Serious Privacy

Dr. K Royal, Paul Breitbarth & Ralph O'Brien
Aug 18, 2021 • 42min

Privacy does not take vacations - Just another week in privacy

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the summer news. From a major GDPR fine (CNIL, WSJ, LQDN), to a tech company planning to monitor smartphones for child pornography (WaPo, IAPP), and from CCPA enforcement in California to cookie consent banner complaints (noyb), it is all discussed during this episode. If you want to stay up to date on a daily basis with all the privacy news and its implications for global data protection compliance, why not take a look at TrustArc’s suite of Nymity products dedicated to privacy knowledge?

Also referenced in this episode:
- Our recent webinar on privacy and health data
- Our forthcoming webinar on the Brazilian LGPD
- The U.S. Supreme Court judgment in TransUnion LLC v. Ramirez
- Use of ANPR cameras for facial recognition (NRC, in Dutch)
- Vacancy for the position of Executive Director of the California Privacy Protection Agency
- The Mintz Matrix for data breach notification requirements
- Appointments to the Brazilian CNPD (in Portuguese)
- Future of Privacy Forum paper on Health Data

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.

If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
Aug 11, 2021 • 34min

Inside the Red Cross: Privacy in Humanitarian Action (Massimo Marelli)

This week, #SeriousPrivacy is in summer mode, with a special episode from the borders of Lake Geneva in Switzerland. Paul Breitbarth had the opportunity to speak to Massimo Marelli, Head of the Data Protection Office of the International Committee of the Red Cross and the Red Crescent (ICRC). Massimo is one of the authors of the Handbook on data protection in humanitarian action, and leads the various efforts of the ICRC to meet data protection standards both at headquarters and in the field.

K Royal provides a short introduction explaining a little about the definition of "international organization" in Article 4 of the GDPR: "‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries." As promised, here is a list of international organizations.

In this episode, you will hear about why data protection would matter in a humanitarian crisis situation, how the ICRC is dealing with personal data across the board and what efforts are made to raise awareness for data protection in other humanitarian organisations. Part of the awareness raising effort is the Data Protection Officer (DPO) Humanitarian Action Certification that was recently launched by Maastricht University and is supported by TrustArc.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
Aug 4, 2021 • 39min

Leaping the DPO divide: All about DPOaaS (Tash Whitaker)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal meet up with Tash Whitaker, who is an outsourced DPO as a service. Not all organizations have the capability to organise the DPO role in house. Maybe they are too small, or they are just lacking the right people or qualifications to take on the role. For those companies, the outsourced DPO is a great option to consider.

A year after the entry into force of GDPR, the IAPP estimated that already some 500.000 organisations had appointed and registered a data protection officer, and that number has only grown since. And Europe is of course not the only region in the world that knows the mandatory requirement to appoint a DPO. And then we are not even talking about the voluntary appointment of a DPO, in order to ensure that organisations have their data processing operations under control.

Join us as we discuss challenges and surprises in an outsourced role of DPO, helpful both for companies who realize they need a DPO but are not sure how to obtain one and for those privacy professionals thinking of making the leap off the corporate bridge. And always, the solution for a successful internal or external DPO is the TrustArc Platform - we don't talk about products much in the podcast, so please do contact sales@trustarc.com for information on our solutions - especially Privacy Central!

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
Jul 21, 2021 • 46min

DIY Privacy: Lighting the way for new privacy officers (Emerald de Leeuw)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal met with Emerald de Leeuw, Global Head of Privacy at Logitech. She has a wealth of experience in the tech markets, being an entrepreneur, and a high-level executive in a global and male-dominated field. In this episode, we want to leverage her experience in coming into a company: what do you focus on first? Do you do a risk assessment, meet the key players, review the policies, what? Where do you start?

Along the way, we also touch on some of the current topics in privacy, cybersecurity, and data protection. Other topics included technology and its advances as well as how COVID has impacted the way the privacy office works. Do we need to be in person? Are we equipped to work remotely? What are we missing if we don’t have water cooler conversations?

