Masters of Privacy

Jakob Plesner Mathiasen is an attorney with a focus on Intellectual Property and emerging technologies. He serves as the Secretary for the Danish Society for Copyright Law and is the mind behind the Danish Entertainment Law podcast. He also teaches Entertainment Law at the University of Copenhagen.

With Jakob we’ll try to better understand the copyright implications of Generative AI, and this should help many DPOs, CPOs, or innovation managers deal with the intellectual property side of their new AI Governance responsibilities.

References:

• Jakob Plesner on LinkedIn
• Reuters: “Getty Images lawsuit says Stability AI misused photos to train AI”
• The Washington Post “‘Game of Thrones’ author and others accuse ChatGPT maker of ‘theft’ in lawsuit”
• Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (Infosoc Directive)
• Directive on Copyright in the Digital Single Market (DSM Directive)
• The Wrap: “Adobe Will Reimburse Firefly AI Users Against Copyright Suits”
• Microsoft announces new Copilot Copyright Commitment for customers
• David Bowie and Queen vs. Vanilla Ice
• Copyright law of Japan (in English)
• Entertainmentretten (Danish Entertainment Law) Podcast (in Danish)
• Danish Society for Copyright Law
• Adrian Sterling: World Copyright Law

Have you spent the past three months isolated from the world? We are bringing you up to speed with a long list of updates and news at the intersection of marketing, data, privacy, and technology.

Visit this episode's blog post on Masters of Privacy for a long list of references and notes.

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

__

This was a pretty active season in terms of regulatory updates and decisions or guidelines coming out of supervisory bodies:

Spain’s AEPD issued a decision on the use of Google Analytics by the Royal Academy of Spanish Language (“RAE”), becoming the first EU Data Protection Agency to see the glass half full in the use of the widespread digital data collection service (having been considered high-risk in Denmark, Italy, France, the Netherlands and Austria). It must however be noted that the RAE was only using the most basic version of the tool, without any AdTech integrations or individual user profiling - and in this regard aligned with the CNIL’s long-standing guidelines for the valid use of the tool.

At EU level, the Artificial Intelligence Act (which we have covered this quarter in a couple of Masters of Privacy interviews) made fast progress with the Council adopting its final position. At the same time, new common rules on cybersecurity became a reality with the approval of the NS2 Directive (or v2 of the Network and Information Security Directive) on November 28th. The updated framework covers incident response, supply chain security and encryption among other things, leaving less wiggle room for Member States to get creative when it comes to “essential sectors” (such as energy, banking, health, or digital infrastructure).

Across the Channel, the UK’s Data Protection Agency (ICO) issued brand new guidelines on international data transfers, providing a practical tool for businesses to properly carry out Transfer Risk Assessments and making it clear that either such tool or the guidelines provided by the European Data Protection Board will be considered valid.

Already into the new year, the European Data Protection Board (EDPB) issued two important reports, on valid consent in the context of cookie banners (in the hope to agree on a common approach in the face of multiple NOYB complaints across the EU) and the use of cloud-based services by the public sector. The former concluded that the vast majority of DPAs (Supervisory Authorities) did not accept hiding the “Reject All” button in a second layer - which most notably leaves Spain’s AEPD as the odd one out. They did all agree on the non-conformity of: a) pre-ticked consent checkboxes on second layer; b) a reliance on legitimate interest; c) the use of dark patterns in link design or deceptive button colors/contrast; and d) the inaccurate classification of essential cookies.

The latter concluded that public bodies across the EU may find it hard to provide supplementary measures when sending personal data to a US-based cloud (as per Schrems II requirements) in the context of some Software as a Service (SaaS) implementations, suggesting that switching to an EEA-sovereign Cloud Service Provider (CSP) would solve the problem and getting many to wonder whether it also refers to US-owned CSPs, which would leave few options on the table and none able to compete at many levels in terms of features or scale.

All of which can easily lead us to the latest update on the EU-US Data Privacy Framework:

The EDPB released its non-binding opinion on the status of the EU-US Data Privacy Framework (voicing concerns about proportionality, the data protection review court and bulk data collection by national security agencies). The EU Commission will now proceed to ask EU Member States to approve it with the hope of issuing an adequacy decision by July 2023. This would do away with all the headaches derived from the Schrems II ECJ decision (including growing pressure to store personal data in EU-based...

