A week in Privacy - the scary side

Show Notes

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal cover a couple of weeks in privacy - on the scary side. Topics include updates on the global CBPRs and PRPs, NOYB launched a complaint against open AI with the austrian data protection authority and 11 complaints against META, Italy reinstates chatGPT, the EDPB chatGPT task force report,  a lawsuit against General Motors for IOT, the U. S. Department of Commerce announced some new initiatives under the AI order for NIST, the FCC fined four major us wireless carriers $200 million for unlawfully sharing customers location data without consent, the Florida governor signed a bill mandating explicit disclaimers on political advertisement to ensuring transparency in AI used for political campaigns, the Dutch Data Protection Authority issued guidance against the web scraping, Australian officials announced an overhaul of their privacy act. Carly Kind, IAPP AI governance global happened in Brussels. the women in AI emerald de leeuw shoshana rosenberg. the California Privacy Protection Agency's hearing is set for June 21st in the Superior Court of California, Maryland also signed in two significant measures for online data protection. The Maryland kids code. the Nordic data protection authorities adopted joint principles on children and online gaming. Leena Kuusniemi

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Transcript

Please note this is largely an automated transcript. For accuracy, please listen to the audio.

[00:00:00] Paul: welcome to episode 201 of Serious Privacy. After last week's celebrations, we're back to a regular week in privacy. And yes, it seems that there have been some few, some things happening this week. Not in the least, the IAPP hosting their first AI global event in Europe.

In Brussels this time some other things as well going on in Europe It's election week for the European parliament the Netherlands voted already on Thursday Most of Europe will be voting on Sunday And that will determine to a very large extent what the new European commission will look like And then also what policies we can expect on privacy on data protection on cyber security on digital services And all that fun stuff that we've been working on That and much more during this week of serious privacy.

My name is Paul Breitbarth.

[00:01:01] K: and I'm K Royal and welcome to Serious Privacy. Okay. The unexpected question. Tell me a weird fact. that you know for whatever reason.

[00:01:12] Paul: Help!

[00:01:13] K: We're, y'all can't see this because we don't, we don't record the video. One day Paula and I will record the video, but we're both looking around like have some, but I think I've shared all my weird facts on the show.

[00:01:24] Paul: I'm sure I have one, but nothing springs to mind on a Friday night. Have literally no idea.

[00:01:30] K: Okay, I'll give you a weird fact. I'm running all the weird facts through my brain. I think there's one weird fact I know that I haven't shared on the show. I was born on the anniversary of Mississippi being made a state. So, for the second time. I don't remember, was I born on the anniversary of when they were made a state the first time? At some point.

[00:01:50] Paul: I literally have no idea.

[00:01:52] K: One of the other weird facts I put in my LinkedIn profile, I've added to my LinkedIn profile that I am a deltiologist. That was a trivia question that I did not know. And when I looked it up, I was shocked. It is a person who collects postcards. I collect postcards. I've only ever had one person ask me what a deltiologist is.

[00:02:11] Paul: So I'm number two now. Well, that's a

[00:02:13] K: You're number two now. Come on,

[00:02:15] Paul: there is, there is one, if you are, if you're going into, into dates and those kinds of things I was born on the 24th of November, 1982, and that's also the date of birth or can, can be considered to be the date of birth of the so called Dutch polder module. 

And that is the spirit of compromise that exists in the Netherlands between politicians and employers and employees and in finding the right balance in all kinds of social policies.

[00:02:45] K: well, you are the perfect person to celebrate that. 

[00:02:48] Paul: Well no, I mean, Probably this agreement was signed somewhere in the evening. I was born at 10 p. m. So we're about the same age, I would

[00:02:57] K: So not the anniversary of that date, the actual date.

[00:03:01] Paul: The actual date

[00:03:01] K: is cool. That is true. We're going to have a spirit of compromise and therefore give birth to Paul Breitbart. I like it.

[00:03:08] Paul: Something like that. Although I don't think that my mother was involved in the negotiations on that. You don't think she was going through the thought process? No, I don't think so.

[00:03:18] K: Well, we have quite a few things. We haven't done a week of privacy in a while. I know y'all it's either feast or famine. We're going to give you a week of privacy week after week after week, or we're just going to swamp you with other things. And then in a month, we're going to give you a month of privacy.

