Masters of Privacy (Sergio Maldonado)
Explorez tous les épisodes de Masters of Privacy
| Date | Titre | Durée | |
|---|---|---|---|
| 28 Jan 2025 | Data Protection vs. Privacy and Data Privacy: a January 28th conundrum | 00:16:47 | |
What should we celebrate on January 28th? What is the difference between Privacy and Data Protection? What about Data Privacy? Will Data Protection (or Data Privacy) evolve to encompass many of the things we now discuss in the context of AI regulation? We have asked Carissa Véliz (Oxford University), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Markus Wünschelbaum (Advisor, Hamburg Data Protection Authority), Brendan Quinn, and Tim Turner. What do you think? Feel free to participate in the conversation by finding this episode’s post on:
References:
| |||
| 19 Jun 2024 | Newsroom: Spring 2024 | 00:22:00 | |
We are closing this season with a Spring Newsroom before we officially kick off the summer, summarizing everything that’s happened in the past quarter across our usual five sections: ePrivacy (enforcement, regulatory updates), MarTech/ AdTech, AI/ Competition/ Digital Markets, PETs/ Zero-Party Data, Future of media. This includes:
A full transcript with links and additional resources can be found on the PrivacyCloud blog.
| |||
| 21 Jan 2022 | Maciej Zawadziński: A future without Google Analytics | 00:26:40 | |
Maciej Zawadziński is an AdTech and MarTech expert, founder of several successful companies and online privacy rights advocate. Striving towards more conscious data use and a healthier digital advertising ecosystem, Maciej is currently devoting his knowledge and skills to developing Piwik PRO – a privacy-focused analytics platform, the perfect alternative to Google Analytics.
We have debated the immediate consequences of recent developments concerning the use of Google Analytics in the European Union, as well as other important topics for Marketing Technology and Digital Analytics professionals: valid consent, sample sizes, the avoidance of cookie banners altogether, and the future of data-driven marketing. References: | |||
| 03 Nov 2024 | Lukasz Olejnik: Propaganda, misinformation, the DSA, Section 230, and the US elections | 00:28:30 | |
Dr Lukasz Olejnik (@lukOlejnik), LL.M, is an independent cybersecurity, privacy and data protection researcher and consultant. Senior Visiting Research Fellow of the Department of War Studies, King’s College London. He holds a Computer Science PhD at INRIA (French Institute for Research in Digital Science and Technology), and LL.M. from University of Edinburgh. He worked at CERN (European Organisation for Nuclear Research), and was a research associate at University College London. He was associated with Princeton's Center for Information Technology Policy, and Oxford's Centre for Technology and Global Affairs. He was a member of the W3C Technical Architecture Group. Former cyberwarfare advisor at the International Committee of the Red Cross in Geneva, where he worked on the humanitarian consequences of cyber operations. Author of scientific articles, op-eds, analyses, and books Philosophy of Cybersecurity, and “Propaganda”. He contributes public commentary to international media. References:
| |||
| 17 Feb 2023 | Sunny Kang: Machine Learning meets Privacy Enhancing Technologies | 00:22:02 | |
Sunny Seon Kang is Global Privacy Counsel at VISA, specializing in AI Governance and Privacy Enhancing Technologies. She is well versed in comparative privacy law across the US, the EU and the UK. She has studied at Stanford and Berkeley in the US, as well as UCL in London, and is a member of the New York Bar. With Sunny we are discussing a highly complex but very exciting topic: Privacy-Preserving Machine Learning, as well as a more generic understanding of Privacy Enhancing Technologies. References:
| |||
| 04 Mar 2024 | Dragos Tudorache: Dealing with foundation models, data protection, and copyright matters in the EU AI Act | 00:32:23 | |
Dragos Tudorache is a Member of the European Parliament and Vice-President of the Renew Europe Group. He is the LIBE rapporteur on the AI Act, and he sits on the Committee on Foreign Affairs (AFET), the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), the Subcommittee on Security and Defence (SEDE), and the European Parliament's Delegation for relations with the United States (D-US). He was the Chair of the Special Committee on Artificial Intelligence in the Digital Age (AIDA). Dragos began his career in 1997 as a judge in Romania. Between 2000 and 2005, he built and led the legal departments at the Organization for Security and Co-operation in Europe (OSCE) and the UN missions in Kosovo. After working on justice and anticorruption at the European Commission Representation in Romania, supporting the country’s EU accession, he joined the Commission as an official and, subsequently, qualified for leadership roles in EU institutions, managing a number of units and strategic projects such as the Schengen Information System, Visa Information System, and the establishment of eu-LISA1. During the European migration crisis, Dragos was entrusted with leading the coordination and strategy Unit in DG-Home, the European Commission Directorate-General for Migration and Home Affairs, until he joined the Romanian Government led by Dacian Cioloș. Between 2015 and 2017, he served as Head of the Prime Minister’s Chancellery, Minister of Communications and for the Digital Society, and Minister of Interior. He was elected to the European Parliament in 2019. His current interests in the European Parliament include security and defense, artificial intelligence and new technologies, transatlantic issues, the Republic of Moldova, and internal affairs. We have addressed the following questions around the new EU AI Act:
References:
| |||
| 20 Oct 2024 | Monica Meiterman-Rodriguez: automation, data minimization and comparative law in DSRs (US focus) | 00:37:48 | |
Monica Meiterman-Rodriguez is a Partner at Tueoris, an international privacy and security consulting firm, currently residing in Barcelona. She utilizes her US law degree and her experience in data protection and privacy to assist global clients in developing, maintaining, or growing their privacy programs. She has experience supporting compliance across global regulations including US state and federal requirements, EU/UK GDPR, PIPEDA, LGPD, etc. in addition to advising on specialized matters in the AdTech space such as targeted advertising, data analytics, AI and growing industry guidance (e.g., IAB, DAA, etc.). Monica is a member of the New York State Bar, New Jersey State Bar, as well as a Certified Information Privacy Professional (CIPP/US/E) and the Chapter Chair of the IAPP in Barcelona (Spain). References:
| |||
| 27 Oct 2022 | Stephan Grynwajc: A lawyer’s take on EU-US data transfers and the Canadian approach | 00:21:27 | |
Stephan Grynwajc is admitted as a lawyer in the EU, the UK, the US and Canada, having worked as a privacy practitioner and DPO in both Europe and North America for the last 20 years. His own law firm offers external DPO services to EU/UK and US/Canada-based companies. Stephan is also a partner specialized in international privacy at Outside GC, a bicoastal US law firm. Stephan publishes regularly on various privacy topics, including for the IAPP Privacy Advisor. He is also an Adjunct Professor on privacy and data protection at various universities. References: | |||
| 22 Dec 2024 | Lokke Moerel: using personal data in the development and deployment of AI models | 00:23:31 | |
Lokke Moerel is a leading global expert on new technologies, Artificial Intelligence (AI), Big Data, and the Internet of Things, as well as Morrison & Foerster’s lead counsel on Binding Corporate Rules (BCR), with vast experience advising multinational companies in obtaining their BCR approvals throughout the EU. She has also authored the leading textbook on the subject, published by Oxford University Press. We recorded this interview prior to the publication of the European Data Protection Board’s opinion on AI models and GDPR principles, following both a discussion paper issued by Hamburg’s Supervisory Authority (“Do LLMs contain personal data?”) and an announcement by the Irish Data Protection Commissioner that it would open an investigation into Google’s PaLM model. A separate interview on the same topic, with Jorge Garcia Herrero, was released last week on our Spanish-language channel. References:
| |||
| 05 Dec 2023 | Renzo Marchini: Unintended consequences of the EDPB’s Guidelines on storage and access beyond cookies | 00:31:00 | |
Renzo Machini is a London-based partner at Fieldfisher's Data and Privacy team. He holds CIPP/E, CIPT and FIP certifications from the IAPP and is well versed in Cloud Computing, Big Data and other technologies overlapping with privacy and GDPR compliance. He has authored "Cloud Computing: A practical introduction to the legal issues" and, prior to becoming a solicitor, he worked for five years as a software engineer at Logica (now CGI), a major independent UK software house. With Renzo we are directly addressing the biggest elephant in the ePrivacy room today: What are the unintended consequences of the EDPB’s recent Guidelines on the technical scope of article 5.3 of the ePrivacy Directive? References:
| |||
| 10 Mar 2021 | Elizabeth Renieris: On the illusion of control and the trade-offs of innovation | 00:27:57 | |
Elizabeth Renieris is the Founding Director of the Notre Dame IBM Technology Ethics Lab, a Technology and Human Rights Fellow at the Carr Center for Human Rights Policy at the Harvard Kennedy School, and a Fellow at Stanford's Digital Civil Society Lab. She's an expert in cross-border data governance, and the ethical and human rights implications of emerging technologies. References: | |||
| 26 Jan 2021 | Dr. Augustine Fou: How AdTech Harms Society And Violates Privacy | 00:39:11 | |
Dr. Augustine Fou is a digital marketer of 25 years, currently working as an independent cybersecurity and ad fraud investigator. He was Chief Marketing Science Officer at the Advertising Research Foundation and Group Chief Digital Officer at Omnicom’s Healthcare Consultancy Group. Dr. Fou taught digital marketing at NYU and Rutgers University and he got his PhD, at the age of 23, in Materials Science & Engineering from MIT. References: | |||
| 17 May 2022 | Spring Newsroom: ePrivacy, MarTech, Competition, Zero-Party Data, and the Future of Media | 00:17:43 | |
Hi again! We are bringing our regular “Newsroom” updates to this channel, covering quarterly news on five particular topics:
We will add relevant links on a subsequent blog post. Please find more information and resources on mastersofprivacy.com | |||