Join us as we discuss this and more: what should new privacy officers do when they start a new job? What is key to your success? And a little about DIY home projects and West Wing.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
Jul 14, 2021 • 41min

Fast Privacy: Updates and Fan Questions

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal covered a broad range of privacy developments along with responding to questions from listeners. New developments include the new Colorado Privacy Act, SB21-190. Signed by Governor Jared Polis on July 7, it is now the third state omnibus privacy law in the US, with Virginia having passed the Consumer Data Protection Act (CDPA) earlier this year and of course, the California Consumer Privacy Act (CCPA). We have a 4-part series on the Colorado Privacy Act. We also did a podcast on it a little while back.

In this episode, we also discussed the anniversary of Schrems II, the ongoing efforts to establish a Privacy Shield replacement, international data transfers, and GDPR validation (TrustArc has you covered on both of the latter two). And during the episode, there are references to guidance on Codes of Conduct that has now come out by the European Data Protection Board (we'll get you more information!) or in relation to US state laws, Ohio just had its privacy bill introduced. Privacy things happen quickly.

Join us as we also discuss some basic topics such as business and publicly available personal information (the difference between Europe and US), interacting with individuals (who are not controllers as noted in EDPB guidance), EU data centers, and UK surveillance. Some of the items were driven by fan questions, so please keep sending them in, such as on the LinkedIn page for Serious Privacy.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
Jul 7, 2021 • 43min

Of Tigers and Laws: UK Adequacy Assessed - with Ralph O'Brien

On 28 June 2021, the European Commission announced it has approved two adequacy decisions for the United Kingdom (UK). With these decisions, one under the General Data Protection Regulation (GDPR) and one under the European law enforcement directive, the Commission confirms the UK offers a level of data protection that is essentially equivalent to that in the European Union (EU). With this hurdle out of the way, personal data can continue to flow freely from the EU to the UK, without the need for additional safeguards or regulator approval. The free flow of data in the other direction, from the UK to the EU, had already been confirmed by the British government at the time the UK ceased being a member of the EU.

But will the UK adequacy decisions stand the test of time? Not only do they expire automatically after four years, but the opponents are also sharpening their knives for a challenge in court. And the UK Government seems eager to drop the memory of the GDPR, and to replace the UK GDPR with a more trade and business friendly data protection law. This week, Paul Breitbarth and K Royal discuss the details of the UK adequacy decisions and the future of data protection law in Britain with our own UK expert Ralph O'Brien.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.

Resources:
- TrustArc Blog on the UK Adequacy Decisions
- Webinar on EU International Transfer developments
- TrustArc Microsite on international data transfers
Jun 30, 2021 • 30min

Impatiently Awaiting the Colorado Privacy Act

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the potential new law for Colorado, the Colorado Privacy Act, SB21-190. On June 8, it was passed by the House, meaning it is now ready for the governor’s signature. If it passes, it will be the third state omnibus privacy law in the US, with Virginia having passed the Consumer Data Protection Act (CDPA) earlier this year and of course, the California Consumer Privacy Act (CCPA).

In this episode, we cover elements such as government practices, individual rights, the extensive opt outs, and key definitions. For example, one topic is centered on how in Colorado bills can become law by “letting it ride” after 30 days - and why Colorado has 30 days for the governor to sign. This contrasts with the federal provision of the pocket veto. Join us as we discuss the specifics of the potential Colorado Privacy Act, its penalties, and its comparisons to the CCPA, Virginia CDPA, and the GDPR.