So I'm going to run through quite a few things that have happened in the past few weeks. And then. just as a listing, just in case it didn't hit your where radar, here's some things that have happened. And then we're going to go back and cover a couple or three or four of them in, in detail. Okay. So if you missed it update on the global CBPR forum.

I think we mentioned that before that they're coming together. They're issuing accountability agents. In Japan, Korea, Singapore, Chinese Taipei, the United States looking at that. So getting global CBPRs and global PRP, which are the processors for that, again, as Paul mentioned, may not be a direct crossover with BCRs at this point, but still for a global privacy problem, good thing. NYOB, in case you missed it, launched a complaint against open AI with the Austrian data protection authority. 

[00:04:23] Paul: and 11 and 11 against META again,

[00:04:26] K: yes, I saw that one. That was probably in the second week update. But Italy did reinstate chat GPT after open AI addressed their concerns that they had previously covered. 

[00:04:38] Paul: which wasn't a blessing that it's all in order. They also made that very 

[00:04:43] K: No, it wasn't,

[00:04:44] Paul: the European data protection board is following up because they have just released a report on the work of the chat GPT task force and are now set out to develop guidelines on generative AI, including on data scraping in the context of AI training.

[00:04:59] K: which is something if you're not paying attention to, you need to pay attention to. We've said it before. We'll say it again. And we'll probably keep saying it until the day we both die. But just because information is published online does not mean it is publicly available for commercial purposes for businesses to use and train their AI.

That includes on LinkedIn, which people seem to think is public. It's not. we, we already covered that there was a plaintiff against general motives for the IOT in the information's and the sensors and everything and what they're doing with that. And that was also about the same time that U.S. Senators White and Markey revealed that the detailed location information that the car manufacturers are given to law enforcement and the transparency there, so. Automakers had pledged not to do it. They broke that. So they didn't have it, but back over to Europe, the EU council approved a protocol to facilitate the free flow of data between EU and Japan.

I think Paul and I mentioned that one before, so I am going back a couple of weeks here. The UK implemented some laws safeguarding consumers and businesses from cyber threats requiring smart devices, IOT to meet minimum security standards, manufacturers are now required to protect against hacking.

And this is something we've also talked about years, years in the making. Paul is the default password has to be changed. You have to ban easily guessable default passwords like monkey. 123 is apparently one of the most common ones.  Yeah, right. Password. Exactly. I before we get off, I'll look up what are the most common passwords.

I don't think I did those for 2023. We'll look those up. The U. S. Department of Commerce announced some new initiatives under the A. I order for NIST to improve the safety and trustworthiness of A. I. So that report, I believe, is also coming out. That's one of the things that we'll talk about or that will make sure that we share the link for you to have, the FCC find four major us wireless carriers, nearly 200 million for on lawfully sharing customers location data without consent.

Same thing along the line as the auto manufacturers, there should be measures in place to require certain authority. Don't just give it out when the law enforcement asked for it. I mean, by the way, if you haven't looked at those transparency report for wireless carriers, just go pull them up. They're, they're quite eye opening.

Effective in less than a month, the Florida governor signed a bill mandating explicit disclaimers on political advertisement, ensuring transparency in AI used for political campaigns. Oh, are we undergoing some sort of controversial political campaign election season in the U S 

[00:07:40] Paul: or in the UK, or in Europe at 

[00:07:43] K: or in the UK or Europe. Now back to you. The Dutch Data Protection Authority, as you said, issued guidance against the web scraping. I think that's what you were referring to a little while ago, right?

[00:07:54] Paul: Yes.

[00:07:55] K: Okay. So they do have that. We'll make sure that we get you the link for that. The Australian officials announced a comprehensive overhaul of their privacy act. We discussed this before, so I won't, I won't do a lot of details. They had their privacy awareness campaign. Stop it at the start. They're protecting women and children online. 

[00:08:15] Paul: However, Carly Kind, if you're listening, we'd love to have you on.

[00:08:18] K: Yes. Yes, we keep saying that. We keep meaning it. It needs to happen. The European Commission introduced whistleblower tools.