| 18 Jun 2023 | Newsroom: Spring 2023 | 00:46:39 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ Notes: A more comprehensive coverage of all relevant updates can be found on our blog. The topics below have been specifically addressed during this recording: GDPR fines reached a new record when the Irish DPA, following considerable pressure from the EDPB, issued a 1.2bn EUR fine to Meta for its inability to comply with the Schrems II CJEU doctrine. The company behind Facebook, Instagram, and WhatsApp was also asked to cease all data transfers to the US. It was made clear that there is no possible way to either rely on SCCs (already updated to their latest post-Schrems II version, and already complemented with additional safeguards that only stopped short of end-to-end encryption) or any of the available derogations. This leaves the upcoming EU-US Data Privacy Framework as the only way out of the current deadlock, which affects a vast majority of businesses operating in the European Union. LinkedIn is expecting its own GDPR fine in Ireland. Microsoft has set aside $425m for the expected DPC blow, as the supervisor completes an investigation initiated in 2018. The Austrian supervisor sided with NOYB/Max Schrems and considered that a website had breached the GDPR through the inclusion of a Meta/Facebook pixel and Single Sign-On widget (resulting in a personal data transfer to the United States). It appears from the decision that isolating any of these two features would not have made a difference, and, as well explained by Jorge García Herrero (ES), this misses a few key technical details: Whereas the SSO will only result in a transfer of limited information from Meta to the website (ie. In the opposite direction), the Facebook pixel collects entirely new hits or “events” for existing users of the platform. Also, Meta was here considered a mere data processor despite the fact that the company seems to be in full control of the purposes and means of the processing (note: the EDPB Guidelines on targeting social media users make Meta a joint controller in the use of Facebook pixels for paid advertising scenarios). TikTok suffered additional blows on the basis of both the privacy risks entailed in the Chinese Government accessing personal information about US or EU citizens, and the ability of its secret algorithm to curate the specific content made available to said individuals, thus exerting an undesirable level of influence. While its US CEO, Shou Zi Chew, testified before Congress, The US Federal Government, as well as many others throughout Europe, forbid their own personnel the use of the app on their official devices. Montana announced fines for the Google Play and Apple iOS stores if the app was not hidden for Montana-based individuals by January 1st 2024. The EU Commission announced that it would stress-test Twitter’s ability to respond to disinformation in line with the upcoming Digital Services Act to ascertain whether it will already be at risk of breaching the new legal framework before it enters into force on August 25th. The company had announced its withdrawal from a voluntary code of conduct. Filtering out the robots on a given website (through the typical prompt that only a human should be able to respond to successfully) has just become more expensive. France’s CNIL issued an #ePrivacy fine to scooter company Citiscoot for its retrieval of device information in the use of Google reCAPTCHA (it was accompanied by a separate breach of the GDPR due to its excessive collection of geo-location data). For its part, the Finnish DPO ordered (FI) the Finnish Meteorological Institute to disable the same tool (Google reCAPTCHA) on the basis of the resulting EU-US data transfers in the current post-SchremsII scenario - in this case Google Analytics was also involved in this decision for the same reasons, and the Institute ending up removing both tools from its website as well as being asked to delete all of the historical data available. CNIL issued a 380k EUR fine to pan-European medical advice service Doctissimo for various GDPR infringements as well as a breach of the ePrivacy Directive (responsible for 100k of the total amount) consisting in serving two advertising cookies after users have selected the Reject All option in the website’s consent banner. FTC enforcement actions involving the use website/app user data for digital marketing purposes (healthcare, children): GoodRx, Betterhelp, Edmodo, Premom. The CNIL published the results of its own research on the use of cookies (assisted by CookieViz, an auditing tool developed internally, now open sourced) and the evolution of acceptance rates and third party cookie numbers over time. Other than a reminder of the 421 EUR piling up in cookie-related fines since 2020, the report contains interesting conclusions:
The IAB released TCF 2.2 on May 16th, finally removing the extremely confusing legitimate interest selectors for advertising and content personalization, replacing purposes and feature descriptions with a more user-friendly language, standardizing information about vendors, and providing a path for end users to withdraw their consent. CMPs are due to implement these changes by September 30th 2023. Following the TCF 2.2 announcement, Google has started reviewing and certifying Consent Management Platforms introducing new requirements under its Additional Consent Mode specification (important to remember that Consent Mode’s Ghost call is still considered in breach of ePrivacy unless consent is specifically requested). | |||
| 20 Nov 2023 | Arielle Garcia: How privacy awareness leads to respectful, effective marketing | 00:26:38 | |
Arielle Garcia combines a really good understanding of the advertising industry with award-winning expertise in privacy and responsible data use. She is the founder of ASG solutions, a consultancy firm specifically focused on helping marketers drive sustainable growth through respectful marketing and was previously UM Worldwide’s Chief Privacy Officer. She holds a JD from Fordham University and has been recognised as a Top Woman in Media and AdTech by AdExchanger in 2023 (as well by others in prior years). In 2021 she was inducted to the American Advertising Federation’s Advertising Hall of Achievement due to her impact on the industry. What we have covered in this episode:
References: | |||
| 22 May 2024 | Alan Chapell: The many struggles of Google’s Privacy Sandbox, and how to deploy it in compliance with EU and US privacy laws | 00:30:43 | |
Can Google overcome competition and performance concerns to make the Privacy Sandbox a reality? Does it really matter in terms of privacy compliance, in the face of the EU ePrivacy Directive? How would Universal Opt-Outs affect the Topics API in the US? Alan Chapell is outside privacy and AI counsel for dozens of AdTech and Mart¿Tech companies. He started his career in the digital space in 1997 at Jupiter Research and is now the principal analyst at The Chapell Report, which is a monthly report focusing on the intersection between privacy, competition, addressability and AI in the digital media space. Mr. Chapell is board chair of the Network Advertising Initiative, the premier trade association for 3rd party AdTech marketplace. He is also an accomplished musician. His band, “Chapell”, is about to release their 7th album, “The Underground Music Show”, on all major streaming services. References:
| |||
| 06 May 2024 | Stephen Almond (ICO): data protection law as a primary tool to ensure AI governance | 00:25:04 | |
“There is a UK AI Regulation - It is called the UK GDPR” (John Edwards, February 2024). Stephen Almond is Executive Director for Regulatory Risk at the UK’s Information Commissioner’s Office (ICO), leading the teams charged with engineering information rights into the fabric of new ideas, technologies and business models as part of our dynamic digital economy, including through the Digital Regulation Cooperation Forum. Prior to joining the ICO, Stephen led a World Economic Forum initiative to promote the adoption of a more agile, innovation-enabling approach to regulation with governments and tech firms worldwide. He previously worked in leadership roles across the UK Government, including creation of the White Paper on Regulation for the Fourth Industrial Revolution and roll-out of the Regulators’ Pioneer Fund, which invested in regulatory sandboxes and similar initiatives to unlock technological innovation. References:
| |||
| 29 Sep 2024 | Jonathan Mendez: making the most of first-party data in the age of AI | 00:42:16 | |
Jonathan Mendez has been a founder and leader in Adtech and Martech for two decades, with a focus on building first-party data products to optimize media performance. He is the founder and CEO at Neuralift AI, having prior to that been Chief Digital Officer at a major cruise line, and having also spent five years building composable CDPs (Customer Data Platform) for global retail brands and telcos. He was also the Founder and CEO of Yieldbot, which in 2016 was the fourth largest Digital Advertising Network. He was also the CSO at Offermatica, eventually acquired by Omniture, now part of Adobe. Jonathan’s blog has been active for 17 years and is a recognized source of insights into AdTech, MarTech or Media. References:
| |||
| 28 Nov 2023 | Newsroom: Fall 2023 | 00:18:31 | |
Nina and Sergio run through the most relevant news of the past three months at the usual intersection of marketing, data, privacy, and technology - stopping at a few less commented and yet quite relevant fines, guidelines, or upcoming legal frameworks. In particular, this episode covers:
Best of all, we managed to avoid OpenAI’s drama. With Nina Müller and Sergio Maldonado. References:
| |||
| 01 Jun 2022 | Mike J. Schmidt: digital identity and educated choices | 00:30:45 | |
Mike J. Schmidt has extensive experience as an Advisor and Solutions Architect working worldwide in Identity Access Management (IAM), Data Privacy, and AI. He was one of the founders of MyData Global’s Canada Hub and has recently relocated to Spain. Together we are revisiting a few key topics: personal agency, identity, informed consent, MyData Operators, and AI. References: | |||
| 16 Mar 2023 | Winter 2023 Newsroom | 00:37:05 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. __ This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies: Spain’s AEPD issued a decision on the use of Google Analytics by the Royal Academy of Spanish Language (“RAE”), becoming the first EU Data Protection Agency to see the glass half full in the use of the widespread digital data collection service (having been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling - and in this regard aligned with the CNIL’s long-standing guidelines for the valid use of the tool. At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NS2 Directive (or v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to “essential sectors” (such as energy, banking, health, or digital infrastructure). Across the Channel, the UK’s Data Protection Agency (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either such tool or the guidelines provided by the European Data Protection Board will be considered valid. Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope to agree on a common approach in the face of multiple NOYB complaints across the EU) and the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the “Reject All” button in a second layer - which most notably leaves Spain’s AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on second layer; b) a reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies. The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and getting many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale. All of which can easily lead us to the latest update on the EU-US Data Privacy Framework: The EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the data protection review court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it with the hope of issuing an adequacy decision by July 2023. This would do away with all the headaches derived from the Schrems II ECJ decision (including growing pressure to store personal data in EU-based data centers), were it not for the general impression that a Schrems III challenge looms in the horizon. In the United States, long-awaited new privacy rules in California (CPRA) and Virginia (CDPA) entered into force on January 1st. Although both provide a set of rights in terms of ensuring individual control over personal data being collected across the Internet (opt-out, access, deletion, correction, portability…), California’s creates a private right of action that could pave the way for a new avalanche of privacy-related lawsuits.In any case, only companies meeting a minimum threshold in terms of revenue or the amount of consumers affected by their data collection practices (both of them varying across the two states) will have to comply with the new rules. Lastly, Privacy by Design will become ISO standard 31700 on February 8th, finally introducing an auditable process to conform to the seven principles originally laid out by Anne Cavoukian as Ontario(Canada)’s former Data Protection Commissioner.