Sandy Tsakiridi is a ​​dual-qualified Senior Legal Counsel in HSBC's global Data Privacy team. As part of her responsibilities, she provides advice on privacy-related matters, including privacy risk management across all customer-facing lines of business and internal functions of the HSBC Group. Prior to her current role, Sandy worked as an external legal counsel in leading international law firms and one of the Big Four in Brussels and London.

Sandy holds a Bachelor and four postgraduate degrees in law from University College London (UCL), the London School of Economics & Political Science (LSE), Université Paris 1 - Panthéon Sorbonne and the Brussels School of Competition. She is an Advisory Board Member of the International Association of Privacy Professionals (IAPP).

We cover, in this order:

• What can we expect from the upcoming EU Artificial Intelligence Act?
• What does it take to deploy an AI Governance Framework in the Financial Services sector?

References:

• Draft EU AI Act
• Sandy Tsakiridi on LinkedIn
• Recorded contents of the Legal AI Summit (Sandy was a speaker in 2022)
• Upcoming changes to UK Data Protection laws

With Nina Müller, Ethical Commerce Alliance Director and host of the Ethical Allies podcast.

References:

• Full Newsroom (Fall 2022)
• Tara Taubman-Bassirian on the Instagram fine
• Peter Hense on valid consent
• Cory Underwood on Google Analytics and Sephora
• Derek A. Lackey on Joe Biden’s Executive Order (a marketer’s perspective)
• Stephan Grynwajc on Joe Biden’s Executive Order (a lawyer’s perspective)

Selected updates:

Enforcement

Starting with Europe, the most discussed recent case, and perhaps the most complex, is Ireland’s 405m EUR fine to Meta for the manner in which it exposed contact details for 13-17 year olds on Instagram business accounts. At its core: the European Data Protection Board (EDPB)’s intervention to find a compromise between the Data Protection Commissioner (leading supervisory authority for most US tech giants) and other Data Protection Agencies accusing it of resting on its laurels.

Perhaps even more relevant to the interplay that we mostly care about (MarTech/AdTech + Privacy) was the French DPA’s announcement of a potential 60m EUR fine for Criteo. All hints point to a lack of proper oversight in the obtention of valid consent through publishers and advertisers. The role of these two was instrumental in building what the company had once claimed were “IDs and interests for 72% of all internet users”, so this case could bring us full circle into the Consent Management Platforms debate and whether they can be relied upon. All in all, it is no wonder that Criteo has moved firmly into first-party data territory, now calling itself a Commerce Media platform.

The Digital Analytics space got its own share of excitement too. Denmark became (with Austria, France, and Italy) the fourth country to make it clear that Google Analytics breached the GDPR unless additional measures are taken. As explained in detail by France’s CNIL, the only way to avoid scrutiny was using a reverse proxy (a company’s own EU-based server, filtering out important pieces of information prior to forwarding calls to Google’s servers). As many will remember, this was only the tip of the iceberg of the 101 complaints filed by NYOB against companies using either Google Analytics or the Facebook pixel.

Next in line was TikTok, quickly catching up with Meta/Facebook and Google in terms of privacy violations, penalties, privacy lawsuits and privacy-related scandals. Its latest trophies: the UK’s DPA (ICO)’s proposed 27m GBP fines for its mishandling of children’s data (they were allowed to sign up without parental consent, information provided was insufficient, and special categories of data were being processed), a 92 million settlement in Illinois (under the State’s Biometric Information Privacy Law on which every major social media platform has stumbled before) and recent coverage of the manner in which its tracking pixels follow everyone around the web.

Legal updates

It may not be a new law or court case, but Joe Biden’s Executive Order to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) is the biggest piece of news on this front. All going well in Brussels, it could put an end to the nightmare currently faced by the millions of customers of US-based SaaS MarTech and AdTech solutions that happen to process data on US soil, including Google Analytics, Mailchimp, HubSpot, or Salesforce Marketing Cloud.

For its part, the UK wants out of the GDPR and this could actually result in a more dynamic e...