Now, this is something Paul and I, I think we discussed this our first year about how whistleblowing in the EU needs to be disclosed and controlled. It's not quite the same way it's taken here in the U. S. So you may have a whistleblower program, but there are specific protocols you need to follow. If you're in Europe so there are the European Commission introduced some whistleblower tools for the Digital Services Act and the Digital Markets Act.

So make sure we'll again, we'll give you the links for those. Microsoft released its first responsible AI transparency report. I haven't found someone from Microsoft to come on and talk about it yet, but I'll be honest, I haven't asked either. Now in this past week, let's look and see what happened here.

I know that the IAPP AI governance global happened in Brussels. I see lots of announcements on LinkedIn about, especially about the women and AI and everything. So that looks like it went really well. That's fabulous.

Okay, this week. What happened this week, Paul? Let's look and see what happened this week. Colorado passed their Colorado AI Act. We mentioned that already, and it goes into effect when? February 2026, I think. January, February 2026. So, in about 18 months, I think. 

[00:09:44] Paul: I haven't read the Colorado AI 

[00:09:46] K: shocked. I'm

[00:09:49] Paul: I know, figure, I'm, I figure you are shocked, but there are too many other things happening that have a direct impact on my day to day life and work life. And somehow Colorado AI for me has no impact yet, given that we are not 

[00:10:04] K: You're like, 

[00:10:05] Paul: yet.

[00:10:06] K: your side of the world. 

[00:10:07] Paul: that's on your side of the world for sure. But also, I mean, Colorado is not my primary market.

[00:10:13] K: yeah, 

[00:10:14] Paul: Believe it or not. 

[00:10:15] K: believe it or not, go figure. Pa's not really worried about Colorado. I'm a big fan of Colorado, but I got it. I get it.

[00:10:23] Paul: to Colorado.

[00:10:24] K: Oh, we should do a trip to Colorado because Colorado is pretty fabulous. It's gorgeous. But I live on this side of the country now. And in Europe, that would be like what, three or four countries away.

[00:10:36] Paul: Mm hmm. 

[00:10:37] K: All right the California Privacy Protection Agency's hearing is set for June 21st in the Superior Court of California, County of Sacramento, so that's literally two weeks away. So we will watch for when that happens and see what comes out of that.

[00:10:53] Paul: So what's the hearing about? 

[00:10:55] K: Oh their rulemaking authority. can the agency issue regulations without providing a grace period for compliance? Now, again, we've had this come into effect when there was no grace period. Explicitly provided for when we eliminated the,

[00:11:12] Paul: the privacy shield. 

[00:11:13] K: Yeah, there we go. The shield. That was the last one eliminated. Not the last one to be eliminated because another one's going to happen, but at least it was the, the most recent one. And there was no explicit provision to recognize other compliance measures.

So in other words, if you didn't put something in place, you were technically in violation of European data transfer laws. California is issuing regulations without giving a grace period for compliance. And they're saying, is this legal? Can you do that? It was filed by the California chamber of commerce.

They want to delay implementation of the California Privacy Act regulations.

[00:11:51] Paul: Well, good luck with that. I mean the law is the law is the law already So

[00:11:55] K: California is a different beast. all 

[00:11:57] Paul: it's true, but I mean, it's strange, right? I mean that would basically say be like saying To the European data protection board. Oh yeah. You've now given guidance on the interpretation of the law and how you are going to apply the law. And now you need to give us another year to comply because we were not compliant with the law itself already. Doesn’t

[00:12:19] K: Well, and that's the thing. We have the law, but then the regulations give you the details on how to comply with the law. But you're right. Essentially, the law is the law. It's just, The California Privacy Rights Act wants you to place a big blue button at the bottom of the page that says do not sell My data.

This is just a hypothetical And the law doesn't say to place the big blue button on the bottom of the page It says you have to allow a method to opt out. So it's the details

[00:12:45] Paul: Yeah, well then you can challenge in court when you get a fine that you don't have a big blue button, but have a big green button. Then that is something you can challenge. But to just challenge, hey, you put out guidance how you are going to apply the law. 

[00:13:00] K: here here's the thing. Is that not considered a dark pattern? I mean, I know this is completely hypothetical 

[00:13:06] Paul: If it's a bright green button instead of a blue button, no, that's

[00:13:09] K: Well, no. If they say you have to put a bright blue button on the bottom, or bright red button, bright green, bright brown, bright pink, whatever it is, if you put something in a contrasting color that is intended to capture peoples attention so they click on it and they pay attention to it, isn't that a dark pattern?

