources, including the electoral register, to build customer profiles and subsequently sell them to advertisers. Experian relied on legitimate interest and found it too burdensome to properly inform every single individual (this being the ICO's main point of contention). The decision does appear to indicate that using legitimate interest would not be possible if the original data collection had been based on consent, but even this is not entirely clear.

So, just to make it even more clear and simple, the UK Government presented a new draft UK Data Protection Bill on March 8th that includes a pre-built shortcut to using legitimate interest without need for the so-called three-part test (purpose, necessity, balancing). Data controllers can now go ahead with this legal basis if they find their purpose in a non-exhaustive list provided, which includes direct marketing.

Competition and Digital Markets

Google was sued by the Department of Justice for anti-competitive behavior in its dominance of the AdTech stack across the open market (the ads that are shown across the web and beyond its own "walled gardens"), using its dominance of the publisher ad server market (supply side) to further strengthen its stranglehold on the demand side (advertisers, many of them already glued to its Google Ads or DV360 platforms in order to invest in search keywords or YouTube inventory) and, worse, artificially manipulating its own ad exchange to favor publishers at the expense of advertisers, thereby reinforcing the flywheel, as digital media publishers found themselves with even fewer incentives to work with competing ad servers.

Zero-Party Data and Future of Media

(The piece of news below obliges us to combine both categories this season.) The BBC has rolled out its own version of Solid pods to allow its customers to leverage their own data (exported from Netflix, Spotify and the BBC) in order to obtain relevant recommendations while staying in full control of such data. Perhaps a small step towards individual agency, but a giant one for a digital media ecosystem mostly butchered by the untenable notice-and-consent approach derived from the current legal framework, which takes us back full circle to Elizabeth Renieris' new book.
Today, I welcome Gary LaFever, co-CEO & GC at Anonos; WEF Global Innovator; and a solutions-oriented futurist with a computer science and legal background. Gary has over 35 years of technical, legal and policy experience that enables him to approach issues from multiple perspectives. I last saw Gary when we shared the stage at a RegTech conference in London six years ago, and it was a pleasure to speak with him again to discuss how the Schrems II decision coupled with the increasing prevalence of data breaches and ransomware attacks have shifted privacy left from optional to mandatory, necessitating a "privacy left trust" approach.

Thank you to our sponsor, Privado, the developer-friendly privacy platform.

Gary describes the 7 Universal Data Use Cases with relatable examples and how they are applicable across orgs and industries, regardless of jurisdiction. We then dive into what Gary is seeing in the market in regard to the use cases. He then reveals the 3 Main Data Use Obstacles to accomplishing these use cases and how to overcome them with "statutory pseudonymization" and "synthetic data." In this conversation that evaluates how we can do business in a de-risked environment, we discuss why you can't approach privacy with just words (contracts, policies, and treaties); why it's essential to protect data in use; and how you can embed technical controls that move with data for protection that meets regulatory thresholds while "in use" to unlock additional data use cases.
I.e., these effective controls equate to competitive advantage.

Topics Covered:
- Why trust must be updated to be technologically enforced: "privacy left trust"
- The increasing prevalence of data breaches and ransomware attacks and how they have shifted privacy left from optional to mandatory
- 7 Data Use Cases, 3 Data Use Obstacles, and deployable technologies to unlock new data use cases
- How the market is adopting technology for the 7 use cases and trends that Gary is seeing
- What it means to "de-risk" data
- Beneficial uses of "variant twins" technology
- Building privacy in by design, so it increases revenue generation
- "Statutory pseudonymization" and how it will help you reduce data privacy risks while increasing utility and value

Resources Mentioned:
- Learn about Anonos
- Read: "Technical Controls that Protect Data When in Use and Prevent Misuse"

Guest Info:
- Follow Gary on LinkedIn
- Follow Gary on Twitter

Privado.ai: Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.
Shifting Privacy Left Media: Where privacy engineers gather, share, & learn.
Copyright © 2022 - 2024 Principled LLC. All rights reserved.
Giulio Coraggio, partner at the law firm DLA Piper, outlines DLA Piper's methodology and legal tech tool named "Transfer" to perform the data transfer impact assessments in line with the principles of the Schrems II case. You can see a presentation on the topic here and read an article on the methodology "Do you have a data transfer impact assessment methodology based on the Schrems II decision?".
ePrivacy and regulatory framework

We have had a winter full of regulatory initiatives and highly relevant fines. Let's take it in parts, starting with the regulatory framework and continuing with fines and private lawsuits.

Regulatory updates

In the EU, the Artificial Intelligence Regulation (which we have covered this quarter in a couple of Masters of Privacy interviews) took an important step in the Council with its adoption of a final position. This matters these days because the new legal framework now distinguishes between the measures that different companies must adopt along the chain of use of, for example, an OpenAI (behind the omnipresent ChatGPT) or a Stability AI. At the same time, in November the new common rules on cybersecurity saw the light of day with the approval of the NIS2 Directive (an improved version of the Network and Information Security Directive). The updated framework covers incident response, supply chain security and encryption, among other things. For its part, the Spanish Data Protection Agency (AEPD) issued a decision on the use of Google Analytics by the Real Academia de la Lengua Española (“RAE”), becoming the first EU supervisory authority to see the glass half full regarding the use of the widespread digital analytics service (which had been considered high risk in Denmark, Italy, France, the Netherlands and Austria). It should be noted that the RAE only used the most basic version of the tool, with no advertising campaign measurement integrations or profiling of individual users, and in that sense in line with the guidelines of the French supervisory authority (CNIL) for valid use of the tool.
Already in the new year, the European Data Protection Board (EDPB) published its deliberations in two important reports: on valid consent in the context of cookie banners (hoping to agree on a common approach to the multiple complaints filed by Max Schrems/NOYB across the EU), and on the use of cloud-based services by the public sector. The first concluded that the vast majority of supervisory authorities do not accept hiding the "Reject all" button in a second layer, which seems to leave the AEPD isolated in its position. There was, however, unanimity on the non-compliance of: a) pre-ticked consent checkboxes in the second layer; b) the use of legitimate interest as a legal basis; c) the use of dark patterns in the design of links or in the colors/contrast of buttons; and d) imprecision in the classification of essential cookies. The second concluded that public bodies across the EU may have difficulty providing supplementary measures when sending personal data to a US-based cloud (as required by Schrems II) in the context of some Software as a Service (SaaS) deployments, suggesting that switching to a cloud service provider (CSP) based in the European Economic Area would solve the problem, and leaving many wondering whether this also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of functionality or scalability. Across the pond, on January 1 the long-awaited new data protection laws in California (CPRA) and Virginia (CDPA) came into force.
Although both offer a broad set of rights in terms of guaranteeing individual control over the personal data collected via the internet (opt-out, access, deletion, correction, portability...), California's creates a private right of action that could pave the way for a new wave of lawsuits. In any case, only companies that reach a minimum threshold in terms of revenue or the number of consumers affected by their data collection practices will have to worry about the new rules. Finally, Privacy by Design will in a few days become the new ISO 31700 standard, finally inaugurating a structured and auditable process for complying with the seven principles established back in the day by Ann Cavoukian, former head of the data protection agency of Ontario (Canada).

