The Privacy Advisor Podcast

Though many privacy pros are still grappling with the EU General Data Protection Regulation, the EU is now busy leading a new generation of data regulations. As part of its Digital Single Market strategy, the EU is looking to not only protect data but also to create frameworks that allow for data flows, while aiming to mitigate hate speech and misinformation. Through an ambitious line of of proposed laws – including the Data Act, Data Governance Act, Digital Markets Act, Digital Services Act and the AI Act – the EU is poised to place a slew of new requirements for companies doing business in the region. Though not all privacy-related, privacy pros should be paying attention to this space. To catch up on this flurry of activity, IAPP Editorial Director recently chatted with journalist Luca Bertuzzi.

Cybersecurity is inextricably connected to privacy in countless ways. Like privacy law and regulation in the U.S., cybersecurity stands on a patchwork quilt of rules, laws, regulations and court cases. Stanford Cyber Policy Center Senior Policy Advisor Jim Dempsey has been teaching cybersecurity law since 2015 and worked in the area for decades, whether as an academic, a government representative on the U.S. Privacy and Civil Liberties Oversight Board, or an advocate at the Center for Democracy & Technology. He's long thought about the cybersecurity space and how it matches up to privacy and data protection. In fact, he's thought so hard on this subject that he published a new book with the IAPP called "Cybersecurity Law Fundamentals." IAPP Editorial Director Jedidiah Bracy recently caught up with Dempsey to discuss cybersecurity's current state of play, the biggest issues companies face from a world burgeoning with adversaries and what to look for in his new book.

Data protection and competition enforcement have been on a collision course in recent years. The Big Tech platforms have amassed powerful market share with vast amounts of user data. This inevitable convergence is shaping up on both sides of the Atlantic. U.S. President Joe Biden has appointed notable antitrust proponents to powerful government positions in recent months. And in Brussels, the European Commission has released a slew of draft legislation to help bolster its Digital Single Market efforts, curtail Big Tech hegemony, and promote competition. Journalist Samuel Stolton has been following these developments with an ear to the ground in Brussels. Host Jedidiah Bracy recently caught up with Stolton right as news emerged that Amazon faces a record $888 million fine related to GDPR violations.

On July 13, Ohio Lt. Governor Jon Husted announced the introduction of the Ohio Personal Privacy Act. The law applies to organizations doing business in Ohio or whose products or services target consumers in the state. Businesses with annual gross revenues exceeding $25 million, or process personal data of 100,000 or more Ohio consumers, or derive 50% of gross annual revenues from the sale of personal data would be covered. Like other laws, it does offer some consumer rights, including correction, deletion and portability, as well as an opt-out right for the sale of personal data. Most notably, the OPPA includes a carve out for businesses that reasonably conform with the U.S. National Institution of Standards and Technology's Privacy Framework. Host Jedidiah Bracy recently caught up with Husted to discuss the bill, the NIST provision, and what the OPPA could mean for the future of privacy law at the state, federal and international levels.

Voice-activated products and services are proliferating, while voice-recognition technology is on the rise. In addition to popular voice-activated assistants, call centers are beginning to use advanced voice-intelligence technology in novels ways. The technology could lead to plenty of innovation, but the potential privacy, safety and fairness issues will need some thinking. In his new book "The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet," Joseph Turow describes the rise of what he calls the "voice intelligence industry" and how artificial intelligence is enabling personalized marketing and profiling through voice analysis. IAPP Editorial Director Jedidiah Bracy caught up with Turow to discuss the potential privacy issues and what privacy pros and policy makers should be thinking about with this nascent industry.

Notice and consent have been foundational principles in privacy and data protection for decades. But do they provide individuals with the ability to make informed decisions as they navigate products and services? Will laws like the California Privacy Rights Act help change how companies design their privacy notices? For Jennifer King, the Privacy and Data Policy Fellow at Stanford's Institute for Human-Centered Artificial Intelligence, the notice-and-consent paradigm as it currently stands is a "farce" that needs an overhaul, not just from a legal standpoint, but also from a human-technology interaction perspective. IAPP Editorial Director Jedidiah Bracy chats with King about what's needed for an effective paradigm shift in this space.

Prospects for a federal privacy law in the U.S. ramped up in recent years, but even though data protection is a bipartisan issue, nothing has come close to passing. At the same time, U.S. state activity is swarming, and many countries around the world are developing and implementing their own national privacy laws. So what's it going to take for the U.S. to pass a federal law? Rep. Suzan DelBene, D-Wash., was the first congressional lawmaker to propose federal privacy legislation in 2021. Her bill received praise from the U.S. Chamber of Commerce and other industry groups for its approach, but does the bill have what it takes to cross the finish line? The Privacy Advisor Podcast host Jedidiah Bracy recently caught up with DelBene to talk about her proposed bill, the state of play on Capitol Hill, and what it will take for the U.S. to pass federal privacy legislation.

Artificial intelligence and machine learning technologies are rapidly developing across virtually all sectors of the global economy. One nascent field is empathic technology, which, for better or worse, includes emotion detection. It is estimated that the emotion detection industry could be worth $56 billion by 2024. However, judging a person's emotional state is subjective and raises a host of privacy, fairness, and ethical questions. Ben Bland has worked in the empathic technology space in recent years and now chairs the IEEE's P7014 Working Group to develop a global standard for the ethics of empathic technology. We recently caught up to discuss the pros and cons of the technology and his work with IEEE.

U.S. government surveillance bubbled back up in headlines in recent weeks. Portugal's data protection authority halted transfers of data to the U.S. after complaints that census data were being sent back to the U.S. The same week, a U.S. Foreign Intelligence Surveillance Court decision was published, in which it renewed a U.S. surveillance program even though it found some Federal Bureau of Investigation employees illegally accessed email data. This comes as the U.S. and EU try to hammer out a renewed data transfer agreement in the wake of the "Schrems II" decision that invalidated Privacy Shield. April Falcon Doss worked at the U.S. National Security Agency for 13 years. In 2017, Doss joined the U.S. Senate Select Committee on Intelligence for the Russia investigation. She also wrote a book, "Cyber Privacy: Who Has Your Data and Why You Should Care," and took a new job at Georgetown University Law Center. Host Jedidiah Bracy recently caught up with Doss to discuss the state of play of U.S. surveillance law, her new book, what she found out while investigating the 2016 presidential election, and what's on the horizon with her new gig at Georgetown.

The Norwegian Consumer Council made waves in early 2021 after its complaint to Norway's data protection authority, Datatilsynet, against Grindr resulted in an intention to fine the company $12 million, the highest fine ever levied by the nation's DPA. Grindr responded to the proposed enforcement action, arguing it has refined its consent mechanism, but the case isn't over. The NCC has long worked with other advocacy organizations to bring protections and awareness for consumers around privacy issues in the marketplace. In 2018, they released an in-depth report on "dark patterns" to demonstrate how companies nudge users into making decisions that may not always be in their best interest. IAPP Editorial Director Jedidiah Bracy, CIPP, recently caught up with the NCC's Finn Myrstad to discuss the NCC's case against Grindr and, more broadly, what companies can do to avoid using dark patterns at the expense of their users.