Serious Privacy

Dr. K Royal, Paul Breitbarth & Ralph O'Brien
Jun 30, 2021 • 30min

Impatiently Awaiting the Colorado Privacy Act

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the potential new law for Colorado, the Colorado Privacy Act, SB21-190. On June 8, it was passed by the House, meaning it is now ready for the governor’s signature. If it passes, it will be the third state omnibus privacy law in the US, with Virginia having passed the Consumer Data Protection Act (CDPA) earlier this year and of course, the California Consumer Privacy Act (CCPA). In this episode, we cover elements such as government practices, individual rights, the extensive opt outs, and key definitions. For example, one topic is centered on how in Colorado bills can become law by “letting it ride” after 30 days - and why Colorado has 30 days for the governor to sign. This contrasts with the federal provision of the pocket veto. Join us as we discuss the specifics of the potential Colorado Privacy Act, its penalties, and its comparisons to the CCPA, Virginia CDPA, and the GDPR. More detail on the Colorado Privacy Act can be found on TrustArc’s website, where we provide extensive detail in a series of four blogs: Part I - a general overview with key definitions and enforcement; Part II - individual rights; Part III - special processing activities and opt outs (sales of data, profiling, targeted ads); Part IV - responsibilities of the parties and contracts. If you did not catch today's webinar on the SCCs and EU activities, please feel free to watch it - hot off the presses with both Paul and K. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.
Jun 23, 2021 • 43min

Ready to Rumble: Breaking Down the EDPB Guidance

On 21 June 2021, the European Data Protection Board (EDPB) released the long-awaited updated Recommendations on possible supplementary measures when transferring personal data out of the European Economic Area (EEA). These Recommendations align with the new Standard Contractual Clauses for International Transfers that were released by the European Commission on 4 June 2021 and require organisations to conduct third country risk assessments before transferring personal data. In this episode, Paul Breitbarth and K Royal discuss the details of the new European guidance, but also comment on how to do all this work in practice. Is it, for example, reasonable to expect such detailed assessments from companies? Is the risk-based approach really back? And how does all of this guidance relate to the whole debate about the scope of application of the GDPR? The lawyers in Paul certainly don’t seem to agree on the interpretation of the GDPR… As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favourite podcast app. Resources: TrustArc has a website providing further guidance on International Data Transfers. Paul and K are doing a webinar on International Transfers on 30 June 2021 at 11am ET. You can register here.
Jun 16, 2021 • 42min

Privacy Politics: The Game in Arizona (AZ Rep. Domingo DeGrazia)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal connect with Representative Domingo DeGrazia of the Arizona House of Representatives to discuss the privacy legislation he has proposed (HB 2865), but which has not gained significant ground in Arizona. He is a licensed attorney, has professional experience in aerospace and computers, and is a Certified Information Privacy Professional / US through the International Association of Privacy Professionals. This was his third year proposing privacy law for Arizona and he intends to continue. In speaking with Rep. DeGrazia, Paul and K were interested in his philosophy, drivers, and influencers towards state privacy law. The conversation includes elements on how bills are passed on a state level, including one-year versus two-year legislatures. Arizona has a one-year session, so bills that do not pass must be filed again the next year. He also discusses how he was motivated by the Washington proposed privacy act (the most recent that did not pass, SB 5062), the California Consumer Privacy Act, and the European Union’s General Data Protection Regulation - and you can see these influences in his bill. Join us as we discuss private right of action, data breach notification, and the level of education that needs to happen for legislators to understand the importance of privacy law. Rep. DeGrazia shared his thoughts on a federal privacy law, too. We also discuss Arizona’s inclusion of privacy in its constitution, one of only eleven (11) states to do so, along with a (very brief) mention of a recent Arizona Supreme Court case, Arizona v. Mixton, which involved privacy. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
Jun 8, 2021 • 48min

SCCs Are Here But Far From Standard

On this week's episode of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the new Standard Contractual Clauses (SCCs) for international transfers that were adopted by the European Commission on 4 June 2021. These model contracts, which come in four modules, finally replace the old SCCs, some of which date back to the early 2000s. The modernised versions are fully GDPR compliant, embrace the accountability principle and include many requirements to address the limitations set by the Schrems II decision. Listen to the conversation to get a better understanding of what the new SCCs entail and how they can (and cannot) be used by organisations. You will hear more about why some non-European companies will not have to use SCCs going forward, but also on the assessments that you will need to undertake. Since recording the episode, the timelines for the Transfer SCCs have become clear too: 27 June 2021 - the new SCCs become applicable; 27 Sept 2021 - the old SCCs become invalid for new contracts; 27 Dec 2022 - all SCC-based contracts will need to be updated. Resources: TrustArc blog introducing the new SCCs; TrustArc microsite with all international transfer related information. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
Jun 1, 2021 • 43min