Fines and private lawsuits

Continental data protection agencies keep milking the cow of the loose end left by the ePrivacy Directive (Article 22.2 of the Information Society Services Act in Spain) in relation to the GDPR's one-stop shop (“One-Stop Shop”). As much discussed around here, the long-awaited ePrivacy Regulation never saw the light of day to keep both bodies of law in tune, and this allows any supervisory authority to independently handle cases concerning consent for cookies and other similar technologies. This criterion has been reinforced by the recent conclusions of the European Data Protection Board's Cookie Banner Task Force (in addition to those mentioned above).
Microsoft was the latest big victim of this particular case law in the year we have just left behind (after Meta and Google), receiving a 60 million euro fine from the French CNIL, which shortly afterwards graced TikTok with another 5 million euro fine (once again, for the absence of a “Reject all” button in its first layer, or “not making it as easy to reject cookies as to accept them”). Apple's turn also came, despite all the advertising spent promoting its supposed privacy championing, with an 8 million euro fine for collecting unique device identifiers from visitors to its app store without prior consent or notice, in order to run its own advertising system. CNIL's ePrivacy sanction carnage did not stop at Big Tech. Voodoo, a leader in hyper-casual mobile games (including Helix Jump, Baseball Boy, Hole, Aquapark and Paper.io, with five billion downloads by mid-2021), also got its share of punishment with a 3 million euro fine for lack of adequate consent when serving an IDFV (the unique "for vendors" identifier, which Apple allows app publishers to issue when the IDFA, which enables tracking across all apps, has been rejected by users as a result of the App Tracking Transparency prompt).
Leaving the ePrivacy Directive aside, and in the pure domain of the GDPR, Discord received an 800k euro fine (again, at the hands of CNIL) on the basis of: a) the absence of a specific retention period; b) failure to observe Privacy by Design principles in the development of its products; c) accepting excessively low security levels for the creation of user passwords; and d) not carrying out a Data Protection Impact Assessment (given the volume of data it processes and the tool's popularity among minors). And yet, one piece of news in particular eclipsed almost everything else in this category: Ireland's DPC imposed a 390 million euro fine on Meta, at the behest of the EDPB, for relying on the contractual legal basis to serve personalized advertising on Facebook and Instagram, which in itself constitutes the business model underpinning both social networks. At Masters of Privacy we have debated the matter and its consequences with both Tim Walters (English) and Alonso Hurtado (Spanish). We have also published an opinion piece on our blog. This last matter is a good transition to Twitter's latest problems. Its new owner, Elon Musk, not content with having fired key senior executives in charge of privacy compliance in the EU (including its Chief Privacy Officer and DPO), has suggested that he will force users of the free service to consent to personalized advertising. This type of practice reminded us of the “cookie walls” that the French Conseil d'État forced CNIL to accept in that country, resulting in the consent requests at gunpoint that have spread across Le Monde and other publishing groups.
The Irish DPC (once again in charge of its supervision under the One-Stop Shop rule) has nevertheless requested a meeting with Twitter in the hope of drawing some red lines. For its part, the AEPD, which keeps breaking all records in terms of monthly fines, has sanctioned (70,000 euros) the parcel company UPS for delivering a MediaMarkt shipment to a neighbor, thereby breaching its duty of confidentiality. Across the pond, Epic Games has agreed with the US regulator to pay a 520 million dollar fine for directly targeting children under 13 with its Fortnite game (the default settings also allowed them to take part in voice and text communications with strangers), as well as for using "dark patterns" in purchases of digital “artifacts”. On the private lawsuits front (especially important in the US), Meta has agreed to pay $725 million after a class action was filed in California against its social network Facebook on the back of the ever-present Cambridge Analytica scandal. In addition, the Illinois Biometric Information Privacy Act (BIPA) continued to put money into the pockets of claimants and class action lawyers, in this case forcing Whole Foods (an upscale organic food supermarket chain owned by Amazon) to negotiate a 300,000 dollar payment; TikTok, Facebook and Snapchat have already been through this, although here it was the tracking, via "voiceprints", of its own employees that triggered the lawsuit.
Competition and Digital Markets

Google has been sued by the Department of Justice for abuse of its position in the open AdTech market (or the ads shown across the web and beyond its own Google Search and YouTube "walled gardens"), leveraging its control of the publisher ad server market (controlling “display” advertising inventory) and its privileged position as owner of the main bid management venue (AdX, matching supply and demand in real time) to block any possible challenge to its dominance of the advertiser market (advertisers being ever smaller, less sophisticated and more in need of the simplicity offered by Google Ads to invest in both search ads and “display” advertising). Among other things, Google has been accused of artificially manipulating AdX to favor publishers at the expense of advertisers.