Enforcement updatesIt’s been interesting to see how continental Data Protection Agencies (“DPAs”) keep milking the cow of the ePrivacy Directive’s lack of a one-stop-shop for US or China-based Big Tech giants. The long-awaited ePrivacy Regulation never arrived to keep this framework in sync with the GDPR (which does have a one-stop-shop), and this leaves an opening for any DPA to avoid referring large enforcement cases involving such players to the Irish Data Protection Commissioner (“DPC”) whenever cookie consent is involved. This criterion has been further strengthened by the recent conclusions of EPDB cookie banner task force. Microsoft was the last major victim of this particular gap (following Meta and Google), receiving a 60-million euro fine from France’s DPA (CNIL), which shortly after honored TikTok with a 5m euro fine (once again, due to the absence of a “Reject All” button on its first layer - or “not being as easy to reject cookies as it is to accept them”) and, not having had enough, went on to give Apple an 8m euro fine for collecting unique device identifiers of visitors to its App Store without prior consent or notice, in order to serve its own ads (which is akin to a cookie or local storage system when it comes to article 5.3 of the ePrivacy Directive). The CNIL ePrivacy-related enforcement spree did not stop short at Big Tech. Voodoo, a leader in hyper-casual mobile games, was also a target, receiving a 3 million euro fine for lack of proper consent when serving an IDFV (unique identifier “for vendors”, which Apples does allow app publishers to set when IDFA or cross-app identifiers have been declined via the App Tracking Transparency prompt). Putting the ePrivacy Directive aside, and well into pure GDPR domain, Discord received a 800k euro fine (again, at the hands of CNIL) on the basis of: a) a failure to properly determine and enforce a concrete data retention period; b) a failure to consider Privacy by Design requirements in the development of its products; c) accepting very low security levels for user-created passwords; and d) failing to carry out a Data Protection Impact Assessment (given the volume of data it processed and the fact that the tool has become popular among minors). And yet, one particular piece of news outshined mostly everything else in this category: Ireland’s DPC imposed a 390 euro fine on Meta following considerable pressure from the EDPB for relying on the contractual legal basis in order to serve personalized advertising - itself the core business model of both social networks. We had a debate on the matter with Tim Walters (English) and Alonso Hurtado (Spanish) on Masters of Privacy, and published an opinion piece on our blog. This last affair is a good segue into Twitter’s latest troubles. Its new owner, Elon Musk, not content with having fired key senior executives in charge of EU privacy compliance (including its Chief Privacy Officer and DPO), has suggested that he will oblige its non-paying users to consent to personalized advertising. The Irish DPC (once again, in charge of its supervision under the one-stop-shop rule) asked Twitter for a meeting in the hope to draw a few red lines. Meanwhile, the Spanish AEPD, still breaking all records in terms of monthly fines, sanctioned UPS (70,000 euros) for handing out a MediaMarkt (consumer electronics) delivery to a neighbor, thus breaching confidentiality duties. This will have a serious impact on the regular practices of courier services in the country. Back in the United States, Epic Games and the FTC agreed to a $520m fine for directly targeting children under the age of 13 with its Fortnite game (a default setting that allows them to engage in voice and text communications with strangers has made it worse), as well for using for “dark patterns” in in-game purchases. Separately, in what we believe it is a first case of its kind, even in the EU (with the ECJ FashionID case possibly being the closest we have been to it). Betterhelp has received an FTC $7,8m fine for using the Facebook Lookalike Audiences feature (and alternative offerings in the programmatic advertising space, including those of Criteo, Snapchat or Pinterest) to find potential customers on the basis of their similarity with the online mental health service’s current user base. This involved sensitive data and follows repetitive disclaimers by Betterhelp that data would in no case be shared with third parties. On the private lawsuits front (especially important in the US), Meta agreed to pay $725m after a class action was brought in California against Facebook on the back of the ever-present Cambridge Analytica scandal. Also, the Illinois Biometric Information Privacy Act (BIPA) kept putting money into the pockets of claimants and class action lawyers, in this case forcing Whole Foods (an upscale organic food supermarket chain owned by Amazon) to settle for $300.000 - we have previously previous cases against TikTok, Facebook or Snapchat, albeit it was the monitoring, via “voiceprints”, of its own employees (rather than its customers) that triggered this particular lawsuit. Legitimate Interest strikes back To finish with this section, very recent developments justify turning our eyes back to the UK and the EU as there is growing momentum for the acceptance of the legitimate interest as a legal basis for purely commercial or direct marketing purposes: While the CJEU decides on a question posed by a Dutch court in January, in which the DPA issued a fine to a tennis association for relying on legitimate interest to share member details with its sponsors (who then sent commercial offers to them), a UK court (First-Tier Tribunal) has ruled against the ICO (UK DPA) and in favor of Experian (a well-known data broker) for collecting data about 5.3m people from publicly available sources, including the electorate register, to build customer profiles and subsequently selling them to advertisers. Experian has relied on legitimate interest and found it too burdensome to properly inform every single individual (this being the ICO’s main point of contention). The decision does appear to indicate that using legitimate interest would not be possible if the original data collection had been based on consent, but even this is not entirely clear. So, just to make it even more clear and simple, the UK Government presented a new draft of a new UK Data Protection Bill on March 8th that includes a pre-built shortcut to using legitimate interest without need for the so-called three part test (purpose, necessity, balancing). Data controllers can now go ahead with this legal basis if they find their purpose in a non-exhaustive list provided - which includes direct marketing. Competition and Digital MarketsGoogle was sued by the Department of Justice for anti-competitive behavior in its dominance of the AdTech stack across the open market (or the ads that are shown across the web and beyond its own “walled gardens”), using its dominance of the publisher ad server market (supply side) to further strengthen its stranglehold of the demand side (advertisers, many of them already glued to its Google Ads or DV360 platforms in order to invest in search keywords or YouTube inventory) and, worse, artificially manipulating its own ad exchange to favor publishers at the expense of advertisers - thereby reinforcing the flywheel, as digital media publishers found themselves with even less incentives to work with competing ad servers. Zero-Party Data and Future of Media(The piece of news below obliges us to combine both categories this season) The BBC has rolled out its own version of SOLID pods to allow its own customers to leverage their own data (exported from Netflix, Spotify, and the BBC) in order to obtain relevant recommendations while staying in full control of such data. Perhaps a little step towards individual agency, but a giant one for a digital media ecosystem mostly butchered by the untenable notice-and-consent approach derived from the current legal framework - which takes us back full circle to Elizabeth Renieris’ new book.