Laughs

[00:13:28] Paul: effect on the individual.

[00:13:29] K: Right? 

[00:13:30] Paul: Otherwise the intentions are not dark, right?

[00:13:33] K: Right. The intentions aren't dark. It has to be an intention to subvert someone's independent decision making capability. But there you go. Okay. Maryland also signed in two significant measures for online data protection. The Maryland kids code. We talked about that briefly that we now have another state with the Maryland kids code.

[00:13:50] Paul: So when you talk about Maryland and children's privacy, Maryland was not the only one this past couple of days talking about kids privacy because we have Not only the Nordic privacy arena. There is also the Nordic data protection authorities conference which came together at the end of May which comprises the data protection authorities from Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden, and Åland.

And they met in Oslo for their annual conference. And one of the things that they adopted was joint principles on children and online gaming. they should be published shortly I haven't seen them yet. And these principles will set out how the children's rights should be safeguarded by game developers.

And there are quite a few game developers in the Nordics obviously Rovio from Angry Birds being the most recognizable one. But children's data, and especially in relation to online gaming is a big topic for the Nordics this year.

[00:14:51] K: and we have a wonderful guest that we've brought on before. 

[00:14:56] Paul: Leena Kusniemi.

[00:14:57] K: Yeah, her and Benjamin Siegel, both on gaming for kids. So that might be a great episode to tee up for y'all as well as to get those on talking back about gaming again, because we've seen significant advancements.

In this and children's protection. So I think that would be cool as well as some enforcement actions that's happened since we did the last episode. So we already covered the, the letter to Congress saying, don't preempt our state data protection laws. I think we're up to 17 or 18 us state omnibus privacy laws.

But back over to you, Spain's data protection authority released guidelines for Wi-Fi tracking technologies. of mobile devices, unauthorized tracking of children back to geolocation, different things like that. And then of course, the big stories of the day that we have to talk about was the NOI filing against meta.

Did you want to go into that one? Or was there another one in particular you wanted to go into? I know there was a few things that we had that were pretty major. We needed to talk about.

[00:15:58] Paul: Well, that is certainly one of them. Maybe one further point from the Nordics because they also have considered artificial intelligence. and of course, a lot of the work on artificial intelligence, as I just mentioned, Will be happening in the European data protection board, but they have also made clear that they are very concerned about their resources because AI will require a lot of extra capacity from the data protection authorities.

So there is a call to the Nordic governments to review funding to see whether that's sufficient to also deal with the additional responsibilities for artificial intelligence. As mentioned, the EDPB adopted their report on the chat JPT task force. That also goes into the lawfulness of the tooling, the fairness, transparency.

So basically all the data protection principles. I'll admit I have not been able to read that yet, but it is on my reading list for the next couple of days. 

[00:16:55] K: You have nothing else to do over the weekend, right? 

[00:16:58] Paul: well, yes, no, maybe. The other thing that the data protection board adopted is an opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports. And I think I already ranted about Heathrow airport sneakily, sneakily taking my picture and matching it to my passport. Basically, the data protection board says, that's not allowed. 

[00:17:25] K: Sneakily taking your pigeon. However, I love it when I see the, notices at the airport saying what they 

[00:17:31] Paul: Which notice? 

[00:17:32] K: off of that a little bit. 

[00:17:34] Paul: There still is no notice.

[00:17:35] K: Well, at U. S. airports they have big posters. 

[00:17:39] Paul: Heathrow. No.

[00:17:40] K: Really, which is crazy, right? Y'all say America has no privacy and we're the ones posting big posters and notices saying that you can ask for alternative processes. You don't have to use it, but I figure hell, my face is plastered everywhere. Who

[00:17:54] Paul: Well, let's not forget this is Britain. This is no longer Europe. I know it's a painful point for many, including for Ralph. 

[00:18:01] K: Europe. It's not the European Union.

[00:18:03] Paul: Yeah. And so we, we disqualify them as being European. 

[00:18:07] K: Honorarily disqualified from Europe.