Zero-Party Data and the future of media

(The news item below obliges us to combine both categories this season) The BBC has deployed its own version of SOLID pods (data and preference wallets) to allow its customers to leverage their own data (exported from Netflix, Spotify and the BBC) to obtain relevant recommendations while keeping full control of such data on their devices. Here ends our update, but not the winter! Don't forget to bundle up… against the cold and against the risks in the processing of personal data :) You will find all the links and references on the Masters of Privacy blog. With Cris Moro and Sergio Maldonado
Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Can Ads be GDPR Compliant?, published by jefftk on January 8, 2023 on LessWrong. I think the online ads ecosystem is most likely illegal in Europe, and as more decisions come out it will become clear that it can't be reworked to be within the bounds of the GDPR. This is a strong claim, but before I get into backing it up here's some background on me: I'm not a lawyer or an expert in privacy regulation; this is something I follow because I'm interested in it. I worked in ads until June 2022, but I'm speaking only for myself. I don't expect to go back into the industry. So, how are sites not compliant? When you visit a site in Europe, or an international site as a European, you'll typically see a prompt like this: In this screenshot El País is asking for permission to use cookies and use your data to personalize ads. Why are they asking you? A combination of two regulations: The ePrivacy Directive (2002) which requires the site to get your consent before using cookies or other storage on your device unless they're strictly necessary to provide a service you requested. The GDPR (2016) which tightly limits what companies can do with your data without your consent. The idea is, if you click "accept" then they can say they had your consent for all the advertising stuff they do. But I think it's very unlikely this is compliant with the GDPR. For example, in a recent case France's data privacy regulator CNIL recently fined Microsoft €60M (full text) for a similar popup on Bing. I'm going to come back to this decision later because it has other implications, but in paragraph 65 the CNIL ruled that their cookie banner was not collecting valid consent because it took more clicks to refuse cookies than to accept them.
The principle here is that for consent to be valid under the GDPR it needs to be just as easy to give consent as it is to refuse it. This is not widely respected today, since for most companies it's going to be much more profitable to put up a not-really-legal banner that heavily pushes users towards saying yes and hope they don't get in trouble, but as the data protection agencies continue their enforcement I think this will become less practical. Another approach you see on a few sites is the one that Der Spiegel takes: They offer a choice between accepting their standard ad stuff or paying to subscribe to the site (more details). I'm glad they're giving users the choice here and I think this should be legal, but I'm pretty sure it isn't right now. The problem is that the user's consent isn't "freely given" in terms of the GDPR's Article 4(11) if they would otherwise have to pay for access. The third option is to have a cookie banner that is as easy to reject as it is to accept: When I click "deny" and visit their site, they show a popup saying "Lower quality ads may be displayed." This includes (definitely low quality...) ads from Outbrain, with many network requests to outbrain.com and outbrainimg.com: The problem is, per the Schrems II ruling these are also not GDPR-compliant. Because US companies are required to share information with the US government and IP addresses are personal information, the GDPR requires sites to get consent from users before sending any of their information to American companies or their subsidiaries. European courts have applied this ruling to fine sites for using Google Analytics, Google Fonts, and the Akamai CDN. Since Outbrain is an American company, based in NYC, this is not compliant. Schrems II compliance rules out all commercially available adtech options I know about, and the only fully GDPR-compliant sites I've seen are ones where clicking "reject" means you don't get any ads at all. 
As a somewhat speculative aside, I think there's another problem with these consent popups: when you visit the site they read your cookies. Pe...
Milla and Laura chat with Hannes Saarinen about the Cloud Act and, of course, about data transfers. What exactly is the Cloud Act, and why does it keep popping up in Schrems II discussions? Do the two have anything to do with each other? What are the data protection problems caused by the Cloud Act, and will there be any fix for these problems in the future? On the episode title: Pilvi (a name that also means "cloud" in Finnish) actually says nothing about the Cloud Act, because she couldn't join the episode. The joke was too good to leave unused. EDPB and EDPS statement on the Cloud Act: https://edpb.europa.eu/sites/default/files/files/file2/edpb_edps_joint_response_us_cloudact_annex.pdf Cloud Act memo commissioned by the Netherlands regarding data transfers (available via the blog): https://www.pinsentmasons.com/out-law/news/dutch-memo-us-cloud-act-europe You can follow TietosuojaPodi on Twitter here: https://twitter.com/PodPrivacy You can send us feedback as a Twitter direct message, with the hashtag #tietosuojapod or by email to tietosuojapod@protonmail.com Follow us also on Instagram and LinkedIn under the name privacypod!
We talked to an expert about Joe Biden's executive order, so you don't have to read it yourself. In this episode, together with Birgitte Toxværd, lawyer and partner at Horten, we go through the executive order that the White House has issued in connection with third-country transfers. Birgitte also gives her take on whether Max Schrems can win Schrems III.

You will learn:
- What an executive order actually is,
- Why it was made,
- What its content looks like, and
- How it solves (or does not solve) the problems that the EU Court of Justice pointed out in connection with the Schrems II case.

It is very much about some quite fundamental things in the legal world. When is something a court, for example? Listen in and learn more. Birgitte Toxværd has worked with data protection law for more than 15 years and is one of the country's most experienced advisers. She is a lawyer and partner at Horten. Follow her on LinkedIn: https://www.linkedin.com/in/btoxvaerd/ Host: Jacob Høedt Larsen (find and follow him on LinkedIn: https://www.linkedin.com/in/jacobhoedtlarsen/). Privacy League is a podcast from Wired Relations, where we talk about GDPR and information security. Privacy League is also a community around GDPR and information security, which you can join at www.wiredrelations.com/pl. Among other things, we meet every Wednesday at 14:00 online, where we exchange experiences and ideas on all kinds of topics within GDPR and information security.
The fourth of five episodes made in collaboration with Conversionista, in which five different areas within CRO are explored: both how we work today and how we may come to work in the future. In this episode I talk with Max Hammarberg, who is a data quality expert, about data quality, what it is and why it is important, as well as its role in both marketing and conversion rate optimization today. And not least how we make sure we can trust our data. Data quality is an area that has grown strongly in recent years and has become ever more important after GDPR, cookie legislation, Apple's ITP and ATT, and the phasing out of the third-party cookie. This is a good episode for anyone who wants to understand data quality and how it affects us marketers. And I'm sure you will be able to take away plenty of new insights about data, data quality and where we are heading.

About the guest

Max Hammarberg is a data quality expert and part of the Data Quality team at Conversionista in Stockholm. There he has helped build up the team, which now consists of 12 people focused on data quality. The team works to help companies make sure they have the right kind of high-quality data to make data-driven decisions possible and to work effectively with marketing: a bridge between IT and the marketing team. Max has solid experience as a web analyst with a deep technical understanding, and he is one of Sweden's foremost experts in the field.