| |||
| 25 Nov 2022 | Sandy Tsakiridi: Practical considerations on AI Governance and the upcoming EU AI Act | 00:37:27 | |
Sandy Tsakiridi is a dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London. Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP). We cover, in this order:
References:
| |||
| 07 Oct 2022 | Tara Taubman-Bassirian: Instagram, one-stop havens and the future of enforcement | 00:31:51 | |
Tara Taubman-Bassirian is a French lawyer specialized in Privacy, Internet law and Intellectual Property. She is a published author, for many years raising awareness of privacy, data protection and cybersecurity issues. Tara has also launched an initiative, Fly A Kite, to raise cybersecurity awareness especially to keep kids safe online. She also holds an LLM from Queen Mary University. References: | |||
| 25 Feb 2024 | Dr Augustine Fou: Dismantling marketing attribution, ad fraud controls and the business case for third party cookies | 00:26:26 | |
Dr. Augustine Fou has nearly three decades of experience in digital marketing, including client-side experience at American Express and agency-side experience at IPG and Omnicom, where he served as Group Chief Digital Officer of eight agencies serving pharma and medical device clients. Dr. Fou also taught digital strategy at Rutgers University's executive education program and NYU's School of Continuing and Professional Studies. With Dr. Fou we will aim to answer the following questions:
References:
| |||
| 25 Nov 2024 | Robert Bateman: the EDPB’s Opinion on auditing subprocessors and the future of Meta’s unskippable ads | 00:32:27 | |
Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. With Robert, who’s here for a second time, we are going to revisit recent EDPB (or European Data Protection Board) opinions on data processor auditing requirements and Meta’s Consent or Pay model, with its latest twist in mind (a brand new third option with generic, unskippable ads). References:
| |||
| 03 Sep 2024 | Newsroom: Summer 2024 | 00:28:07 | |
Ok, the summer is nearly over, which means it is time for a Newsroom summarizing everything that’s happened in the last two months at the intersection of marketing, data, privacy and technology. California and the FTC have more specific weight on our list this time around - perhaps because much of Europe, including regulators and hackers, was OOO during the entire month of August. So, expect to hear about:
(And yes, also about Google’s monopoly, the resilience of 3rd party cookies and Apple’s DMA struggles, but only in passing, as you’ve probably had enough of those.) Expect us to follow the usual structure: ePrivacy & Regulatory Updates; MarTech & AdTech; AI, Competition and Digital Markets; Zero-Party Data and Customer Centricity; Future of Media. With Celine Takatsuno and Sergio Maldonado. References:
Also, find a full blog post on the Masters of Privacy website. | |||
| 06 Jan 2025 | Carey Lening: Privacy Disasters, Bluesky’s firehose, and the EDPB opinion on LLMs and personal data | 00:41:37 | |
Carey Lening, JD, CDPP writes, speaks, and consults on data protection, law, technology, and fractal complexity in systems. Currently based in Ireland, Carey has over 20 years of experience in thinking about hard problems and helping people arrive at practical solutions. Besides providing data protection compliance support to select clients, Carey runs Privacat Insights, a newsletter that offers a paid tier with exclusive content, members-only Q&A, a slack channel and a yearly meetup. References:
| |||
| 15 Jan 2024 | Molly Martinson: Dealing with data processors, sensitive data and opt-out signals in the growing patchwork of US state privacy laws | 00:34:35 | |
Molly Martinson is a lawyer at Wyrick Robbins, a Raleigh-based law firm with outstanding privacy compliance credentials. She advises clients on a whole range of applicable privacy frameworks (CCPA, CPRA, FCRA, CAN-SPAM, COPPA, HIPAA), data breaches, laws regulating data brokers, and laws governing website and mobile application privacy policies. She also regularly advises international and U.S.- based clients on the applicability and requirements of the EU General Data Protection Regulation (GDPR). Molly received her B.A., cum laude from Wake Forest University and her J.D. with honors from UNC Schoolors Writing Scholar. She also received the Gressman-Pollitt Award for Excellence in Oral Advocacy. Molly served as a law clerk to the Honorable Robert N. Hunter, Jr. on the Supreme Court of North Carolina and the North Carolina Court of Appeals before entering private practice. References:
| |||
| 19 Jan 2021 | John Marshall: Free is bad | 00:33:15 | |
John Marshall is the author of Free Is Bad, as well as a serial entrepreneur and a patent holder in analytics tracking. His companies built advertising and analytics tools and delivered the first distance-learning training courses in digital marketing. He has recently turned his focus to the nature of web advertising and consumer behavior, becoming a firm believer that our current relationship with the web as a free service has led to untenable compromises in service, information, and truth. References: | |||
| 16 Feb 2025 | Daniel Rosenzweig: OK, fingerprinting | 00:44:27 | |
As of today, February 16th, Google’s platform policies allow the collection, sharing and usage of IP addresses and other signals across websites, apps, gaming consoles or Connected TV. This has been perceived as a direct contradiction of the company’s long-term anti-fingerprinting policy. The company is expecting that a growing reliance on Privacy Enhancing Technologies will do away with the resulting privacy risks. Daniel B. Rosenzweig is the Founder & Principal Attorney at DBR Data Privacy Solutions. He advises clients on legal and technical compliance with data privacy and AI laws, and counsels companies on industry mobile app store requirements, AdTech, and privacy-enhancing technologies (PETs). Daniel’s legal practice is unique in that he develops and codes technical solutions to help serve as a bridge between legal, marketing, and technical teams, in addition to providing clients the usual legal services. References:
| |||
| 22 Jan 2024 | Tejas Manohar: Data activation and composable CDPs in a privacy-first world | 00:32:27 | |
Tejas Manohar is the co-founder and co-CEO of Hightouch. Prior to founding Hightouch, Tejas was an early engineer at Segment, a leading Customer Data Platform (CDP) acquired by Twilio. The following topics have been covered in this interview:
References: | |||
| 09 Mar 2025 | Daniel Solove: On Privacy and Technology | 00:48:48 | |
Daniel Solove has just published a new book, On Privacy and Technology. We went through a few key concepts from it, and also had a chance to revisit other core ideas in the author’s work. Professor Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove is the author of more than 10 books and 100 articles about privacy. He has also written a children’s fiction book about privacy. He is one of the most cited law professors in the law and technology field. Professor Solove has been interviewed and quoted in hundreds of media articles and broadcasts and has been a consultant for many Fortune 500 companies and celebrities. It is to him that we owe the famous taxonomy of privacy harms, as well as very recent papers on Privacy and AI or Privacy and Data Scraping. References:
| |||
| 12 Sep 2023 | Newsroom: Summer 2023 | 00:25:01 | |
Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology. Visit this episode's blog post on Masters of Privacy for a long list of references and notes. | |||
| 06 Nov 2023 | Cristiana Santos and Victor Morel: The problem with CMPs and TCF-based cookie paywalls | 00:33:37 | |
Cristiana Santos is Assistant Professor in Privacy and Data Protection Law at Utrecht University, holding a joint international Doctoral Degree in Law, Science and Technology from the University of Bologna, and a Ph.D. in Computer Science from the University of Luxembourg. She is an expert of the Data Protection Unit at the Council of Europe; expert for the implementation of the EDPB's Support Pool of Experts; and expert of the Digital Persuasion or Manipulation Expert Group. She holds an International Chair Starting Career position at the National Institute for Research in Digital Science and Technology (INRIA, 2023-2026) to work on technical and legal aspects of data protection. Prior to joining academia, Cristiana was a lawyer and worked as a legal adviser and lecturer at the Portuguese Consumer Protection Organization. Victor Morel holds a Ph.D in Computer Science from INRIA and works at the Security & Privacy Lab of Chalmers University in Gothenburg (Sweden). He is working on usable privacy for IoT applications, and his interests encompass privacy, data protection, networks security, usability and Human-Computer Interactions, applied cryptography, and the broad spectrum of ethics in technology. He is also a member of FELINN’s collegiate council, a French association (1901) defending decentralization, privacy, and free software through popular education. Cristiana and Victor have co-authored a recent paper titled “Legitimate Interest is the New Consent – Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls”. With them we are directing our attention to consent walls in the context of publishers and the open market, having already dedicated two recent interviews to the “consent or pay” model as it concerns Instagram and Facebook (ie. Meta). We will also try to understand the challenges and potential conflicts of interest faced by CMP (Consent Management Platform) vendors. References:
| |||
| 06 Apr 2023 | Mattia Fosci: The publisher’s dilemma in a first-party data world | 00:32:53 | |
As a lawyer turned entrepreneur, Dr. Mattia Fosci combines privacy and AdTech expertise. He is the founder and CEO of Anonymised, an advertising platform that helps publishers understand and monetise their audiences at scale across all browsers and devices, using only anonymous data. We have covered or touched on:
References:
| |||
| 19 Jan 2023 | Tim Walters: The bigger picture on Facebook and Instagram being deprived of a contractual legal basis | 00:34:44 | |
Tim Walters is a strategist, analyst, advisor, and speaker sitting at the intersection of data privacy, customer experience, and marketing strategy. Privacy Lead at Content Advisory, as well as founder of Zero Theory, Tim previously founded The Digital Clarity Group. He has also been a Senior Analyst at Forrester Research. Some of his keynotes and publications include: “The Total Impossibility of Customer Experience Management”, “Data Privacy Goes Mainstream: An Unexpected Opportunity For Customer Experience”, and “Trust Is Imperative in the Customer Experience Era.” References:
| |||
| 09 Feb 2025 | Markus Wünschelbaum: ripple effects of the new AI Act prohibitions on AdTech and the broader digital economy | 00:29:38 | |
This was a really eventful week for AI regulation, with the first rules of the AI Act starting to apply on Sunday, February 2nd and the EU Commission releasing Guidelines on Tuesday (prohibited practices) and Thursday (scope of AI systems). To cap it all, a first-ever class action under the new framework (alongside the GDPR and the Digital Services Act) was filed on Wednesday against X-Twitter and TikTok. The following conversation with Markus Wünschelbaum, with a particular focus on digital advertising and AdTech, preceded and rightly anticipated these developments. Dr. Markus Wünschelbaum currently serves as Policy and Data Strategy Advisor to Hamburg’s Data Protection Commissioner Thomas Fuchs. In this role, he advises on key data protection & AI policies and strategic initiatives. Previously, he was responsible for imposing fines, fundamental GDPR issues, and freedom of information. He began his career focusing on the intersection of labor law and data protection, having published an acclaimed doctoral thesis on this topic and working at an international law firm. References:
| |||
| 02 Apr 2024 | Ellison Anne Williams: Homomorphic Encryption and its interplay with other PETs | 00:24:13 | |
What is Homomorphic Encryption? Can it be leveraged in the context of cross-vertical challenges? Dr. Ellison Anne Williams is the Founder and CEO of Enveil, the pioneering data security startup protecting Data in Use. She has more than a decade of experience spearheading avant-garde efforts in the areas of large scale analytics, information security and privacy, computer network exploitation, and network modeling at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory. In addition to her leadership experience, she is accomplished in the fields of distributed computing and algorithms, cryptographic applications, graph theory, combinatorics, machine learning, and data mining and holds a Ph.D. in Mathematics (Algebraic Combinatorics), a M.S. in Mathematics (Set Theoretic Topology), and a M.S. in Computer Science (Machine Learning).
