The Privacy Advisor Podcast

The complexity and significance of international data flows have long been one of the major issues for privacy and digital responsibility professionals. In the last decade, two major frameworks - the EU-US Safe Harbor and EU-US Privacy Shield agreements - were both invalidated by the Court of Justice of the European Union. The EU-US Data Privacy Framework, however, remains intact, though it has faced one legal challenge in the last year. Bill Guidera, who serves as deputy assistant secretary in the U.S. International Trade Administration, leads a team that helps drive policy conditions for US digital, financial, supply chain and other service industries to innovate domestically and abroad. The team plays a significant role in administering and overseeing the DPF and plays a key leadership role on behalf of the US in the Global Cross-Border Privacy Rules Forum. IAPP Editorial Director Jedidiah Bracy caught up with Mr. Guidera to discuss how the DPF is faring, the Latombe legal challenge to the framework, as well as the latest updates to the CBPR Forum, recent reciprocal trade agreements with Argentina and Bangladesh, and the ITA's work in artificial intelligence. Here's what he had to say.

It's no secret that large language models and artificial intelligence systems require massive amounts of data, which often runs up against fundamental privacy principles like purpose limitation and data minimization. Privacy and data protection laws - like the EU General Data Protection Regulation - feature concepts like the right to be forgotten and data subject access requests. But these are often in tension with modern AI systems. Some tools, however, are emerging. One of those methods is "machine unlearning," a suite of approaches to help remedy deletion requests of information that's already been used to train an AI model. Jevan Hutson, acting assistant professor and director of the Tech-Law Clinic at the University of Washington School of Law, recently co-wrote a law review article on machine unlearning and its implications for privacy law. In this episode, Hutson explains the concept of machine unlearning and how its suite of techniques can add to the tool belts practitioners and regulators alike.

The Asia-Pacific region is home to more than half the world's population - at 60% - with approximately 4.75 billion people. In recent years, India and Vietnam, to name just two, have enacted comprehensive data protection laws. Near the end of 2025, India finalized its highly anticipated regulations for the Digital Personal Data Protection Act and Vietnam's Personal Data Protection Law became effective on the first of January this year. Hogan Lovells Partner Charmian Aw has long practiced in the region, specializing in APAC data protection, privacy, AI governance and cybersecurity law and offers developments of the region in the IAPP's Asia-Pacific Dashboard Digest. She also joined the IAPP Publications Advisory Board this year. While attending the UK Data Protection Intensive in London, IAPP Editorial Director Jedidiah Bracy sat down with Charmian Aw to discuss the latest developments in the region, specifically regarding India and Vietnam. Here's what she had to say.

The California Privacy Protection Agency was formed six years ago as mandated by the California Privacy Rights Act. As the first dedicated privacy regulator in the U.S., CalPrivacy - as it's called colloquially - implements and enforces both the CPRA and California Consumer Privacy Act. Under the state's Delete Act, it also oversees California's data broker registry and the Delete Request and Opt-Out Platform, known as DROP. Tom Kemp serves as executive director for CalPrivacy and is almost a year into his tenure after taking on the role in April 2025. On 1 January 2026, the DROP system went into effect and now boasts more than 215,000 registrants with more than 500 registed data brokers. The agency is also implementing a number of regulations in the state, including for automated-decision making, risk assessments and cybersecurity audits. IAPP Editorial Director Jedidiah Bracy caught up with Tom Kemp to learn more about the DROP system and the agency's priorities in the year to come.

Omer Tene, a partner at Goodwin and an expert in data protection and AI governance, discusses the pivotal shifts ahead for digital policy in 2026. He highlights the impact of changing geopolitics on data regulations and the push for digital sovereignty in Europe. Tene also delves into the complexities of U.S. state AI laws, emphasizing the need for companies to navigate this evolving landscape. Furthermore, he addresses the growing concerns around kids' online safety and predicts a surge in privacy regulations and enforcement in the coming year.

Laura Caroli, a former lead negotiator for the EU AI Act and seasoned expert in AI governance, shares her insights on the recent changes proposed in the EU's Digital Omnibus package. She critiques delays in regulating high-risk AI, emphasizing the legal oddities and implications for compliance. Caroli discusses the challenges member states face in enforcement readiness and the influence of industry on standardization processes. She also warns about weakened AI literacy obligations and the ramifications of removing registration for non-high-risk systems, predicting a complex negotiation landscape ahead.

Lorrie Cranor has long been a leader in the privacy space. As Director and Bosch Distinguished Prof. in Security and Privacy Technologies at Carnegie Mellon's CyLab Security and Privacy Institute, Prof. Cranor is on the cutting edge of usable privacy and security. Her work has influenced researchers to view privacy as a fundamental design standard rather than an abstract ideal and has helped reshape the technology field with more than 200 co-authored research papers on online privacy and security. She has also served as chief technologist at the US Federal Trade Commission and co-founded Wombat Security Technologies, among many other initiatives. Much of her work has focused on understanding how people interact with digital systems and where those systems failed. But, Prof. Cranor is also a mom and has raised three children. She has published new, illustrated book, called Privacy Please!, which Is geared for children aged 4-6, to help them and their parents understand what privacy means and why it matters. IAPP Editorial Director Jedidiah Bracy caught up with Prof. Cranor to discuss her new book, what inspired it, and how this book can help children develop a sense of privacy, autonomy and expression. We also discuss some of the broader children's privacy issues that are emerging in jurisdictions around the world, including through social media bans and age verification laws. Here's what she had to say.

Anu Talus, the newly elected Chair of the European Data Protection Board, dives into the complexities of GDPR and its ongoing evolution. She highlights the Helsinki Statement aimed at simplifying compliance for SMEs and discusses the importance of consistent cross-border enforcement. Talus emphasizes the need for transparency in AI and the balance between data protection and innovation. She also touches on draft opinions regarding the UK's adequacy and the significance of engaging with other nations to ensure collaborative data protection efforts.

As artificial intelligence continues to coalesce in the modern economy, AI governance only grows in significance. Brenda Leong, director of ZwillGen's AI division, and Andrew Burt, CEO of Luminos, have long been on the front lines of AI's emergence and busy helping organizations navigate this space. In a first for The Privacy Advisor Podcast, we're featuring a guest host, my colleague Alex LaCasse, a staff writer here for the IAPP. LaCasse has been covering compliance technology for the IAPP in recent years and recently caught up with Leong and Burt to learn more about their work in AI governance and the strategies and tools they leverage to help companies maintain customer trust.

Ulrich Baumgartner, a partner at Baumgartner Baumann and data protection expert, discusses the landmark CJEU ruling on personal data. He unpacks the shift from an absolutist to a relative approach to identifiability, clarifying implications for GDPR compliance. The conversation touches on pseudonymization, the needed revisions in EDPB guidance, and the potential impacts on data processing agreements. Baumgartner also highlights the emerging relevance of privacy-enhancing technologies as legal definitions evolve, offering actionable insights for data professionals.