About the episode

In the episode Max and I talk about what data quality is, its role in marketing and why it is such an important area today, as well as why it is the foundation for being able to work in a data-driven way and make data-driven decisions. Among other things, he talks about the six KPIs you can use to assess data quality, how to use them and why the goal is not to be perfect on all of them. Max also describes what his work process looks like when he takes on a project, and why it is so important to choose which data points matter.
You will also hear about:
- Data quality in marketing today
- The difference between analytics and data quality
- How you know you can trust your data
- The problem with having too much data
- How data quality creates greater credibility
- What the shift to Google Analytics 4 means
- Why it is so important to ally yourself with IT
- Plus a lot more…

We also talk about what the cookieless future will mean for us marketers and how it will affect how we work with marketing. Max also delivers a number of other interesting observations and plenty of good insights. As usual, you will find links to everything we mentioned here in the podcast post, plus a number of extra links and a list of web analytics tools. After the links you will also find timestamps for the different sections of the episode.

Links
- Max Hammarberg on LinkedIn
- Conversionista (website)
- Conversionista (LinkedIn)
- Conversion Manager (training)
- Google Analytics 4 (tool)
- Piwik Pro (tool)
- MixPanel (tool)
- Matomo (tool)
- Adobe Analytics (tool)
- Simo Ahava (blog)
- Varför sitter vi lugnt i båten när omvärlden mobiliserar för en cookielös framtid? ("Why are we sitting calmly in the boat while the world mobilizes for a cookieless future?") - IAB Sverige (article)
- Google Analytics and data transfers: how to make your analytics tool compliant with the GDPR - CNIL (article)
- Schrems II a summary – all you need to know - GDPR Summary (article)

