Masters of Privacy

Latest episodes

Mar 3, 2023 • 25min

Joana Mota: Privacy compliance in a web3 world

Joana is Partner at Cuatrecasas, where she leads the Technology, Media and Telecom team. She has also worked for 3 years at ANACOM, Portugal's telecom and media regulator and one of the two supervisory authorities when it comes to the ePrivacy Directive in Portugal, the other being the Portuguese Data Protection Authority. Besides being fully versed in the opportunities presented by blockchain technologies, and having advised startups in the crypto space, Joana is co-author of the chapters on Portugal in The Privacy, Data Protection and Cybersecurity Law Review, 7th Edition (2020) as well as other relevant publications, and I was happy to find out that she is also a Queen Mary’s University alumna (as I am myself).

With Joana we will cover:
- Challenges of decentralized technologies in the management of personal information
- The web3 opportunity for increased individual agency and control
- Specific issues: right to be forgotten, international data transfers, roles (who is a data controller?), data breaches
- The European Digital Identity

References:
- Joana Mota Agostinho on LinkedIn
- Chris Topalis (2021): Web3 & DAOs, What are they?
- Elizabeth Renieris (2019): Forget erasure. Why blockchain is really incompatible with the GDPR
- Introduction to the European Digital Identity initiative

Feb 17, 2023 • 22min

Sunny Kang: Machine Learning meets Privacy Enhancing Technologies

Sunny Seon Kang is Global Privacy Counsel at VISA, specializing in AI Governance and Privacy Enhancing Technologies. She is well versed in comparative privacy law across the US, the EU and the UK. She has studied at Stanford and Berkeley in the US, as well as UCL in London, and is a member of the New York Bar.

With Sunny we are discussing a highly complex but very exciting topic: Privacy-Preserving Machine Learning, as well as a more generic understanding of Privacy Enhancing Technologies.

References:
- Sunny Seon Kang on LinkedIn
- US Algorithmic Accountability Act (Proposal)
- EU AI Regulation (Proposal)

Jan 19, 2023 • 35min

Tim Walters: The bigger picture on Facebook and Instagram being deprived of a contractual legal basis

Tim Walters is a strategist, analyst, advisor, and speaker sitting at the intersection of data privacy, customer experience, and marketing strategy. Privacy Lead at Content Advisory, as well as founder of Zero Theory, Tim previously founded The Digital Clarity Group. He has also been a Senior Analyst at Forrester Research.

Some of his keynotes and publications include: “The Total Impossibility of Customer Experience Management”, “Data Privacy Goes Mainstream: An Unexpected Opportunity For Customer Experience”, and “Trust Is Imperative in the Customer Experience Era.”

References:
- Tim Walters on Twitter
- Tim Walters on LinkedIn
- Ireland’s Data Protection Commissioner decisions on Facebook and Instagram
- An analysis of the DPC decisions, the options on the table, and some potential consequences (Sergio Maldonado)
- Peter Hense on Masters of Privacy: How first-party data will kill CMPs

Dec 15, 2022 • 35min

Jose Belo: Artificial Intelligence in MarTech and AdTech

Jose Belo (FIP, CIPP/E, CIPM) is a legal professional and Data Protection Officer, specialized in data protection, privacy and compliance. Jose is currently an International Research Fellow at the ISLC at the University of Milan (Italy). His last professional engagement was as Head of Data Privacy at Valuer.ai, an AI-powered tech company from Copenhagen, Denmark. Since January 2022, Jose has been appointed as a Member of the IAPP European Advisory Board. Jose is also, currently, co-chair of the IAPP Copenhagen Chapter. Formerly, Jose was co-chair of the Portugal and Luxembourg Chapters of the IAPP.

We cover, in this order:
- The need for data protection professionals to take on AI-related compliance challenges
- How to address upcoming AI-powered MarTech and AdTech scenarios

References:
- Jose Belo on LinkedIn
- Jose Belo at PrivSec Global
- IAPP Contributions by Jose Belo

Nov 25, 2022 • 37min

Sandy Tsakiridi: Practical considerations on AI Governance and the upcoming EU AI Act

Sandy Tsakiridi is a dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London. Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP).

We cover, in this order:
- What can we expect from the upcoming EU Artificial Intelligence Act?
- What does it take to deploy an AI Governance Framework in the Financial Services sector?