[00:18:10] Paul: They want to be different, then let them be different, but  yes, some notices, please.

but basically the data protection board says, no, you are allowed to use biometrics, airports to recognize passengers and, and help them with all the checks, but only if the key is in the hand of the passenger. so then basically I guess your passport or your phone should be the key where that information is stored, or maybe your boarding pass or something like that. 

[00:18:37] K: on your phone, right?

[00:18:38] Paul: Or maybe just, well, it could be your paper boarding pass. I, I, I'm not sure how they, And visage this. and I'm very curious to see which of the data protection authorities will be the, for the first to start enforcing this. because it's I think it's, it's interesting and I do agree with the legal analysis, but I also think it's probably very hard to start enforcing this right now.

[00:19:03] K: Yeah. Well, in here in the U S we're trying to go to travel IDs, which is an upgraded version of your driver's license that they had a deadline before God, I think it was in 2020 when everything shut down for COVID. Of course they delayed it. So now the deadline is back. It is sometime, I think next year. But since I need to go register to vote, cause you know, election season I'll get a, a travel one here for South Carolina. So there's a thing, 

[00:19:33] Paul: So one other thing if you talk about travel is that the European Union will soon introduce the EU wide entry exit system. This is similar to the ESTA that already exists in the United States. So the electronic travel authorization that you need to obtain before you are allowed to travel to the United States. Europe will have something similar.

[00:19:54] K: Oh, cool. And well, that's part of the discussion, whether it's cool or not.

Is it cool? Is it not cool? I like having simplified processes when you travel. My daughter just traveled with me over to Arizona for my other daughter's graduation and traveling with me was quite the experience for her. Because I am snap, snap, snap. I like everything organized and in line and, streamlined and efficient.

And I like to get on the plane first. So I don't have to worry about whether or not my suitcase is coming on the plane with me. I like everything organized and done, and I like being at the gate on time and she doesn't care.

[00:20:35] Paul: ah,

[00:20:36] K: Traveling with me was quite the eye opener for her. She's like, Mom, you are so OCD. I'm like, this is not OCD. I am a control freak. There's a total difference.

[00:20:47] Paul: well, the European entry exit system will apply as of October of this year.

[00:20:54] K: Okay. 

[00:20:55] Paul: doesn't seem that at this point you need to do a prior request. And that it is mainly the documentation, but that means that everything needs to be. Needs to be scanned,

[00:21:06] K: Right. We have that too. The mobile passport, mobile. No, it's not the mobile passport. It's the, the stuff they tell you, you can fill out on your phone and answer all the questions and then you just show them the QR code and you're done.

[00:21:19] Paul: Yeah. That's the old the old paper form, right, that you get, the, the landing card.

[00:21:26] K: Yeah, did you, did you, do you have anything to declare? Did you buy over 50, 000 worth of stuff? Did you bring any live animals with you? 

[00:21:33] Paul: to murder the president or commit a 

[00:21:35] K: Yeah. And you know, it's, it's only the criminals that are going to lie about it. So. 

[00:21:39] Paul: Exactly. 

[00:21:41] K: Okay. So, yeah. I wanted to dig a little bit into the NOYB complaint. Not, not that I really think that that's earth shattering for anybody.

But the NOYB complaint against Meta for, for the news. Oh, by the way, there was other news. in case anybody missed it in the privacy world. 

Keith Enright is no longer at Google as their chief privacy officer. He made a post on LinkedIn and announced that he's kind of got, I kind of got the impression excited and scared all at the same time.

You know how that comes, but I've not yet seen what he's announced that he's moving on to. I did however, see the FDF AI. Okay. Council announcement. I expected to see his name on there. Maybe that was the next thing he was going to FPF and join the think and do tank, which I, by the way, Jules Poloneski, I don't know if you're listening to me or not, but how on earth do I get more involved in the FBF 

I want to go do something with the FPF. I want to do something with simple too. I want to get more involved in some of these think tanks because I think I've shared with y'all before, if I was to win the power ball and become insanely rich. I would still do privacy.

[00:22:47] Paul: Of course. I mean, that's your passion. Just two steps back to Keith Enright, because you keep blazing on. 

[00:22:55] K: I've had nothing but Hershey's chocolate to drink today and Dr. Pepper. That's all I've had. And it is 2. 30 in the afternoon. 

[00:23:02] Paul: This is Sugar Rush K.