Timestamps
[3:40] Max starts by explaining what data quality is, and what it is not, and introduces the six KPIs that are often discussed in relation to data quality.
[6:54] How to use the KPIs to assess whether you have high or low data quality, and why it is not a good idea to aim for perfection on all 6.
[8:04] Max explains how he sees the difference between analytics and data quality, and how the division has been made at Conversionista.
[10:34] What role he sees data quality playing in companies today and in the work of becoming data-driven.
The latest development in the conflict-ridden saga of data transfers is the October decree from Joe Biden, the result of two years of work since the EU Court of Justice in 2020 declared the previously concluded Privacy Shield agreement unlawful. The decree is meant to get data transfers and billion-scale business back on track. So what is new? Can EU citizens now have their rights tested before a US court? Does the decree address the critical points of the EU judgment, or is it just old wine in new bottles? We examine this in the latest episode of Magtens Tredeling, where we talk with the same two legal experts who two years ago laid out the consequences of the Schrems II judgment. Participants: lawyers Tim Krarup Nielsen, partner at DAHL advokater, and CBS professor Søren Sandfeldt Jacobsen, Gorrissen Federspiel. Host: Dan Poulsen.
After several years of negotiation following the invalidation of the Privacy Shield by the European Court of Justice (CJEU), on October 7, the president signed an Executive Order, and the attorney general issued regulations, implementing the agreement between the U.S. and the EU announced earlier this year to replace the Privacy Shield framework. The European Commission (EC) has issued a statement that these actions will “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision.” The EC is expected to make this framework the basis of an adequacy finding that the U.S. provides privacy protections that are essentially equivalent to European law.
A new executive order from President Joe Biden aims to bolster U.S. privacy protections in a way that ensures such data transfers comply with EU laws, thus theoretically streamlining the flow of that data across the Atlantic to the U.S. Such transfers have been a troubled and complex issue for years. On today's show we are joined by Crowell & Moring Senior Counsel Christiana State, who focuses on privacy and cybersecurity from the firm's San Francisco office. She specializes in and advises on issues related to technology and commercial transactions, and M&A corporate activities like the ones we are talking about today.
On this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Outschool discuss the 10-7 series of deliberately machinated and long-awaited political events surrounding the EU-US data transfer mechanism that is intended to replace the Privacy Shield, invalidated under Schrems II back in 2020: the “thingie.” Plus, the UK-US joint statement on adequacy consideration. These various events comprise the Executive Order (the Fact Sheet along with the information on the European Commission site), the Department of Commerce statement, the Department of Justice's final rule from the Office of the Attorney General on the Data Protection Review Board, and NOYB's response. As expected, and as TrustArc predicted, those companies who remained in the Privacy Shield will have a transition plan. For additional information, please also see the various analyses from the IAPP and the Future of Privacy Forum. Carry the conversation further and connect with us to discuss. As always, if you have comments or questions, let us know: LinkedIn, Twitter @podcastprivacy @euroPaulB @heartofprivacy @trustArc and email seriousprivacy@trustarc.com. Please do like and write comments on your favorite podcast app so other professionals can find us more easily.
Welcome back to TietosuojaPodi after the summer holidays! If you had better things to do over the summer than follow data protection news, here is your chance to bring your knowledge up to date again. This year there were no Schrems II-level news bombshells over the summer, but quite a bit of smaller movement in the data protection field has happened during the holidays. We go through the Posti scandal, i.e. the storm in a teacup that arose on Twitter concerning data processing by a Posti subcontractor. In addition, plenty about cookies and a review of the Data Protection Ombudsman's decisions published during the summer. As a bonus, the episode also includes Panu's tips for a better hammock life. And hey, if you have always wanted to have your voice heard on a podcast, now is your chance! We are planning the autumn episodes and suspect that the regular panel's voices have been heard quite enough already. So send us a message through the usual channels if you would like to be a guest on one of the autumn episodes. The Posti scandal: https://www.mtvuutiset.fi/artikkeli/postin-kayttaman-palvelun-ilmoitettiin-keraavan-kayttajalta-vuoden-tilitiedot-ja-viittaa-poliittiseen-profilointiin-postin-mukaan-kyseessa-viestintamoka/8485774 Meta's data transfers on extra time: https://iapp.org/news/a/irish-dpc-files-draft-order-to-halt-metas-data-transfers-to-us/ https://www.politico.eu/article/europe-eu-avoids-facebook-blackout-social-media/ NOYB's latest cookie complaints: https://noyb.eu/en/226-complaints-lodged-against-deceptive-cookie-banners Cookies live on in Chrome: https://blog.google/products/chrome/update-testing-privacy-sandbox-web/ ”Reject All” in Google's services: https://blog.google/around-the-globe/google-europe/new-cookie-choices-in-europe/ Recent decisions of the Data Protection Ombudsman: https://tietosuoja.fi/-/sijoituspalvelujen-tarjoajalle-huomautus-tietosuojasaannosten-vastaisesta-kaytannosta-tunnistamiseen-tarvittavien-tietojen-pyytamisessa https://tietosuoja.fi/-/otavamedialle-seuraamusmaksu-puutteista-tietosuojaoikeuksien-toteutuksessa You can follow TietosuojaPodi on Twitter here: https://twitter.com/PodPrivacy You can send us feedback as a Twitter direct message, with the hashtag #tietosuojapod or by email to tietosuojapod@protonmail.com Follow us also on Instagram and LinkedIn under the name privacypod!
The Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) is constantly in the public eye. Not only the German branches of Meta (formerly Facebook) and Google fall under his supervision, but also a number of large German media houses, such as the Springer group. Last year, therefore, there was great anticipation over who would succeed the departing, long-serving BfDI Johannes Caspar. In November 2021 the lawyer Thomas Fuchs took office after his election by the Hamburg state parliament (Bürgerschaft). Fuchs had previously been director of the Hamburg/Schleswig-Holstein media authority (Medienanstalt Hamburg/Schleswig-Holstein) for 13 years, so he is no stranger to regulatory supervision. In the current episode 67 of the c't data protection podcast he talks about his first months as Hamburg's top data protection official. Fuchs stresses that he puts a cooperative approach by his authority in the foreground. Over the past four years, he says, data protection has predominantly been perceived as the "sharp sword", the threat of a fine. But there is a great need for democratic data use, for example for research and mobility: "I want to accompany that from the outset," Fuchs emphasises. As an example of misguided regulation he cites the plans for a vaccination register: "In the corona pandemic we have a brutal shortage of data. Many said a vaccination register is not possible under data protection law. I would say: it very well could be done in a data-protection-compliant way if it were clearly regulated who may access it." Fuchs intends to continue his predecessor's work: "We continue to deal intensively with Meta and Google, and we still have influence on the decisions, which are however made in Ireland." Fuchs is optimistic that the Irish data protection authority, as the supervisory authority responsible in the EU for the big tech companies, is currently tightening the reins. "A decision on Facebook's data transfers to the USA, for example, is imminent."
The wording of the EU data strategy gives Hamburg's new BfDI a stomach ache. Laws such as the Data Act or the Data Governance Act are, taken on their own, "exciting and relevant". But it is "simply a catastrophe" that they contain no exceptions to the GDPR and instead have to be brought fully into line with it: "In future, even more projects are likely not to be started at all, out of fear of somehow violating data protection law." The GDPR must be embedded in a single market that also takes economic interests into account, otherwise it will not be fit for the future.
In early summer 2020 we talked with Ole Kjeldsen from Microsoft, Henning Mortensen from Rådet for Digital Sikkerhed, Lene Gram Skjoldager from Wired Relations and Max Gersvang Sørensen from Gorrissen Federspiel about how we should handle Schrems II. There is still something to be learned from the conversation. Host: Jacob Høedt Larsen. Privacy League is a podcast from Wired Relations, where we talk about GDPR and information security. Privacy League is also a community around GDPR and information security that you can join at www.wiredrelations.com/pl
