The Privacy Advisor Podcast

Martin Abrams knows a little something about information privacy and consumer policy. Over the course of the last 40-plus years, Abrams has had his hands in a number of initiatives, including as co-founder and president of the Center for Information Policy Leadership and founder of the Information Accountability Foundation. He took part in the development of the APEC Cross Border Privacy Rules and the OECD's Working Party on Information Security and Privacy. Abram's work on transparency and accountability has been influential on policy makers around the world. At the latest Global Privacy Assembly in Bermuda, Abrams announced he was retiring from his full-time position at IAF and taking more time to be with his family. IAPP Editorial Director Jedidiah Bracy caught up with Abrams to take a look back at his career, the changes he's seen in information policy and where he thinks data policy and regulation are heading.

The EU AI Act negotiations recently hit a major roadblock after EU Council Member States France and Germany unexpectedly pushed back on the European Parliament's draft position on regulating foundation models. The obstacle was so sudden, it appeared the negotiations were in a stalemate. Though the issue has not yet been fully resolved, the Spanish presidency of the EU Council is reportedly working with Member States to find a position that is workable for the European Parliament. This comes as the IAPP hosts its sold out Data Protection Congress 2023 in Brussels, Belgium. To be sure, the foundation model issue is not the only sticking point remaining in the trilogue negotiations. There are others. To get the inside scoop, I had the chance to catch up with EU AI Act co-rapportuer Dragoș Tudorache and Kai Zenner, head of staff for German MEP Axel Voss about the negotiations, the obstacles and whether there will be an agreement before next year's parliamentary elections.

As automated systems rapidly develop and embed themselves into modern life, policy makers around the world are taking note and, in some cases, stepping in. Earlier this year, the Biden-Harris administration took an early step by releasing a Blue Print for an AI Bill of Rights. Comprising five main principles, as well as what should be expected of automated systems, while offering a slate of real-world examples of the potential harms and benefits of artificial intelligence, the Blueprint is a must-read for AI governance and privacy professionals working in the space. Suresh Venkatasubramanian is a Professor of Computer Science and Data Science at Brown University. He also co-authored the Blueprint while serving as Assistant Director for Science and Justice in the White House Office of Technology and Policy. IAPP Editorial Director Jedidiah Bracy recently caught up with Suresh to learn more about his work on the Blueprint, how it fits into the broader spectrum of existing AI guidelines and frameworks, and what professionals should know about this rights-based document.

In June 2013, a series of high-profile U.S. government surveillance disclosures to major media outlets rippled throughout the world and changed the calculus for the privacy profession. Hard to believe it's now been 10 years since an unknown U.S. government contractor leaked to the world massive amounts of information about top secret U.S. intelligence programs. Within weeks, Edward Snowden became a household, if not, controversial name — not only in the privacy profession — but to consumers and citizens far and wide. A lot has transpired since the summer of Snowden in 2013. The U.S. has altered some of its surveillance laws, and the trans-Atlantic relationship between the U.S. and EU has grown complicated after a series of data transfer agreements were struck down by the EU's highest court. The third such agreement is pending. Though the privacy world is constantly changing, it seems fitting to stop and take stock of this last decade to see how much, if anything, has changed. To help measure the ripple effect, IAPP Editorial Director Jedidiah Bracy chatted with IAPP Senior Research Fellow Muge Fazlioglu and Research and Insights Director Joe Jones to uncover what's changed in the U.S. and abroad, as well as how consumer attitudes have evolved since then.

We often focus on consumer policy when discussing privacy laws and obligations, but companies must protect their employee data, as well. Navigating complex employee privacy and labor laws in the U.S., for example, can be challenging, and new state laws, like the California Privacy Rights Act, apply more pressure on privacy pros charged with ensuring employee data is protected and handled appropriately. Littler Mendelson Privacy and Data Security Practice Group Co-Chair Zoe Argento knows the workplace privacy field well and advises clients on a wide range of issues. IAPP Editorial Director Jedidiah Bracy recently caught up with Argento to discuss some of the pressing trends in the workplace privacy space, including CPRA obligations, workplace surveillance and artificial intelligence issues, international data transfers and data security best practices.

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-sourced systems, such as ChatGPT, AI is now consumer-facing and usable. The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems to help manage risk and to promote trustworthy and responsible development of AI systems. As a result, NIST released the AI Risk Management Framework 1.0 along with supplementary documents to help organizations. To learn more about the newly released framework and how organizations should approach it, IAPP Editorial Director Jedidiah Bracy caught up with NIST Research Scientist and Principle Investigator for AI Bias Reva Schwartz.

In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRX $1.5 milllion. Though part of the case involves deception – one of two prongs under the FTC Act – the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues that are embedded in the case, IAPP Editorial Director Jedidiah Bracy caught up with Wilmer Hale Partner Kirk Nahra to discuss some of the takeaways privacy pros in any industry vertical should consider.

Without a doubt, 2022 was a packed year for privacy-related news and developments. But according to Goodwin Partner and IAPP Westin Emeritus Senior Fellow Omer Tene, 2023 is set to call and raise the stakes. To be sure, 2023 didn't hesitate. On Jan. 4, just a few days before we sat down for our interview, the Irish Data Protection Commission levied a massive 390 million euro fine on Meta social networks Facebook and Instagram. Yet, that's only the tip of the iceberg. In this episode of The Privacy Advisor Podcast, which was recorded January 10, IAPP Editorial Director Jedidiah Bracy sat down with Tene to discuss what he thinks will be some of the biggest developments in privacy in 2023, including why he believes a federal U.S. privacy law still has a chance in the new U.S. Congress.

California has long led the way on many privacy-related laws, going back to at least 2002 when it passed the first data breach notification law in the U.S. More recently, passage of the California Consumer Privacy Act and the California Privacy Rights Act has prompted other states to follow suit. Baker McKenzie Partner Lothar Determann has long practiced and taught international data privacy law, and beginning in 2013, published the book, "California Privacy Law." Now in its fifth edition and published by the IAPP for the last three editions, the new edition comes as the CPRA goes into effect, with implementing regulations on the way. IAPP Editorial Director Jedidiah Bracy caught up with Determann to talk about the California's privacy regime, what companies should be doing to comply, what's new in the updated book, and what's on the horizon for federal and state privacy law in the U.S. and beyond.

With the rise of data subject rights in privacy law, privacy practitioners are often challenged with operationalizing what can be a complex and risky endeavor. California, through the CCPA and CPRA, has emerged as a leader on this in the United States. Advocacy organization Consumer Reports has not only been working on policy with states like California on data subject rights but also with industry on standardizing consumer data rights. With a number of companies in the privacy tech vendor space, CR is announcing the open standard called the Data Rights Protocol. It's also in the early stages of acting as an authorized agent on behalf of consumers, with a service its calling Permission Slip. IAPP Editorial Director Jedidiah Bracy talks with Ginny Fahs, associate director of product R&D for Consumer Reports Digital Lab, and Technology Policy Director Justin Brookman, to learn about their open-sourced protocol and what they're doing to help both consumers and organizations operationalize data subject rights.