[00:23:04] K: Yes. Breakfast, lunch, everything. Hershey candy bar and Dr. Pepper.

[00:23:08] Paul: That's a very scary version of K, I can tell you. But apparently Keith won't be replaced as Chief Privacy Officer. 

[00:23:15] K: That's what I understand as well.

[00:23:17] Paul: that is the scary part of course, what is going to happen there. 

[00:23:20] K: And it's being absorbed into the business. I think is what I'm seeing online.

[00:23:25] Paul: Well, the good thing is that Google still has about a gazillion other privacy people left. 

[00:23:30] K: Some of our favorite people are at Google as privacy people 

[00:23:33] Paul: and I actually just sat in a session yesterday at Google's Amsterdam offices with their global DPO,

[00:23:40] K: So not the one that I accidentally met at IAPP and got a, got a quick snippet from. Chrissy John Flynn 

[00:23:47] Paul: is the global DPO, but I am reaching out to her.

[00:23:50] K: Oh good, but we all know Paul, I'll never be that person at a company like Google or something that everybody's like, Oh my goodness, Kay resigned as CPO from Google. These companies don't want me.

[00:24:01] Paul: No, no, you're way too outspoken

[00:24:05] K: Right. 

[00:24:06] Paul: public.

[00:24:07] K: Yeah, 

[00:24:07] Paul: That's so yes, let's, let's look a bit into Meta and the complaint by Noyb. This goes back to the 6th of June but it actually goes back a few days earlier when Meta announced, well, no, before they even announced, some people found out that Meta intends to use your old Facebook and Instagram posts and pictures and videos to help train their large language model for generative AI.

And some people started reaching out to Meta's privacy team already to see if they could opt out. That coincided, I think, more or less with Meta's in app announcements. Hey, we are going to do this. Read more about this. And then if you jump through a few hoops in the app, you would be able to send an opt out request.

Which I did also to try it. And for Europe, it actually works very quickly because within two minutes, I had to confirmation your data will not be used. so apparently if you are under GDPR, it's an automated process with auto approval, because I also saw some messages from non EU people that are still waiting for a response. So 

[00:25:14] K: that easy here.

[00:25:16] Paul: So we'll see but at the same time NOYB is also filing complaints in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain against this use of personal data for AI technology claiming it's not a compatible use and challenging meta statement that they can use any data from any source for any purpose and make it available to anyone in the world as set

[00:25:43] K: As long as it's done with AI technology and they don't define what AI technology is.

[00:25:49] Paul: No, obviously not. 

[00:25:51] K: So, 

[00:25:52] Paul: and the question of course, this can also, this can only be done on the basis of consent or legitimate interest, because it's something and, and, and you can even argue it cannot be done on the basis of legitimate interest because it needs to be a compatible use. And if it's not compatible you need to have 

[00:26:08] K: exactly. And so, The Irish DPC has come out and said that Meta delayed the launch following the number of inquiries from the DPC. As y'all know Facebook's European is hosted in Ireland. So Ireland, like a lot of American based companies has jurisdiction over a lot of that. We’ve already seen this when we talked about the consistency, the consistency mechanism as well.

I also have not read the most recent report issued by the Irish DPC. Which I understand is a fascinating read, but I need to actually go read. Yeah, their annual report. I love to read that. Actually it's, it's, it's very illuminating. but it said that Meta gave users four weeks of notice ahead of the initial training.

Now for a while now, I've had the stupid little Meta AI, little bar at the top for searching. You can't search on Facebook. For things unless you use their stupid little AI search thing, here in the U. S. At least on my mobile which is now and basically I just go on and post my wordle anymore But there we go But their large language model is called llama the latest version llama 3 was released in April It's the one they use to power the meta AI which is not available in Europe yet. 

[00:27:21] Paul: and part of the complaint from Noyb is also that Meta claims at least not to be able to distinguish between data from users in the European Union or European economic area and other people around the world. but I that because why would I then so quickly get my opt out confirmed if they wouldn't even be able to 

[00:27:41] K: well, when you opt out, yes, but if I talk about you on Facebook, how do they know that you're in Europe? 