Today, we're speaking with Kasey Canlas, UX Research Operations Lead at Genesys. With new Data Privacy laws frequently emerging, such as GDPR and the more recent Schrems II court decision, it can be challenging to evaluate your research practice to see if current processes are compliant. Kasey will be speaking at ReOpsConf2022 where she will give actionable steps for the audience to take to build a secure data-privacy-compliant research practice, such as how to evaluate existing processes, what information needs to be documented, along with essential steps and best practices to add to your strategy. Episode Transcript: Episode 10 ResearchOps Podcast - Kasey Canlas - Transcript
In the 100th episode of Serious Privacy, Paul Breitbarth and Dr. K Royal connect with two of the biggest names in the privacy field, Chris Babel, the CEO of TrustArc, and Hilary Wandall, Chief Compliance Officer at Dun and Bradstreet. Both Chris and Hilary were instrumental in launching Serious Privacy and critical to its success. In this completely unscripted and candid conversation, the four of them touch on both philosophical aspects of privacy and practical application. No topic was off limits! They ranged from the replacement to Privacy Shield to the growth of privacy as a career to ESG. Join them for a rousing discussion - that goes a little longer than usual. And as a special treat, we also have an interview with Immaculate Kassait, the Data Commissioner of Kenya. Feel free to comment on Twitter (@podcastprivacy @trustarc @euroPaulB @heartofprivacy) or on LinkedIn for Serious Privacy with your thoughts in response. Don't forget to catch K at IAPP Global Summit April 11 - 13 for stickers and spur-of-the-moment interviews and also register for upcoming TrustArc webinars.
Data Democratization - Frontline stories about data and privacy
The recently announced Transatlantic Data Privacy Framework will foster data flows between the US and the EU, addressing the concerns raised by the Schrems II decision. The US made an unprecedented commitment to strengthen the privacy protection applicable to US signals intelligence activities within the new framework. New safeguards will be implemented to protect citizens' rights while advancing cross-border data flows. The next step is to translate this framework agreement into legal documents that will be put into practice on both sides of the Atlantic. But what does this mean for data privacy in practice? What are the major challenges, and what can we expect in the long run? We spoke to J. Scott Marcus, Senior Fellow at the EU's economic think tank, Bruegel, about the history and future of transatlantic data flows. Read on to learn how synthetic data can solve cross-border data sharing!
Fredrik gets a return visit from Bartek Tatkowski. We discuss GDPR, robots that work for you, and, as a sort of follow-up to a point in last week's episode, front-end development without build steps. We start with GDPR: how it is perhaps starting to get a bit more serious while many try to get around the rules. Is the floor perhaps a bit more lava now than before? After GDPR it gets more uplifting: nice household robots that make life easier. Bartek was pleasantly surprised by a robot vacuum cleaner and quickly moved on to an ... unexpectedly large ... number of robot lawnmowers. Fredrik shares his expertise on cutting, repairing and moving guide wires. Last but not least, a bit of follow-up from last week. The list we discussed then mentioned, among other things, avoiding build steps in your web development if you can. Back then we mostly wondered whether you could actually get there, but Bartek has tried and has nice examples of tools that make it possible. A big thank you to Cloudnet, who sponsor our VPS! Do you have comments, questions or tips? We are @kodsnack, @tobiashieta, @oferlund and @bjoreman on Twitter, have a page on Facebook and can be emailed at info@kodsnack.se if you want to write at greater length. We read everything that is sent in. If you like Kodsnack, please review us on iTunes! You can also support the podcast by buying us a coffee (or two!) on Ko-fi, or buying something from our shop.
Links: Bartek; Episode 440; All episodes with Bartek; Bartek previously podcasted on Kompilator; GDPR; The floor is lava - Bartek's article on the GDPR developments; The floor is lava - the game; Inte nudda mark (don't touch the floor); Google Analytics is not compatible with Schrems II; Schrems II; Max Schrems; noyb.eu; Max's article on the EU and USA agreeing that Schrems II does not exist; Dark patterns; uBlock Origin; Reader mode in Safari; 1Blocker; Super Agent is available for all major browsers; Roborock; Lidar; Tesla sees with cameras instead of lidar; Plastic connectors you splice your lawnmower wire with; USA to abolish the clock change; The EU's decision to stop changing the clocks has ... ended up far down the agenda; PHP; jQuery; ASP.net; AJAX; JSON; SPA - single-page application; Angular; Knockout; The Tower of Babel; Babel; Resume-driven development; Dependency injection; Vue; React; Grunt; Gulp; Ruby on Rails; Hotwire; Laravel; Livewire; Blazor; htmx; DOM; Kodjobb; Razor pages; Alpine.js; Preact; JSX; Tailwind CSS; The Kompilator episode on Tailwind; Bootstrap; Last week's list - point 55 said among other things to avoid build steps if you can; Yarn. Titles: On the GDPR front; Don't touch the floor; Not GDPR's fault; In the happy nineties; A big fat “deny all”; Are we done with GDPR?; Beijing robot company, limited; N robot lawnmowers; When the robot cuts the wire; An emergency theme; On the verge of being a boomer; When I discovered PHP; Just ordinary magic; An ugly hack from the start; 200 MB NPM package; Building a tower with Babel; Resume-driven development; I just want my index.php; A trio of libraries; No build steps at all
This episode is released on the occasion of the Danish Data Protection Agency (Datatilsynet) having published new guidance on cloud (https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/mar/ny-vejledning-og-ekspertgruppe-om-brug-af-cloud). The episode also follows on from earlier episodes of the podcast about cloud (https://soundcloud.com/datatilsynet/14-cloudbaserede-tjenester-er-der-noget-jeg-skal-vaere-saerligt-opmaerksom-pa) and third-country transfers after the Schrems II judgment (https://soundcloud.com/datatilsynet/21a). The hosts are IT security specialist and lawyer Allan Frank and deputy head Makar Juhl Holst from Datatilsynet.
International data flows play a central role in the European economy, particularly when it comes to the processes of digitalisation. At the same time, international flows of personal data can present risks to the fundamental rights of European citizens. Legal conflicts concerning international data flows can also pose uncertainties for businesses, as was demonstrated by the Schrems II judgement of July 2020. In this event an expert panel discusses how Europe can best promote the benefits of international data flows while protecting European citizens' fundamental rights. This expert panel includes: Bruno Gencarelli, Head of Unit for International Data Flows and Protection Una Fitzpatrick, Director of Technology Ireland
Colonel Marco Menegazzo is the Commander of the Privacy Group within the Nucleo Speciale Tutela Privacy e Frodi Tecnologiche (Special Unit for Privacy Protection and Technological Fraud) of the Guardia di Finanza, which supports the Garante per la protezione dei dati personali in the inspections that are carried out. In this episode of Diritto al Digitale he discusses with Giulio Coraggio of DLA Piper their role in carrying out the inspections requested by the Garante, the privacy compliance failures they identify most frequently, and how compliance with the cookie guidelines and with the requirements for transferring data outside the EEA under the Schrems II judgment will be among the topics they will mainly focus on in the coming months. On a similar topic, the podcast episode "Come preparare la propria azienda ad una ispezione del Garante privacy?" (How to prepare your company for an inspection by the privacy Garante?) may be of interest.
Health data is most often personal data, and so the General Data Protection Regulation (GDPR) and the Schrems II judgment have had a major impact on how we can handle, work with and collaborate on health data. The requirements for secure handling of our data drive good security development, but also bring challenges for the actors involved. With us we have lawyer Øyvind Eidissen, a partner at Schjødt, and Einar Martin Aandahl, who is a physician, researcher and CEO of Ledidi. Together they cover both the technical and legal aspects of using and processing health data in light of the various regulations. Can technology such as confidential computing solve Schrems II?