Cyber Crisis: Security Matters (Dr. Eric Cole)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal connect with Dr. Eric Cole on the release today of his new book, Cyber Crisis - Protecting Your Business from Real Threats in the Virtual World. Fascinating insight, especially given the Colonial Pipeline incident recently, but a book that is not intended to be fairytales and happily-ever-afters. Dr. Cole holds a master’s degree in computer science from New York Institute of Technology and a doctorate from Pace University, with a concentration in information security. He was a CIA hacker, a member of the commission on cybersecurity for the forty-fourth president and is a member of several executive advisory boards, including the Forbes Technology Council. He was inducted into the 2014 Infosecurity Hall of Fame. This is his seventh book, and he not only knows this subject well, he knows how to present it so we understand it. In this episode, we dive deep into the connection between cybersecurity and privacy. Coincidentally, the Transportation Security Administration (TSA) just released its first ever regulation on pipeline companies - which includes cyberprotection and breach response. He also provides guidance, such as that two-factor authentication truly is the best deterrent the average person can put in place to secure their accounts. If someone hijacks your accounts and implements it before you do, you will have a Herculean task to recover your own accounts. As he states in chapter 8, “In cyberspace, it’s anarchy, and in anarchy, you need to protect yourself.” Join us as he shares the top 4 things that need to be addressed to keep data secure. We also discuss the relationships between privacy and security, the typical CEO perspective on privacy officers, and how hundreds of thousands of offices were opened due to COVID… and we still are not addressing remote work protocols. Lastly, did you know that ethical criminals make a difference in the ransomware world?
As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
May 25, 2021 • 39min

There is no "ish" in privacy: GDPR 3-5 years later

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the European Union’s General Data Protection Regulation, because three years ago from the day this episode was released (May 25, 2021), the GDPR went into effect. And whether you consider it three years or five (per this Twitter debate), it was a world-changing event. In this episode, they talk about the changes seen in the past three years, including the two years before that when the GDPR was passed. They discuss penalties and amounts known, but also the most frequent violations. Companies can learn a lot by looking at enforcement to know where to prioritize their compliance activities - or at least what to check to make sure it is properly in place. They discuss locatemyfamily.com, which has been in the news lately, including for not appointing a European representative, and the challenges the data protection authorities faced to investigate the complaints across the ocean. In addition, they discussed how the GDPR impacted US legislation, such as the concept of controllers and processors, and the definition of sensitive personal data. The GDPR influenced the California Consumer Privacy Act (CCPA), or more so the California Consumer Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA) - the latter two take effect in 2023. There is discussion of the importance of EU representatives - and there is a passing mention of the upcoming standard contractual clauses. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
May 20, 2021 • 40min

Data Secrets (with Ray Everett)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal connect with Ray Everett, Founding Member & Chief Privacy Intelligence Officer at Data Secrets, a company that develops solutions focused on identifying risk wherever applications are accessing your data -- in the public cloud, in SaaS applications, and on-premise. He has a long history working as a privacy professional, including at TrustArc, and was appointed as the first Internet-era Chief Privacy Officer in 1999 - starting with speaking on a U.S. Federal Trade Commission panel as a law student and moving into founding what is now the International Association of Privacy Professionals (#IAPP). In this episode, we talk about APIs and SDKs - the benefits and challenges, along with managing them in a world that focuses on privacy and data protection. This brings in the requirement for data inventories and visibility into the movement of data, which is critical to identify early if there has been a data breach or unauthorized data access. Join us as we explore mobile apps, AI, and external storage considerations. The conversation ranges from Privacy by Design to DevOps, focusing on understanding the movement of data as well as why understanding the movement is important. As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
May 12, 2021 • 41min

Radically Open-Minded on Privacy (with Seán Dunne)