[00:27:47] Paul: no, of course. Then they don't, then they don't 

[00:27:49] K: you know, so they, they can't make it across the board because it depends on, I think they're doing the geo fencing and everything. And again, if you're using VPN, they don't have accurate thing. If you don't put where you actually are when you create your account, things like 

[00:28:03] Paul: the same time if you tag me and I have opted out Then they already know that I am in the picture. So that should do it Obviously if you haven't tagged me, which you wouldn't be able to do because I'm no longer on Facebook then it would be harder and then I understand that they can't make that distinction but that, that's one, the same also for special categories of personal data that they would not be able to distinguish.

And that's of course where it becomes really tricky from a legal perspective. 

[00:28:32] K: a challenge, right? 

[00:28:33] Paul: Yeah. I mean, and that's probably for data protection authorities going to be a no brainer. And also here. Probably Norway to the rescue because Norway had already put out a blog post before Noib's complaint, arguing that it is highly doubtful whether Mette's approach is legal.

Surprise, surprise.

[00:28:52] K: Surprising.

So, we'll see, we'll see what happens. And squirrel note speaking of Facebook, there is someone that just won the Mrs. Arizona USA. No, Miss Arizona USA. and her first name is the letter K.

[00:29:10] Paul: Congratulations.

[00:29:11] K: one to win one of the state pageants that is over 40 as the Miss USA pageant has increased its age limit or eliminated the age limit.

But her first name is K and I've only ever met one other person whose first name was the letter K. And that is a, 

[00:29:26] Paul: the winner.

[00:29:27] K: She was. This guy was a male attorney in New York. So, he was not the winner. But believe it or not, I heard about this because of a lady in the UK who posts pageant news.

[00:29:39] Paul: But I honestly thought it was you but it is not you.

[00:29:41] K: It is not me yeah, I've won a few pageants, but not Miss U. S., not, not the Arizona USA, trust me. They look for a little bit different of a body type than my very curvaceous one.

[00:29:52] Paul: Well still congratulations are in order and other Congratulations are in order for Dr. Irith Kist! She defended her PhD successfully on the 5th of June. I watched the defense She did She did really well She did really well. It was very nice to see. She got some very complex questions, 

[00:30:14] K: congrats. 

[00:30:15] Paul: but yeah, very happy for her.

[00:30:17] K: But I think that is plenty of news for this week. I will tell y'all that I'm interested in pursuing the AIGP certification from IAPP. I was not in this first wave of several hundred people that did it, but I am interested in pursuing that. So I'll be looking at the study resources and everything for that. So I'll let y'all know how that goes 

[00:30:37] Paul: I will be at legal tech talk in London next week, Thursday, Friday which is supposedly going to be a very big conference for all kinds of legal tech. So I'm looking forward to that one. If you are going to be there give me a shout it's near the O2 arena so in the east of London. Let me know if you're going to be there, if you want to catch up. I'll try to do some recordings while at the conference, but never know how that's going to go. 

[00:31:05] K: I will try mine as well. I'm going to be at the state bar of Arizona conference. We're doing an afternoon program on AI. So I am flying out there. Our panel won the president's award for the state bar conference.

So AI, unfortunately it's at the same time that the free CLE for Brown versus the board of education panel which is going to be very much a draw for people to go to that for that. So that's going to be interesting, but yeah, I'll try the same thing if I get some people out there. I am speaking with again, other privacy professionals around Arizona.

One of them is actually private practitioner that takes privacy cases. So deals with a totally different type of privacy than I would. I deal with, he deals with invasion of privacy and, and all of that stuff. We don't address those types of issues. Although, 

[00:31:53] Paul: whereas you are much more into data protection.

[00:31:56] K: Right, exactly. So he takes private cases. I do cover it in my privacy class for the students to make sure they understand there is the world out there doing that. But also the professor that I teach with, Gary Marchant will be there as well. So looking forward to seeing him in person. It's been about a year since I've seen him and so maybe I'll be able to get some words from him.

He's pretty cool.

[00:32:16] Paul: And I will be talking about navigating data, privacy, and AI, how to build a dependable policy where I also will once again, be advocating for a risk based approach 

So on that note, we'll wrap up another episode of Serious Privacy. If you like us, join the conversation on LinkedIn. You'll find us under Serious Privacy. You will find K on social media as @HeartofPrivacy and myself as @EuropaulB. next week, goodbye.

[00:32:43] K: Bye y'all.