Debbie Reynolds, “The Data Diva,” talks to Ralph O'Brien, Founder and CEO of Reinbo Consulting Ltd., United Kingdom. We discuss his journey into Data Privacy, the most surprising thing in Data Protection and Data Privacy since GDPR was enacted, the need for a multidisciplinary approach to Data Protection, his primary concern about Data Protection, Data Protection in the UK after Brexit, the impact of Schrems II and EU adequacy on the UK, law enforcement uses of data vs. the GDPR, the geopolitical Data Privacy landscape of the EU, US, and the UK, the Personal Information Protection Law (PIPL) in China, the trend toward more data localization and criminal penalties in Asia/Pacific, where penalties may be harsh and swift, the importance of the UK Lloyd v. Google case, the concern of big corporations over class-action lawsuits for privacy infractions, and his hopes for Data Privacy in the future.
The Austrian data protection authority has decided that the use of Google Analytics violates GDPR. And we can expect similar decisions from the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) shortly. The decision follows from the Schrems II judgment, which is now more than 1.5 years old. Real values are at stake when the interests of American internet giants are weighed against citizens' privacy. There are no longer any excuses for not adapting your operations to Schrems II. In this episode of the podcast Ehandelstrender, host Urban Lindstedt talks with Fatima Ekekrantz, COO at Symplify, and Daniel Melin, cloud and data centre strategist at Skatteverket (the Swedish Tax Agency). The Schrems II judgment prohibits companies, authorities and organisations from sharing personal data with American companies, since American intelligence agencies have the right to demand access to personal data from American companies. We also know that Sweden is one of ten countries that American authorities have singled out as particularly interesting from an intelligence perspective. It is easy to laugh at companies being fined for using Google Fonts on their website, but American industrial espionage very much threatens our future prosperity. On the other hand, we laugh at Meta threatening to shut down services such as Facebook and Instagram in Europe and thereby turn down a quarter of its revenue. Schrems II has bigger implications than e-retailers having to drop Google Analytics, measuring marketing via Facebook's pixel or using Facebook Connect. It is also not permitted to store customers' email addresses or IP numbers at Amazon Web Services and other American cloud services. The obvious question to ask in every procurement is: Are your services Schrems II-secured?
This is episode 53 of Licht op Legal. In this episode Elze ‘t Hart, attorney in Information Technology and Privacy at Van Benthem & Keulen, looks at the transfer of personal data outside the European Union (EU). In this podcast Elze explains what is understood by transfer, including giving access to and forwarding personal data. Elze then discusses under which conditions personal data may be transferred outside the EU under the GDPR (AVG). Elze also briefly addresses the Schrems II judgment and discusses the safeguards that must be taken under the GDPR and the steps you must take to ensure that your organisation complies with the GDPR with regard to the transfer of personal data. Would you like to know more about the transfer of personal data outside the European Union? Then contact Elze 't Hart. Do you have suggestions for a topic, or would you like our experts to shed light on your legal question? Then send an email to lichtoplegal@vbk.nl. You can listen to Licht op Legal via our website, Spotify, Apple Podcasts or your own favourite podcast app. This is a podcast by Van Benthem & Keulen. You can find us at: vbk.nl, LinkedIn, Twitter, Facebook, Instagram.
Time for another stop along the way to review the latest developments in ePrivacy, MarTech/AdTech, Zero-Party Data and Customer Centricity, competition and digital markets, and the future of the media. With Cris Moro and Sergio Maldonado. References: Guidelines for using Google Analytics without cookie consent (Netherlands); Austrian ruling against the use of Google Analytics; Topics API specification in the Privacy Sandbox; Conflict between the GDPR and the Digital Content Directive. On our website you can find the full post with all the news discussed and its sources.
1. The Independent Human Rights Act Review by the UK Government. 2. Irish DPC's Children Front and Centre: Fundamentals for a Child-oriented Approach to Data Processing, December 2021. 3. Austrian DPA says that the use of Google Analytics violates the "Schrems II" decision. Some facts about Google Analytics data privacy. 4. EDPS research report on government access to data in third countries including China, India and Russia, November 2021. 5. EDPS decision on the retention by Europol of datasets lacking Data Subject Categorisation. 6. EDPB on the Law Enforcement Directive (LED). 7. European Parliament's research paper on Rethinking biometrics in the era of artificial intelligence. 8. Shinigami Eyes banned in Norway. 9. Chinese Internet Information Service Algorithm Recommendation Management Regulations. 10. Open Rights Group's adtech challenge in Killock and Veale & Ors v Information Commissioner (GI/113/2021 and ors). 11. French CNIL fines Google €150M and Facebook €60M for making refusing cookies not as easy as accepting them. 12. Meta's Threat Report on the Surveillance-for-Hire Industry.
The City of Stockholm has thrown out Microsoft 365. As a result, the municipality's more than 40,000 employees will have to use a different system in future. According to the City of Stockholm, this is because they cannot get sufficient guarantees against personal data in the municipality's systems being handed over to American authorities. That is a fair objection. But why then can the Danish public authorities so easily use 365 here at home? Computerworld's strategy and management editor Jakob Schjoldager has followed GDPR, Schrems II and the cloud market with almost frightening intensity over the past few years, and in a moment you can hear his account of the matter. And speaking of Microsoft, the tech giant's newest computer, a Surface Pro, arrived at the editorial office the other day. Computerworld's technology editor Niels de Boissezon does not hesitate to call it ”the best Surface to date.” That is hard to resist. So at the end of this episode of Inde i maskinen you get a couple of reasons why Niels has fallen for the new Surface Pro 8.
The Austrian supervisory authority DSB responds to Max Schrems' NOYB on the lawfulness of the data transfers involved in the Google Analytics services. The decision is interesting because it clarifies the importance of technical measures, in part contradicting those who believed that using data centres in Europe was sufficient to comply with the Schrems II judgment of the Court of Justice of the European Union.
2021 is over and 2022 is here. Anders and Linus therefore offer a new list in which they have put together their five best tips and observations for 2022 for everyone who works in communication. There is talk about how you can sharpen your target group analysis, optimise the distribution of content, and how the pandemic will increase the demands for independent work. In addition: how should you handle the Schrems II judgment? And what does it mean for content creation when more and more followers just want to consume the content rather than interact with it? ---------------------------- We are grateful for views and feedback. We also gladly accept tips on topics and guests for our podcast. Or perhaps you want us to come to your workplace and talk media and communication? Follow us on Facebook: http://facebook.com/svenssonmattisson Contact us at: svenssonmattisson@hotmail.com
In the term's last, and also the 297th, episode the two educators are back in the studio to sum up the year that has passed. There will be retrospectives, lists and reflections, all with school as the starting point. In this two-part Christmas special Patrik Landström also contributes a piece on AI in Linköping municipality. In the year's last episode a spoken Christmas buffet is served that includes, among other things, keywords, trends, Elon Musk, Schrems II, Quizlet, Flickr, the kitten lawyer, birthday children, Clubhouse, statistics and challenges teachers have struggled with during 2021. This time too, most things are as usual. It will be a conversation (split over two episodes) about school, digitalisation and a bit of other stuff.