More detail on the Colorado Privacy Act can be found on TrustArc’s website, where we provide extensive detail in a series of four blogs:
- Part I - a general overview with key definitions and enforcement
- Part II - individual rights
- Part III - special processing activities and opt outs (sales of data, profiling, targeted ads)
- Part IV - responsibilities of the parties and contracts

If you did not catch today's webinar on the SCCs and EU activities, please feel free to watch it - hot off the presses with both Paul and K.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app. We also have a LinkedIn page for Serious Privacy, so please follow for more in-depth discussion.
Jun 23, 2021 • 44min

Ready to Rumble: Breaking Down the EDPB Guidance

On 21 June 2021, the European Data Protection Board (EDPB) released the long-awaited updated Recommendations on possible supplementary measures when transferring personal data out of the European Economic Area (EEA). These Recommendations align with the new Standard Contractual Clauses for International Transfers that were released by the European Commission on 4 June 2021 and require organisations to conduct third country risk assessments before transferring personal data.

In this episode, Paul Breitbarth and K Royal discuss the details of the new European guidance, but also comment on how to do all this work in practice. Is it for example reasonable to expect such detailed assessments from companies? Is the risk-based approach really back? And how does all of this guidance relate to the whole debate about the scope of application of the GDPR? The lawyers in Paul certainly don’t seem to agree on the interpretation of the GDPR…

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favourite podcast app.

Resources:
- TrustArc has a website providing further guidance on International Data Transfers
- Paul and K are doing a webinar on International Transfers on 30 June 2021 at 11am ET. You can register here.
Jun 16, 2021 • 42min

Privacy Politics: The Game in Arizona (AZ Rep. Domingo DeGrazia)

On this week of #SeriousPrivacy, Paul Breitbarth and K Royal connect with Representative Domingo DeGrazia, of the Arizona House of Representatives, to discuss the privacy legislation he has proposed (HB 2865), but which has not gained significant ground in Arizona. He is a licensed attorney, has professional experience in aerospace and computers, and is a Certified Information Privacy Professional / US through the International Association of Privacy Professionals.

This was his third year proposing privacy law for Arizona and he intends to continue. In speaking with Rep. DeGrazia, Paul and K were interested in his philosophy, drivers, and influencers towards state privacy law. The conversation includes elements on how bills are passed on a state level, including one-year versus two-year legislatures. Arizona has a one-year session, so bills that do not pass must be filed again the next year. He also discusses how he was motivated by the Washington proposed privacy act (the most recent that did not pass, SB 5062), the California Consumer Privacy Act, and the European Union’s General Data Protection Regulation - and you can see these influences in his bill.

Join us as we discuss private right of action, data breach notification, and the level of education that needs to happen for legislators to understand the importance of privacy law. Rep. DeGrazia shared his thoughts on a federal privacy law, too. We also discuss Arizona’s inclusion of privacy in its constitution, one of only eleven (11) states to do so, along with a (very brief) mention of a recent Arizona Supreme Court case, Arizona v. Mixton, which involved privacy.

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
Jun 8, 2021 • 49min

SCCs Are Here But Far From Standard

On this week's episode of #SeriousPrivacy, Paul Breitbarth and K Royal discuss the new Standard Contractual Clauses (SCCs) for international transfers that were adopted by the European Commission on 4 June 2021. These model contracts, which come in four modules, finally replace the old SCCs, some of which date back to the early 2000s. The modernised versions are fully GDPR compliant, embrace the accountability principle and include many requirements to address the limitations set by the Schrems II decision.

Listen to the conversation to get a better understanding of what the new SCCs entail and how they can (and cannot) be used by organisations. You will hear more about why some non-European companies will not have to use SCCs going forward, but also on the assessments that you will need to undertake.

Since recording the episode, the timelines for the Transfer SCCs have become clear too:
- 27 June 2021 - the new SCCs become applicable
- 27 Sept 2021 - the old SCCs become invalid for new contracts
- 27 Dec 2022 - all SCC-based contracts will need to be updated

Resources:
- TrustArc blog introducing the new SCCs
- TrustArc microsite with all international transfer related information

As always, if you have any questions or comments, please feel free to contact us at seriousprivacy@trustarc.com. In addition, if you like our podcast, please do rate and comment on our program in your favorite podcast app.