References:
| |||
| 24 Mar 2021 | Jodi Daniels: Privacy compliance in a cookieless world | 00:27:23 | |
Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi as a Certified Informational Privacy Professional and serves as the outsourced privacy office for companies. References: | |||
| 30 Oct 2023 | Jeff Jockisch: AI-powered phishing attacks in the age of the Delete Act | 00:26:51 | |
Jeff Jockisch is an independent data privacy researcher at PrivacyPlan. He is also Chief Privacy Officer and partner at Avantis Privacy. Prior to compiling the largest known database of data brokers, he spent many years working with startups, technology, and data. He studied Organizational Behavior at Cornell and holds a CIPP/US accreditation (IAPP). Our primary questions today: Can the (brand new) California "Delete Act" or the GDPR be sufficient to avoid major AI-powered phishing attacks? Is there anything else that we could do as individuals or businesses? References:
| |||
| 08 Jan 2021 | Stephane Hamel: Faith, trust, and pixie dust | 00:23:43 | |
Stéphane Hamel is a seasoned independent digital marketing and analytics consultant, innovator, speaker and startup & agency advisor. He is also Digital Marketing Program Director for the Faculty of Business Administration at Laval University (Quebec City, Canada). He has recently embarked on a mission to protect user privacy and the ethical use of data. References:
| |||
| 29 Jun 2023 | Catherine King: from words to action in data ethics | 00:25:18 | |
Catherine King is a content creator, moderator, enabler and instructor in the fields of data ethics and also the broader data and analytics space. She is currently global head of brand engagement at Orbition. Catherine was recently a speaker at the Ethics in eCommerce Summit in London (put together by the Ethical Commerce Alliance) in which we coincided. With her we have explored a more controversial and practical approach to data ethics, under the acceptance that morals reflect a particular stance in a wide range of really important social issues, rather than a universal truth applicable to all. References: | |||
| 19 Feb 2024 | Stefan Filipović: Young DPOs - Challenges and Opportunities | 00:28:38 | |
Stefan Filipović is a privacy lawyer that began his career at the outset of GDPR enforcement in 2018. Throughout the years, he has built his expertise by working at a law firm focusing on IP and privacy, at a university as a researcher investigating legal challenges in regulating AI-based technology, and as a privacy officer and a counsel for a few Norwegian companies. Today he is a DPO at reMarkable. For several years, he also volunteered at ICANN, and for a period of time, at NIST’s privacy workforce. Beyond his focus on privacy compliance, he maintains a strong passion for information security, computer science, and risk management, as well as corporate governance and finance. References:
| |||
| 27 Apr 2023 | Eve-Christie Vermynck: Responding to a personal data breach | 00:24:42 | |
Eve-Christie Vermynck is a dual-admitted lawyer (civil law, common law) working at Skadden, Arps, Slate, Meagher & Flom. She advises clients on Cybersecurity, Privacy, IT/IP, blockchain and related topics. She is also a member of the Data Law Committee at The City of London Law Society. With Eve-Christie we are going to discuss the specific practical steps when it comes to dealing with personal data breaches in the UK or the EU. References: | |||
| 22 Sep 2024 | Heidi Saas: AI compliance for MarTech vendors and data controllers | 00:28:58 | |
What extra steps should data processors and controllers worry about now that every cloud-based tool is somehow AI-powered? A basic transparency principle is common across FIPPs, governance frameworks and existing AI regulations (EU, Colorado), but even that can sometimes become a luxury. Attorney Heidi Saas (CIPP/US) has over eighteen years of experience in consumer rights, six years in data privacy, and three years of ethical AI and governance experience. Her projects currently involve working with CEOs, CTOs, CISOs, DPOs, and CMOs of companies in various industries on regulatory strategy, privacy program designs, risk management, implementation, and monetization of data assets within their privacy ecosystems. She also works with businesses to provide ethical AI advisory, and pre-audit consulting services, as well as regulatory compliance, legal consulting, and public speaking events. References:
| |||
| 06 Oct 2024 | AI governance, MHMD, and third-party risks at PSR 2024 | 00:33:00 | |
The IAPP’s annual “Privacy. Security. Risk.” event took place in Los Angeles last week. Both Celine Takatsuno and Sergio Maldonado attended, took some notes, and now share their experiences and takeaways. References:
| |||
| 28 Dec 2020 | Milton Pedraza: The case for Personal Data as intellectual property | 00:27:37 | |
Milton is the CEO of the Luxury Institute, as well as a private investor, a frequent guest speaker at Columbia University, and a well-known entrepreneur. Of particular relevance to us, Milton is an investor in DataLucent and Digi.me, the former of which has recently launched an Advanced Personalization Xchange (APX) together with the Luxury Institute. References:
| |||
| 08 Jan 2024 | Romain Robert: Pay or OK in AdTech - How it started and where it’s going | 00:41:01 | |
Romain Robert is member of the litigation chamber of Belgium’s Supervisory Authority. He worked in various Brussels law firms between 2002 and 2011. Between 2007 and 2011, he was also a researcher at the Research Centre in Law and Society at the University of Namur. In 2011, he joined Belgium’s Supervisory Authority as a legal advisor. He worked as legal officer at the Policy and Consultation Unit of the European Data Protection Supervisor (EDPS) as of 2015 and joined the Secretariat of the European Data Protection Board (EDPB) in May 2018. In April 2020, Romain joined NOYB - an NGO conducting strategic litigation to enforce digital rights - where he was Program Director until July 2023. References:
| |||
| 15 Apr 2024 | Amy Worley: US privacy compliance for B2B startups, cross-border AI regulation, and a first glance at the American Privacy Rights Act | 00:29:33 | |
Amy Worley is Managing Director at BRG, a global leader in data protection, information security, and AI governance. A licensed attorney, certified privacy professional, and certified information systems security professional, Amy formerly served as the Chief Privacy Officer for a billion-dollar pharmaceutical and medical device company and now serves as a fractional Data Protection Officer for several multinational companies. Amy’s consulting practice is focused on helping clients implement sustainable programs that result in meaningful compliance with state, national, and regional laws and build corporate trust. She is passionate about the intersection of data, people, and power.
References:
| |||
| 04 Feb 2024 | Peter Craddock: Could core advertising components fall under the “strictly necessary” ePrivacy exemption? | 00:39:43 | |
Could we re-interpret article 5.3 of the ePrivacy Directive so that the “strictly necessary” (to provide a service) consent exemption gives shelter to the core technical building blocks of advertising solutions making journalism possible? Can we not deal with personal data (should it be involved at all) or behavioral targeting (should it be the case) separately under the GDPR? Peter Craddock helps us answer that question. Our guest is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. Peter is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References:
| |||
| 10 Nov 2024 | Peter Craddock: ePrivacy exceptions, advertising, analytics, the limits of consent and server-side processing | 00:59:14 | |
The EDPB has finally adopted its much feared Guidelines on the scope of article 5.3 of the ePrivacy Directive, but consent may still be avoided in some cases not specifically covered by an exemption (e.g., analytics). Absent such an exception, and in light of dismal consent rates, publishers and platforms have embraced highly controversial “Consent or Pay” models. Plan C? Server-side processing (Conversion APIs, Enhanced Conversions, Data Clean Rooms…), not without its own challenges. We have gone through all of it with Peter Craddock in his second appearance on Masters of Privacy. Peter Craddock is a lawyer as well as a software developer, and he uses this dual background to help clients find legal solutions to technical problems and technical solutions to legal problems. He is based in Brussels and helps international companies with their global data strategy and with EU data litigation. He notably has strong expertise in the legal aspects of digital advertising and adtech, and has been one of the most prominent commentators of recent legal developments in that area. References:
| |||
| 28 May 2023 | Adam Klee: combining media addressability, privacy compliance and customer empowerment | 00:36:00 | |
Adam Klee has an impressive resume in the AdTech world, having worked at Disney, Google, NBC, Twitter, Polar, or Spotify. He is the founder of Licorice, a platform that “gives consumers the privacy they want and publishers the data they need”. Adam’s passion for solving this problem comes from both his years developing new ways to help drive better yield for publishers, and his experience as a consumer, where he thinks privacy should come standard. We are covering:
References:
| |||
| 10 Jun 2024 | John Cavanaugh: Privacy as a grassroots movement | 00:32:39 | |
John Cavanaugh is a founding member of the Plunk Foundation, a non-profit dedicated to empowering individuals and communities so they have autonomy over their digital identities and protect their sensitive information. John is helping promote digital data privacy for women, children, veterans, and marginalized communities. Our mission today: exploring a grassroots approach to privacy or data protection. References:
| |||
| 19 Aug 2024 | Tony Fish: Is our philosophy of data consistent with our approach to privacy and data ethics? | 00:35:21 | |
Tony Fish is an investor, author and self-confessed maverick. He has been building digital businesses since 1990, with a first exit in 1995 and many businesses founded, co-founded, sold and listed after that. He thrives in complex, groundbreaking and uncertain environments, being currently focused on rethinking corporate governance models, ethics and AI, data policy and evidence-based decision making in volatile situations. He is a speaker and author of four books, as well as a visiting fellow for entrepreneurship and innovation at Henley Business School, has taught at London Business School in AI and Ethics, the London School of Economics and Sydney Business School. His latest book (“Decision-making in uncertain times”) has been widely available since early June. References:
| |||
| 02 Mar 2025 | Mark Jaffe (Rivian): connected cars, assisted driving, and Privacy by Design | 00:35:02 | |
What is the best way to address privacy risks in the context of connected cars? Is data minimization compatible with assisted driving? What is the meaning of “Core Vehicle Data”? Mark Jaffe leads the Rivian ethics, compliance and privacy program. This includes ethical culture, compliance oversight, privacy, and investigations. Prior to joining Rivian, Mark was Senior Vice President for Privacy at Teleperformance, a global business process outsourcer with over 400,000 employees operating in over 80 countries, spending almost two years in Singapore managing privacy issues in the Asia Pacific region. He has also dealt with data protection compliance in Europe, Middle East, and Africa. Prior to that, Mark spent 17 years at AT&T in global privacy roles as well as global compliance and ethics roles. Our guest is a frequent speaker on a variety of topics related to privacy compliance and data ethics. Mark earned his B.A., cum laude, from Duke University and his J.D., cum laude, from Northwestern University. References:
| |||
| 18 Dec 2020 | Masters of Privacy: Intro | 00:00:55 | |
Hoping to better understand a human-centric, demand-led future, we have spent a few months interviewing entrepreneurs and pioneers at the intersection of Marketing, Data, Privacy, and Technology. This channel is our attempt to expand on this effort and share our learnings along the way. Masters of Privacy is hosted and maintained by PrivacyCloud, a Spain and US-based company that helps people, marketers, and publishers take control of their data, their money, and their experiences. | |||
| 12 Jan 2025 | Dan Stone: how to own our identity, protect personal data, and escape LinkedIn | 00:43:32 | |
Can we introduce greater individual agency in the management of identity? Will that lead to better controls over personal data and less privacy risks? What is the problem with LinkedIn? Are we turning a page in the evolution and potential mass adoption of cryptographic solutions? How can we avoid storing personal information on the blockchain? Dan has spent his career building products from 0-1 at the intersection of predictive analytics, AI/ML, and privacy. He most notably served as a Group Product Manager at Google, where he built Google’s most sophisticated personalized marketing and cross-identity measurement products, Google Analytics and Google Signals, respectively. Prior to co-founding Icebreaker, he served as a Group Product Manager at Coinbase, where he led Consumer Trading, earning a patent for AI-assisted multi-chain intent orchestration. He holds a BS in Management Science from the Massachusetts Institute of Technology. References:
| |||
| 28 May 2024 | Brian Focht: Can the American Privacy Rights Act find a path to survival? | 00:37:01 | |
Does the inclusion of both a private right of action and a general preemption of overlapping state laws (not limited to privacy, but also including AI or confidential information) condemn the APRA to the fire? Brian Focht is a cybersecurity and data privacy attorney practicing in Charlotte, North Carolina. His legal practice is focused on helping clients ranging from individuals to international corporations, and involves nearly every aspect of law that touches on cybersecurity and data privacy, including identity theft, internal corporate policies and procedures, data breach response and recovery, and litigation. He is a 2003 Graduate of the University of North Carolina at Chapel Hill, a 2007 Graduate of the Wake Forest University School of Law, and a Certified Information Privacy Professional (U.S.) and AI Governance Professional. In addition to his legal practice, he is the founder and co-host of the Fearless Paranoia podcast, which attempts to make the world of cybersecurity more accessible and understandable to those not in the IT industry. On top of that, Brian maintains the Resilience Cybersecurity and Data Privacy blog, offering tips and suggestions for keeping yourself safe in the increasingly hazardous digital world. References:
| |||
| 13 Oct 2024 | Simon Hania (Uber): Uber Ads, vendor audits, location data, AI, and the role of the DPO | 00:28:41 | |
Simon Hania is Global Data Protection Officer at Uber, heading the team that independently advises on and monitors Ubers compliance with data protection laws. In the past Simon held the position of VP Privacy & Security at TomTom and before that various positions in IT service management. Simon is a trained engineer who has learned to love the law. References:
| |||
| 03 Mar 2023 | Joana Mota: Privacy compliance in a web3 world | 00:25:00 | |
Joana is Partner at Cuatrecasas, where she leads the Technology, Media and Telecom team. She has also worked for 3 years at ANACOM, Portugal's telecom and media regulator and one of the two supervisory authorities when it comes to the ePrivacy Directive in Portugal, the other being the Portuguese Data Protection Authority. Besides being fully versed in the opportunities presented by blockchain technologies, and having advised startups in the crypto space, Joana is co-author of the chapters on Portugal in The Privacy, Data Protection and Cybersecurity Law Review, 7th Edition (2020) as well as other relevant publications and I was happy to find out that she is also a Queen Mary’s University alumni (as I am myself). With Joana we will cover:
References: | |||
| 12 May 2021 | Monographic: A legal approach to "cookieless" marketing | 00:23:41 | |
As an answer to the obvious legal challenges of ID-based, cross-media deduplication (currently greater than those faced by third-party cookies), Google Chrome’s Privacy Sandbox, and its related W3C Working Group, provides a framework for advertisers and publishers to leverage a browser-level interest graph while preserving anonymity, through the use of aggregate data and minimum audience thresholds. As key drawbacks, there is little control on the consumer side, and local storage could result in data leaks when coexisting with either shared-identity, third-party cookies, and platform-specific IDs or walled gardens. We will address these and other issues from a legal perspective (ePrivacy + GDPR, mostly), and your humble host (Sergio Maldonado) will be on his own for this particular mission. References:
| |||
| 16 Sep 2024 | Daniel Jaye: non-deprecated cookies (II), hyper-federated data, p3p and publishers | 00:23:14 | |
This is our second interview analyzing the impact of Google’s decision not to deprecate third-party cookies on its Chrome browser. Daniel Jaye is a seasoned technology industry executive and currently is CEO and founder of Aqfer, a Marketing Data Platform on top of which businesses can build their own MarTech and AdTech solutions. Daniel has provided strategic, tactical and technology advisory services to a wide range of marketing technology and big data companies. Clients have included Brave Browser, Altiscale, ShareThis, Ghostery, OwnerIQ, Netezza, Akamai, and Tremor Media. He was the founder and CEO of Korrelate, a leading automotive marketing attribution company -purchased by J.D. Power in 2014- as well as the former president of TACODA -bought by AOL in 2007. Daniel was also the founder and CTO of Permissus, an enterprise privacy compliance technology provider. All of the above were preceded by his role as founder and CTO of Engage, acting CTO of CMGI and director of High Performance Computing at Fidelity Investments. He also worked at Epsilon and Accenture (formerly Andersen Consulting). Daniel Jaye graduated magna cum laude with a BA in Astronomy and Astrophysics and Physics from Harvard University.
References:
| |||
| 17 Mar 2021 | Sille Sepp: MyData Global and the fight for Human Centricity | 00:29:05 | |
Sille Sepp serves as the Programmes Lead for MyData Global, an international nonprofit aiming to empower individuals by improving their right to self-determination regarding their personal data. With a background in Sociology and Urban Governance, Sille is especially keen to explore the MyData concept in the urban context, and the implications of digital technologies and the data economy on society. References: | |||
| 23 Oct 2023 | Robert Bateman: Consent or Pay | 00:44:35 | |
Robert Bateman is a data protection writer, trainer, and consultant. He has published innumerable articles on the topic, as well as led panel discussions and interviewed key well-known figures in the space on stage, at well-known privacy conferences. Besides freelancing as content creator, he is an associate with Act Now Training and a Subject Matter Expert with Heward Mills, a data protection consultancy. With Robert we have addressed the recent public outcry about Instagram and Facebook becoming paid services for whoever does not want to see ads or consent to the data processing involved in running them. Given that we have already got used to seeing cookie walls on European news websites (in Germany, France, or Italy), we have aimed to open the wider debate around “Consent or Pay” business models. References:
| |||
| 13 Nov 2023 | Jeffrey Bustos: Retail Media, privacy, and the future of addressability | 00:23:55 | |
Jeffrey Bustos is the VP, MAD (Measurement Addressability Data) + Commerce at the IAB where he develops industry standards and guides for measurement and addressability solutions to enable revenue growth, efficiency, and scale with a focus in Retail Media Networks, Video / Advanced Television, and Privacy Enhancing Technology. His projects include: Categorization & Definitions Buyers Guide for Retail Media, Data Clean Rooms and Privacy Preserving Solutions Research, and Attention & Engagement Metrics Standards. Previously, Jeffrey worked at GroupM where he led Data & Audience Strategy for eCommerce clients, assisting them with cookieless solutions, audience strategy & activation, as well as data taxonomy & identity resolution for CDPs and Data Clean Room activations. References:
| |||
| 09 Oct 2023 | Katharine Jarmul: Demystifying Privacy Enhancing Technologies | 00:25:21 | |
Katharine Jarmul is a privacy activist and data scientist focused on privacy and security in data science workflows. She’s a principal data scientist at Thoughtworks and has worked at various companies in the US and Germany before that. She is also a frequent keynote speaker at software and AI conferences. Katharine has recently published “Practical Data Privacy” (O’Reilly, 2023), in which she provides a deep dive of Privacy Enhancing Technologies (“PET”), including detailed answers to increasingly common questions: How can we actually anonymize data? How does federated learning work? Can we already leverage Homomorphic Encryption to run analysis or work with data even while it is encrypted? How can we compare and pick the most appropriate PETs? Can we use open source libraries? In our discussion:
References: | |||
| 08 Dec 2024 | Rie Aleksandra Walle: revisiting legitimate interest for marketing or analytics after KNLTB, privacy fundamentalism, and how the GDPR lost its sparkle | 00:35:27 | |
Has honour been restored to the Legitimate Interest legal basis after the CJEU Royal Dutch Tennis Association decision and subsequent EDPB Guidelines? Is the GDPR showing signs of rustiness? Has it instead become a new religion? Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast. References:
| |||
| 25 Sep 2023 | Ito Onojeghuo: Effective Privacy Notices | 00:29:16 | |
Ito Onojeghuo works with a number of global establishments as an independent Data Protection Consultant, Group Data Protection Officer, and EU Representative. She is also the CEO at ALLNETLAW, which is a leading UK-based IAPP Training Partner. Besides holding an LL.M in Internet law and policy, Ito is a Fellow of Information Privacy (FIP), a Certified Information Privacy Professional, and an Independent Conformity Assessment Advisor for the UK Age Check Certification Scheme (ACCS). With Ito we have addressed a very important topic sitting at the heart of data protection or privacy compliance for every business: Effective Privacy Notices (or “Privacy Policies”). References:
| |||
| 18 Mar 2024 | Matthias Eigenmann: Confidential Computing, contractual relationships and legal bases for Data Clean Rooms | 00:34:14 | |
Will Data Clean Rooms help us avoid consent, or personal data altogether, and make the most of first-party data for data collaboration and addressability purposes? Matthias Eigenmann is a Swiss lawyer with over 10 years of practical experience in technology and data protection law. He currently works as legal counsel and DPO at Decentriq (a Data Clean Room), and is also an advisor on data protection matters to a large hospital in Switzerland. Prior to this, he spent several years working in tech and data protection law at a law firm, as well as as an in-house counsel for IT contracts and data protection at PwC Switzerland. References: | |||