Americans in the age of COVID-19 are relying more than ever on digital networks to work, socialize, and learn—which makes safeguarding the privacy and security of those networks even more essential. The 2021 Cato Surveillance Conference brings together an outstanding lineup of academics, technologists, policymakers, and privacy advocates to discuss the most pressing topics in privacy and digital civil liberties, kicking off with a keynote address from Sen. Ron Wyden (D‑OR). Speakers will examine how the “surveillance‐industrial complex” is increasingly outsourcing surveillance that used to be the exclusive province of intelligence agencies to a burgeoning private surveillance industry. We'll look at how a year of virtual classrooms has given rise to a disturbing trend of schools employing spyware to monitor students. We'll explore how anonymity—increasingly the scapegoat for everything toxic about online culture—is crucial to free speech and a vibrant culture of dissent. And we'll demonstrate just how vulnerable the ubiquitous “Internet of Things” makes us with a live hacking demonstration. Join us live online, streaming from the Cato Institute.
Description: In the tenth episode of season 2 we have a visit from one of Norway's foremost experts on GDPR, Jan Sandtrø. In the episode we talk about why GDPR and information security are so closely connected, data processing agreements, transfer bases, Schrems II, and more! Level: 100 Sources mentioned/recommended: – https://sandtro.no Participants: - Olav Østbye, Cloudworks - Karim El-Melhaoui, NBIM – Jan Sandtrø, lawyer and GDPR expert Follow us! - https://www.linkedin.com/company/O3CYBER - https://twitter.com/O3CYBER - https://facebook.com/O3CYBER.no Praise or criticism? Please give us feedback, both positive and on what we could improve. You can do this via "contact us" in the menu on our website, CastO3.no Suggestions for new episodes? If you have any wishes/suggestions for new episodes, feel free to contact us in whatever way you prefer; see our website CastO3.no
The Schrems II judgment was designed to identify available options to transfer data from the European Union (EU) to the United States (US), including implications on cross-border data transfers beyond the EU and US. Daniel J. Solove (President and CEO at TeachPrivacy) and Justin Antonipillai (CEO and Founder at WireWheel) are joined by Peter Swire (Senior Counsel at Alston & Bird), Kenneth Propp (Senior Fellow at Atlantic Council), and Shannon Yavorsky (Privacy and Data Security Partner at Orrick) to discuss current issues between the European and American approach vs. policy, as they relate to cross-border transfer flows. You can also follow WireWheel on social media to track the latest news in the Privacy world! Follow us on LinkedIn, Twitter, YouTube or Facebook. To learn more about WireWheel Data Privacy Management solutions, visit www.wirewheel.io. Any questions? You can contact us at marketing@wirewheel.io!
Right now one of the world's largest cloud companies, Amazon Web Services, also known as AWS, is holding a huge conference in Las Vegas with 35,000 participants. It is the 10th time AWS has held Re:Invent, a conference where it presents a range of new products and trends for the company's many cloud customers around the world. Jakob Schjoldager, Computerworld's strategy and management editor, has travelled to Las Vegas to follow the cloud giant this week. And he got up early to give his take on the three big topics at the cloud conference. In this report you can therefore hear about how AWS is grappling with the Schrems II judgment and the ever tighter European data regulation rules, what the new CEO Adam Selipsky sees as the future of cloud, and how AWS sees local partners as an ever larger part of its business. The host of this episode is Computerworld's editor-in-chief Lars Jacobsen.
Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss a framework for building accountability into AI from an article in Harvard Business Review by Stephen Sanford. In this episode, Bill and Rob are joined by James Hart of Lighthouse. They discuss this critical component of Microsoft 365 and its important role in maximizing the effectiveness of ediscovery workflows and mitigation strategies. Key questions from their conversation include: What are unindexed items and how critical are they to efficiency in ediscovery workflows? After identifying unindexed items, what is the next step and how do you approach it? What are some key strategies for handling unindexed items? How are different organizations approaching unindexed items from a policy perspective? What are best practices for approaching this unique issue in Microsoft 365? In conclusion, our co-hosts end the episode with key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter. Related Links: Blog Post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations; Blog Post: Making the Case for Information Governance and Why You Should Address It Now; White Paper: The Impact of Schrems II and Key Considerations for Companies Using M365; Podcast: Keeping Up with M365 Software Updates. About Law & Candor: Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, visit the podcast homepage.
Nicola Aliperti, DPO of The Coca-Cola Company, outlines the main privacy and cybersecurity challenges he has had to face for a giant like The Coca-Cola Company. Nicola Aliperti started out as a computer engineer, but with the arrival of the GDPR he moved into privacy, first handling its technical side and now taking on the role of Data Protection Officer Europe of The Coca-Cola Company. In this podcast he tells Giulio Coraggio, Location Head of DLA Piper's Intellectual Property & Technology department, what characteristics he believes a DPO must have, what problems he had to face in The Coca-Cola Company's privacy compliance project across Europe, and how he sees the future with the challenges of cybersecurity and of data transfers outside the EEA after the Schrems II judgment. On a similar topic, the article "Il Garante estende la definizione di dato personale e rende il parere del DPO utile per ridurre sanzioni privacy" (The Garante extends the definition of personal data and makes the DPO's opinion useful for reducing privacy sanctions) may be of interest.
Bonus Episode presented by CBA National, After the pandemic: The future of justice, Ep 7. Yves Faguy discusses privacy law and data protection with privacy and cybersecurity lawyer Sinziana Gutiu. Gutiu shares her insights into trends shaping the privacy debate at home and abroad, the impact of the Schrems II ruling, Quebec's effort at updating its privacy law regime, and coming tech developments that we should be thinking about while crafting new laws. To contact us (please include in the subject line ''Podcast''): national@cba.org Please subscribe, rate and review our podcast if you are enjoying it on Apple Podcasts.
In this episode of R&G Insights Lab's podcast series, Culture & Compliance Chronicles, litigation & enforcement attorney Tina Yu speaks with Ropes & Gray partners who focus on data, privacy and security across the firm's enforcement and transactional practices. In the first part of a two-part discussion, Ed Black and Rohan Massey discuss the legal issues that are raised as more companies utilize data for both commercial and compliance purposes. In a wide-ranging conversation, they discuss: transparency around the use of data, especially in light of data protection laws; how organizations can make the most of their data while still fulfilling their legal obligations; the international transfer of data after the CJEU's recent decision in Schrems II; and the interplay between AI and data protection law.
We talked with NOYB! The conversation was with a representative of the organisation, lawyer Romain Robert, a specialist in data protection. As everyone should already know, the European Center for Digital Rights - NOYB (None of Your Business) is a non-profit organisation based in Vienna, Austria, founded by Max Schrems, which has already been responsible for prompting two landmark decisions at the Court of Justice of the European Union, invalidating the Safe Harbor Agreement (2015) and, recently, the Privacy Shield. Viviane and Fabrício talked especially about this latter case, known as Schrems II, which has had strong repercussions since the finding, on 16 July last, that the United States is not adequate for the international data transfers established on the basis of the Privacy Shield agreement, which was rendered without effect, and, on the other hand, the court's recognition of the validity of the Standard Contractual Clauses involving international transfers to the United States of America, provided that some additional conditions are observed by the controllers of personal data. Besides revisiting the main points of the decision, a bit of advice was also given to Brazil and to privacy professionals about activities involving the international flow of personal data. This international episode is very much worth listening to! A great lesson for us Brazilians. Hugs and kisses, Viviane and Fabricio
Welcome to TechCrunch daily news, a round up of the top tech news of the day. --Apple starts making the current iPhone in India --Revolut's Series D gets bigger --and an electric truck maker says they'll be on the road by next year. Here's your Daily Crunch. The big story is: The big Schrems II judgement that nullifies the EU-U.S. cross-border Privacy Shield that essentially protected companies in cases where they were transferring personal data of European residents to the U.S.