In this episode of Serious Privacy, Paul Breitbarth and K Royal connect with the Global Privacy Officer at GameStop, Seán Dunne. He really knows the company well, given that he started in retail operations almost 12 years ago. Now, he is responsible for global data protection compliance with laws ranging from the familiar GDPR and CCPA, to the less well known Canadian anti-spam legislation, and the privacy laws of Australia and New Zealand. This is quite the perspective to share with our listeners who are curious about the challenges one faces with a truly global privacy office that includes major operations in the US, Canada, Australia, and New Zealand, but is based in Europe. GameStop operates on multiple fronts with online and brick and mortar locations, multiple streams of operations and data flows, and has consumers at various ages. It is quite complex, but fascinating to understand his priorities, challenges, and daily approach. We spoke about an EU privacy person managing the US privacy operations (particularly challenging), new state laws, the possibility of a federal law in the US, Privacy Shield, SCCs, and the criticality of a privacy dictionary. Join us as we discuss global privacy operations, preferences for “data protection” versus “privacy,” and the skills needed to be a successful privacy professional. Coming from the tech side of business, Seán has interesting insight on collaboration. As always, if you have comments or feedback, please contact us at seriousprivacy@trustarc.com.
May 5, 2021 • 38min

You have the Right to Rights in Law Enforcement (with Katherine Quezada Tavárez)

Every year, in the final week of January, privacy professionals from around the world assemble in the north of Brussels for the Computers, Privacy and Data Protection Conference. In recent years, on the final day, the European Data Protection Law Review awards a young scholar award and hosts a panel to discuss the nominated papers. In this episode of Serious Privacy, Paul Breitbarth and K Royal host the third of this year’s three finalists for the EDPL Award. Please join us for a conversation with Katherine Quezada Tavárez, a legal researcher at KU Leuven Centre for IT & IP Law (CiTiP) and LLM graduate of the Catholic University of Leuven, Belgium, who also holds a law degree from the Universidad Autónoma de Santo Domingo in the Dominican Republic, her mother country. Katherine wrote her paper on the Impact of the Right of Access in the Balance between Security and Fundamental Rights, not just focusing on the GDPR, but also on the EU’s Law Enforcement Directive and the so-called PNR Directive (Passenger Name Record), on the collection and use of travellers’ data for law enforcement and counter terrorism purposes. Join us as we discuss the rights individuals have to data held by law enforcement and why it is important that people know of these rights. Katherine provides some examples of how individuals may be impacted by incorrect information - which, as you can imagine, could have disastrous consequences. Her main focus is on balancing the needs of the community (law enforcement) with the needs of the individual. Along the way, we also touch on Malta, the Dominican Republic, and FOIA (Freedom of Information Act in the U.S.). As always, if you have comments or feedback, please contact us at seriousprivacy@trustarc.com.
Apr 28, 2021 • 40min

Oh what a week in privacy with Paul and K

In this episode of Serious Privacy, Paul Breitbarth and K Royal tackle the slew of developments (or non-developments) in privacy around the world. What a week in privacy! We had the proposal for AI Regulation published in the EU, the UK adequacy opinion, and of course, several privacy bills in states around the US, and the United States Supreme Court decision in AMG Capital Management, LLC et al. v. Federal Trade Commission, decided the morning of the episode recording. The AI proposal has garnered much conversation, such as in this article by Politico and the summary by Dr. Gabriela Zanfir-Fortuna of the Future of Privacy Forum. Paul and K discuss various aspects of the proposal including a few unexpected recommendations, or lack thereof. However, the UK adequacy opinion was not as surprising, but quite interesting. Once we turned to the US and state privacy bills, the end was near for several key states, and by the time this episode is live, we know that the Washington bill is dead once again. However, there remains hope for a couple of others given the dates of when sessions end, such as Florida - which we should know in a few days - it is scheduled for its third reading at this time. About 15 states still had bills at the time (see webinar on update by TrustArc on state privacy bills), and of course, the next legislative season may see more change. The FTC decision by the USSC was top of mind given its impact on FTC authority, which also led to discussions of the federal privacy bill by Rep. DelBene which proposes quite an expansion of FTC authority. Please see this statement released by the FTC on the matter. This case was reminiscent of a prior case with LabMD (yes, different enforcement actions, but still speaking to FTC authority). Join us as we discuss these developments and more in this episode of Serious Privacy. As always, if you have comments or feedback, please contact us at seriousprivacy@trustarc.com.