| 16 Oct 2023 | Cory Underwood: The new privacy landscape for US-based digital marketers | 00:36:19 | |
Cory Underwood is a Privacy and Data Analytics Engineer with a strong marketing data technology background and a good knowledge of both US and EU ePrivacy law. Cory supports the data privacy offerings of Atlanta-based Search Discovery (a data strategy and activation company), leveraging eight years of experience in privacy efforts and multiple privacy related certifications to enable clients to understand the impact of privacy changes. With a combined thirteen years of experience in technology, Cory specializes in speaking and writing on his blog (cunderwood.dev) about upcoming privacy changes, allowing readers to take a proactive approach to compliance challenges. In our second interview with Cory we have looked for answers to the following questions:
References:
| |||
| 02 Oct 2023 | Jakob Plesner: Copyright Exceptions for Generative AI | 00:29:11 | |
Jakob Plesner Mathiasen is an attorney with a focus on Intellectual Property and emerging technologies. He serves as the Secretary for the Danish Society for Copyright Law and is the mind behind the Danish Entertainment Law podcast. He also teaches Entertainment Law at the University of Copenhagen. With Jakob we’ll try to better understand the copyright implications of Generative AI, and this should help many DPOs, CPOs, or innovation managers deal with the intellectual property side of their new AI Governance responsibilities. References:
| |||
| 15 Dec 2022 | Jose Belo: Artificial Intelligence in MarTech and AdTech | 00:35:26 | |
Jose Belo (FIP, CIPP/E, CIPM) is a legal professional and Data Protection Officer, specialized in data protection, privacy and compliance. Jose is currently an International Research Fellow at the ISLC at the University of Milan (Italy). His last professional engagement was as Head of Data Privacy at Valuer.ai, an AI-powered tech company from Copenhagen, Denmark. Since January 2022, Jose has been appointed as a Member of the IAPP European Advisory Board. Jose is also, currently, co-chair of the IAPP Copenhagen Chapter. Formerly, Jose was co-chair of the Portugal and Luxembourg Chapters of the IAPP. We cover, in this order:
References: | |||
| 21 Oct 2022 | Derek A. Lackey: A marketer’s take on EU-US data transfers and the Canadian approach | 00:18:11 | |
Derek A. Lackey is Managing Director of Newport Thomson, a Privacy Agency based in Toronto. With more than 30 years of marketing, advertising and privacy experience, he is focused on data protection & privacy and its effect on the brand. Derek is the author of “CASL Compliance: A Marketer’s Guide to Email Marketing to Canadians”, and looks to simplify the implementation of new data management practices within organizations. This will be the first of two separate perspectives on the basic premises that make EU-US data transfers so difficult (in the aftermath of Joe Biden’s Executive Order paving the ground for the Data Privacy Framework). We will also get a first impression of the Canadian scenario as an interesting blend of both approaches. References: | |||
| 16 Dec 2024 | Jamie Smith: AI Agents, digital identity, wallets and personal data | 00:25:31 | |
Are Personal AI Agents the future of individual empowerment? How can the evolution of digital identity make them a reality? Jamie Smith is the CEO and Founder of Customer Futures, a company focused on digital identity and customer-controlled personal data. He has been working at the forefront of digital transformation for nearly 15 years, helping deliver innovative solutions for some of the world's largest organizations. Jamie has previously worked at Evernym, Ctrl-Shift, BT and Deloitte, before embarking on various recent projects, always in the same space. References:
| |||
| 30 Aug 2024 | Jay Averitt: the evolving role of the Privacy Engineer, technical privacy reviews and DPIAs | 00:27:55 | |
Jay Averitt is currently a Senior Privacy Product Manager at Microsoft, where he manages technical privacy reviews involving Microsoft365 products including CoPilot, GPT, and other LLM products. He was previously a Privacy Engineer at Twitter, where he managed technical privacy reviews across the platform. He’s been working in privacy for over a decade as both a privacy technologist and a privacy attorney. Before switching to technical privacy, he worked as a technology counsel at SAP, SAS, and Lenovo.
References:
| |||
| 01 Dec 2024 | Matthew Junod: the US-based DPO in the face of AI governance | 00:28:03 | |
How is the role of the DPO (Data Protection/Privacy Officer) evolving in the US? What is the best approach to managing AI governance once a privacy program has been implemented? Matt Junod is a US privacy attorney and Florida native with a prior background in network engineering and security. He has worked in-house, rolling out and managing data protection programs as well as dealing with security and privacy compliance issues. Our guest has also served in privacy leadership roles since 2018, including the DPO position for a large technology services firm, and most recently a leading Internet job board. References: | |||
| 05 Mar 2021 | Julian Wilson: Self-Sovereign Data meets Open Banking | 00:18:48 | |
Julian Wilson began his career at Apple in the late 80s. Here he worked on projects such as the world's first set top box, hybrid CD / internet games console and as part of the team who introduced Newton [arguably the forerunner to the iPhone]. He left Apple to join ATT in 1996, where he conceived and built a digital cash payment service for mobile phones based on smart cards. In 1999 after raising $5m from US venture capitalists and the Dutch Government, Julian led a management buyout of this technology to create SmartAxis BV. After two more Internet start-ups focused on identity and mobile data, Julian joined Barclays engineering team in late 2013, where amongst other things he and a colleague submitted global patents for modification to the bitcoin protocols / blocks of crypto currency. Julian joined Ecospend in 2019 to build a self-sovereign data service on top of an Open Banking platform. He describes his role as putting an Internet lens onto product design. References: | |||
| 03 Feb 2025 | Alex Dittel: recent developments in Australian data privacy | 00:26:49 | |
Alex Dittel leads KHQ’s Data Privacy, Cyber and Digital legal practice. He brings over 15 years of experience in data protection, information security and technology commercial matters acquired during his time working for big and small technology companies and law firms in the United Kingdom and Australia. As a passionate GDPR-native data privacy lawyer, he advises on Australian as well as international data privacy matters. He holds CIPP/A, CIPP/E and CIPP/US certifications from the IAPP. References:
| |||
| 03 Feb 2021 | Alessandro De Zanche: The Funnel of Trust for media owners | 00:21:26 | |
Alessandro De Zanche is a multilingual senior executive with over 16 years of experience of data, audience, monetisation strategies and products covering international roles in global companies (News Corp, Yahoo!, Telefonica, GfK, Hutchison 3G, Sizmek). He is currently consulting (among others, with: Financial Times Strategies, Dentsu Aegis Network, DPG Media Group) and writes on AdExchanger on a regular basis. We took this opportunity to discuss the pains of the open programmatic advertising market for publishers and the trade-offs involved in identity management or different models for people to pay for their content. References:
| |||
| 08 Sep 2024 | Robin de Wouters: non-deprecated cookies, legitimate interest and small businesses | 00:23:58 | |
Earlier this summer, Google announced that its Chrome browser would after all keep third party cookies. This interview with Robin de Wouters is the first of two episodes exploring the consequences of that update from the point of view of our usual stakeholders (DPOs, CMOs, CDOs). Robin de Wouters is the Director General for the Federation of European Data & Marketing (FEDMA), in Brussels. He has a strong background in communication and public relations across the private, non-profit and institutional spheres. He previously worked in the field of human rights with Euromed Rights, the ONE Campaign and the United Nations. Robin is also the Vice-Chair of the Board of the European Interactive Digital Advertising Alliance (EDAA) and the Communications Director and Spokesperson for Democrats Abroad Belgium, the international arm of the US Democratic Party. References:
| |||
| 14 Apr 2021 | Lisa LeVasseur: Introducing the Me2B Alliance | 00:32:20 | |
Lisa LeVasseur is an MBA technologist with a background in Computer Science and Philosophy. Lisa began strategic work in cellular telecom industry standards in the late ‘90s while at Motorola. Since then, she has participated in 3GPP, 3GPP2, MEIF, WAP Forum, IETF, W3C, IEEE and Kantara Initiative. The Me2B Alliance is setting the standard for respectful technology. It is backed by a group of software engineers, policy analysts, UX experts, business and philanthropic leaders who are committed to giving individuals more say in how technology treats people. References: | |||
| 11 Mar 2024 | Rie Aleksandra Walle: The DPO’s guide to better sources, constructive debates, and a happier life | 00:26:01 | |
Rie Aleksandra Walle brings over seventeen years of professional experience across both the private and public sectors, having worked at Kristiania University College, Ernst & Young, Nordic Innovation and the Norwegian Agency for Public Management and eGovernment. Rie is behind the DPO Hub, which helps busy DPOs by offering concise summaries and key practical takeaways from key CJEU rulings, EDPB documents and DPA decisions, as well as by putting together a community around it. She is also the host of the Grumpy GDPR podcast. With Rie we will explore her own tips and tricks to stay sharp and up to date, avoiding a myriad of shallow or confusing sources and digging for the best possible answers at all times - all of it while avoiding clickbait, radical opinions and the avalanche of so-called privacy experts clogging LinkedIn feeds. References:
| |||
| 09 Mar 2023 | Nicola Newitt: the legal case for Data Clean Rooms | 00:33:11 | |
Nicola Newitt is a UK qualified lawyer who trained in private practice and worked at Slaughter and May before moving in-house to start her privacy career in Bupa’s international health insurance business. She is now Senior Privacy and Product Counsel at InfoSum, a leading Data Clean Room. With Nicola we have covered a very hot topic for anyone in the Marketing Technology or AdTech spaces. Our discussion included the following questions:
References:
| |||
| 07 Apr 2021 | Katharina Weimer and Kirsten Ammon: In anticipation of the EU ePrivacy Regulation | 00:28:19 | |
Katharina Weimer is a partner in the privacy team of Fieldfisher and located in the Munich office. She has been advising her clients in the data protection landscape for more than 12 years with a focus on international companies.
Kirsten Ammon is a lawyer of Fieldfisher's IT and privacy team in the Hamburg office. She develops practical privacy solutions for her clients that are mainly located in Europe and the US.
References:
| |||
| 10 Feb 2021 | Gam Dias: On privacy, agency, convenience, and freedom | 00:25:45 | |
Gam Dias is a partner at 3PointsDIGITAL, part of the MSQ Group of Digital Agencies, where he is growing the Data Strategy and Personal Data practice. Gam previously co-founded e-commerce consultancy First Retail, and prior to that was Head of Data Strategy at Aviva Insurance. He is also an associate professor at IE Business School.