References:
- Draft EU AI Act
- Sandy Tsakiridi on LinkedIn
- Recorded contents of the Legal AI Summit (Sandy was a speaker in 2022)
- Upcoming changes to UK Data Protection laws

Nov 18, 2022 • 29min

Brendan Quinn: DPIAs, whistleblowers, collective redress, and the GDPR-DSA interplay

Brendan Quinn (Esq.) is a qualified Irish Solicitor, New York Attorney, and Fellow of the Chartered Certified Accountants (FCCA), holding an LL.M from University College Dublin and Higher Diplomas in Computer Science and Data Analytics, as well as a postgraduate in Financial Technology. He is also the author of Data Protection Implementation Guide: A Legal, Risk and Technology Framework for the GDPR (Wolters Kluwer, September 2021). Among other things, our guest helps innovative software companies in their compliance with Privacy by Design and data security requirements, including data anonymization research and DPIAs.

We cover, in order:
- Things that tend to be missing in Data Protection Impact Assessments (DPIA)
- New avenues for GDPR enforcement stemming from the Whistleblower Directive and the Collective Redress Directive
- Interplay between the GDPR and data protection provisions contained in the new Digital Services Act and Digital Markets Act.

References:
- Data Protection Implementation Guide: Discount code for 25% off on the Wolters Kluwer website (valid until December 31st 2022): 25EOY2022
- Brendan Quinn on LinkedIn
- EU Whistleblower Directive
- EU Collective Redress Directive

Nov 3, 2022 • 31min

Fall 2022 Newsroom: Instagram and Criteo fines, GDPRexit, and the Data Privacy Framework

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

References:
- Full Newsroom (Fall 2022)
- Tara Taubman-Bassirian on the Instagram fine
- Peter Hense on valid consent
- Cory Underwood on Google Analytics and Sephora
- Derek A. Lackey on Joe Biden’s Executive Order (a marketer’s perspective)
- Stephan Grynwajc on Joe Biden’s Executive Order (a lawyer’s perspective)

Selected updates:

Enforcement

Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels.

Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in obtaining valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform.

The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NOYB against companies using either Google Analytics or the Facebook pixel.

Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web.

Legal updates

It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud.

For its part, the UK wants out of the GDPR and this could actually result in a more dynamic environment (it relied on Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives.

Future of media

Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users - starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion.

Oct 27, 2022 • 21min

Stephan Grynwajc: A lawyer’s take on EU-US data transfers and the Canadian approach

Stephan Grynwajc is admitted as a lawyer in the EU, the UK, the US and Canada, having worked as a privacy practitioner and DPO in both Europe and North America for the last 20 years. His own law firm offers external DPO services to EU/UK and US/Canada-based companies. Stephan is also a partner specialized in international privacy at Outside GC, a bicoastal US law firm. Stephan publishes regularly on various privacy topics, including for the IAPP Privacy Advisor. He is also an Adjunct Professor on privacy and data protection at various universities.

References:
- Privacy at the Crossroads: A Comparative Analysis of Regulation in the U.S., the EU and Canada
- Joe Biden’s Executive Order
- Summary of Privacy laws in Canada
- Law Office of S. Grynwajc (and LinkedIn Page)
- Outside GC
- IAPP Privacy Advisor

Oct 21, 2022 • 18min

Derek A. Lackey: A marketer’s take on EU-US data transfers and the Canadian approach

Derek A. Lackey is Managing Director of Newport Thomson, a Privacy Agency based in Toronto. With more than 30 years of marketing, advertising and privacy experience, he is focused on data protection & privacy and its effect on the brand. Derek is the author of “CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians”, and looks to simplify the implementation of new data management practices within organizations.

This will be the first of two separate perspectives on the basic premises that make EU-US data transfers so difficult (in the aftermath of Joe Biden’s Executive Order paving the ground for the Data Privacy Framework). We will also get a first impression of the Canadian scenario as an interesting blend of both approaches.

References:
- Newport Thomson
- Derek A. Lackey on LinkedIn
- Joe Biden’s Executive Order
- Max Schrems’ first reaction to the EO
- CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians

Oct 14, 2022 • 34min

Peter Hense: How first-party data will kill CMPs

Peter Hense is a partner at Spirit Legal, Germany. He specializes in data privacy litigation, particularly in the area of Advertising Technology. In this episode we discuss the uselessness and potential demise of Consent Management Platforms (CMPs) in a first-party data future. We will also touch on Data Clean Rooms and whether they actually deserve the label.

References:
- Peter Hense on Twitter
- Spirit Legal
- Introductory article (Sergio Maldonado)
- Brave’s announcement: Automated removal of consent pop-ups
- Consent-O-Matic: OneTrust files patent to circumvent CMP blockers (Vice Media)
- Tilman Herbrich on Data Clean Rooms