Gam has been an active member of the MyData Madrid community since its inception in late 2019, and we use our past debates as a starting point, eventually touching on a few hot topics: personal agency, privacy vs convenience, personal data stores, and reinventing digital marketing. References:
Visit our website for further information: www.mastersofprivacy.com | |||
| 03 Jun 2024 | Adrian Doerk: digital identity, digital wallets and data protection | 00:20:24 | |
Adrian Doerk is co-founder of Lissi GmbH and co-coordinator of the IDunion research project. He has extensive experience in the rollout of digital wallets, specializing in the European digital identity wallet (EUDI-Wallet) under the eIDAS 2.0 Regulation. Adrian has helped us answer a few important questions on this topic:
References:
| |||
| 14 Oct 2022 | Peter Hense: How first-party data will kill CMPs | 00:34:02 | |
Peter Hense is a partner at Spirit Legal, Germany. He specializes in data privacy litigation, particularly in the area of Advertising Technology. In this episode we discuss the uselessness and potential demise of Consent Management Platforms (CMPs) in a first-party data future. We will also touch on Data Clean Rooms and whether they actually deserve the label. References: | |||
| 11 Jul 2023 | Nick Baskett: Mastering DPIAs | 00:27:24 | |
Nick Baskett is DPO at Holland & Barrett. He has a personal interest in ethics and philosophy, encryption and AI, and he once published a book on Data Protection Impact Assessments. He was also the founder of one of the early Cyber Security consultancies in the UK (Matta). With Nick we have discussed best practices around Data Protection Impact Assessments or Privacy Impact Assessments, including their management at scale in the context of privacy operations, as well as risk assessment efforts associated with Generative AI projects. References:
| |||
| 25 Mar 2024 | Radha Gohil: the marketer’s approach to privacy, progressive consent and MarTech vendor audits | 00:20:03 | |
Is there a sweet spot between privacy compliance and marketing outcomes? What is “progressive consent”? Radha Gohil is a Data Governance and Privacy leader at Shell. She works on AdTech and MarTech data flows, as well as digital and programmatic supply chains, applying privacy compliance requirements to marketing-related practices. This includes consent management and, in general, acting as a bridge between Marketing, IT, CDO and legal. On top of that, Radha chairs the Digital Governance Steering Group at the ISBA (Incorporated Society of British Advertisers). She has previously worked at PwC and The Telegraph. With Radha we have covered the manner in which marketing teams navigate privacy compliance or even leverage a privacy-first approach as a competitive advantage. This includes dealing with transparency requirements or the difficult trade-offs involved in gathering proper consent when required to do so.
References:
| |||
| 25 Aug 2024 | Nick Manning: Advertising, Who Cares? | 00:38:11 | |
Nick Manning is a commentator, author and speaker on advertising, with a specialization in media. He co-founded Manning Gottlieb Media in 1990, and following its purchase by Omnicom he became CEO of the OMD UK Group. He also co-founded OPera, the media negotiation arm for OMD and PHD. In 2007 Nick joined Ebiquity as Chief Operating Officer before becoming responsible for Ebiquity’s non-UK based operations and Chief Strategy Officer. At Ebiquity he led the team that produced the recommendations for advertisers that accompanied the K2 Intelligence report into media transparency in 2016. Since 2019 he has run his own consulting business, advising advertisers and their trade associations. Nick specializes in helping advertisers improve their effectiveness, accountability and transparency. References:
| |||
| 23 Feb 2025 | Mike Hintze: My Health My Data updates, international transfers of US personal data | 00:38:58 | |
An update was due at the intersection of MarTech/AdTech and the My Health My Data Act, with a Washington Consumer Protection Act case against Costco paving the way for the recent class action lawsuit involving the Amazon Ads SDK. Also, the date is approaching for compliance with restrictions on international transfers of US personal data. Mike Hintze is a well-known leader in the field with more than 20 years of experience in privacy and data protection. He has been a partner at Hintze Law since 2016 and prior to that was Chief Privacy Counsel at Microsoft for 18 years. He also teaches privacy law at the University of Washington school of law and has served on multiple advisory boards. He has also testified before Congress, state legislatures or European regulators. References:
| |||
| 28 Apr 2021 | Gabriela Zanfir-Fortuna: A world tour of data protection laws | 00:23:52 | |
Gabriela Zanfir-Fortuna is a Senior Counsel for Global Privacy and EU data protection law at the Future of Privacy Forum and former legal officer for the EDPS (Brussels). She holds a PhD in data protection law. References:
Training courses at the Future of Privacy Forum: Understanding Digital Data Flows | |||
| 24 Feb 2021 | Andres Arrieta: Privacy, competition, and browser wars | 00:26:16 | |
Andrés Arrieta is Director of Consumer Privacy Engineering for the Electronic Frontier Foundation (EFF), where he oversees projects and tech policy like blocking trackers online when you browse. He is also an advocate for better privacy, cybersecurity, and fair competition. References: | |||
| 22 Jan 2025 | NextAI 2025: pondering new ideas at the heart of the Pyrenees (with Alberto Lopez Valenzuela) | 00:26:16 | |
This special mountain retreat will bring together a unique combination of backgrounds and nationalities. NextAI is an initiative of Alberto Lopez Valenzuela and we have asked him to share more details. Alberto Lopez Valenzuela is an entrepreneur with over 25 years of experience in the decision intelligence sector, mainly in the UK and the US. He founded alva in 2009, a London-based AI analytics firm that ended up working with hundreds of blue-chip clients, expanding to New York and establishing the company as an industry leader. In 2021 alva was acquired by US private equity firm Falfurrias Capital Partners and this, together with the incorporation of other companies, resulted in the creation of Penta. Alberto was the Managing Director of its AI division until 2023. In 2024, he founded Ordino Partners, incubating and investing in AI tech startups with a meaningful social impact. As an author, Alberto published The Connecting Leader in 2018. Masters of Privacy is a NextAI partner and Sergio Maldonado (your host) will be attending the event. References:
| |||
| 18 Nov 2022 | Brendan Quinn: DPIAs, whistleblowers, collective redress, and the GDPR-DSA interplay | 00:28:37 | |
Brendan Quinn (Esq.) is a qualified Irish Solicitor, New York Attorney, and Fellow of the Chartered Certified Accountants (FCCA), holding an LL.M from University College Dublin and Higher Diplomas in Computer Science and Data Analytics, as well as a postgraduate in Financial Technology. He is also the author of Data Protection Implementation Guide: A Legal, Risk and Technology Framework for the GDPR (Wolters Kluwer, September 2021). Among other things, our guest helps innovative software companies in their compliance with Privacy by Design and data security requirements, including data anonymization research and DPIAs. We cover, in order:
References:
| |||
| 03 Nov 2022 | Fall 2022 Newsroom: Instagram and Criteo fines, GDPRexit, and the Data Privacy Framework | 00:31:00 | |
With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast. References:
Selected updates: Enforcement Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels. Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform. The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NYOB against companies using either Google Analytics or the Facebook pixel. Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web. Legal updates It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud. For its part, the UK wants out of the GDPR and this could actually result in a more dynamic environment (it relied on an Oxford University research that claimed that the GDPR is costing UK businesses 8% of their profits). For one thing, they are proposing to let small businesses get on with their lives. Future of media Elon Musk completed his acquisition of Twitter, announcing monthly charges to its heaviest users - starting with those displaying a “verified” blue icon, who happen to be the ones caring the most about the status their identity or following confers to them. This was criticized as a “misinformation nightmare”, in very timely Halloween fashion. | |||
| 18 Nov 2024 | Newsroom: Fall 2024 | 00:16:47 | |
Time for a Newsroom summarizing everything that’s happened in our usual areas of focus, although we are dropping the last two (Zero-Party Data and Future of media) this time around. ePrivacy & Regulatory UpdatesEnforcement
Legal updates and guidelines
MarTech and AdTech
AI, Competition and Digital Markets
That’s it for today! Thanks again for listening.
| |||
| 27 Oct 2024 | Ben Winokur: data anonymization through AI-generated synthetic data | 00:33:36 | |
Can we leverage AI-generated synthetic data as a privacy-enhancing or data anonymization solution? How compatible is it with Data Clean Rooms? Will there be a path to effectively anonymize unstructured data? Ben Winokur is the co-founder and CEO of Subsalt, the leading platform for anonymous synthetic data. Prior to Subsalt, Ben worked in a variety of legal, product, and operational roles at Passport, where he first encountered the problem Subsalt solves: privacy and security risks have made it too expensive and difficult to access, share, and analyze sensitive private data. References:
| |||
| 12 Feb 2024 | Newsroom: Winter 2024 | 00:23:12 | |
Nina Müller and Sergio Maldonado discuss a few recent events across the EU, the UK, and the US: Yahoo/Uber ePrivacy fines, Google Chrome (Incognito Mode) settlement, US Congress Social Media hearing, upcoming UOOM/ Global Privacy Control enforcement across various states, and Spain’s AEPD Guidelines to circumvent cookie consent requirements for high-level Digital Analytics. Please find relevant links and additional updates across all of our usual core sections (ePrivacy and regulatory updates; MarTech and AdTech; AI, competition, and digital markets; PETs and Zero-Party Data; future of media) on the PrivacyCloud website. | |||
| 25 Sep 2022 | Cory Underwood: Global Privacy Control, CPRA and beyond | 00:33:53 | |
Cory Underwood combines in-depth technical expertise in the MarTech and Analytics space with a thorough understanding of the ePrivacy legal framework. He has hands-on experience in Distributed System Design, A/B Testing, Tag Management or Analytics - and writes extensively about the intersection of digital analytics and cross-border privacy compliance. References: | |||