PrivacyPod

In this episode, our experts Hannes Saarinen and Pilvi Alopaeus take a closer look at one of the largest data breaches in Finland, where an attacker gained access to the City of Helsinki's network drive—compromising the personal data of around 300,000 people living in or, for example, attending school in Helsinki. To help us unpack the case and the newly published investigation report, we're joined by Mikael Hitruhin, Data Protection Lawyer at the City of Helsinki, who has been part of the city's investigative team. What went wrong? How could this have happened—and what does it have to do with Swiss cheese? We dive into both the technical and legal aspects, as well as Mikael's experiences and lessons learned from working through such a significant and devastating attack. We'll also explore the upcoming change in Finnish law that would empower the Data Protection Ombudsman to issue fines to the public sector. Will the threat of fines raise the level of data protection in public organisations—and how might it affect public trust and the sense of justice?   LINKS: The report: https://www.turvallisuustutkinta.fi/material/sites/otkes/otkes/mvyzc49g6/P2024_Helsinki_Investigation_report.pdf   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

We are back from summer break with a bunch of positive energy (that lasted through about the first two cases). This episode was recorded by Hannes, Jyri, and Pilvi on the historical day of data transfer anticlimax, despite all the LinkedIn posts preparing to sell you more legal advice. So, in this episode, we cover: The Latombe I that was not meant to be (insert violins and a slow dramatic tear). The court said nothing to see here, move on. Nevertheless, we have opinions. Austria's Data Protection Authority took five and a half years to order YouTube to give people access to their personal data. Like good art, this stirred up some strong feelings in our hosts. Google was not ordered to sell off Chrome and/or Android, but they were ordered to make the playing field a bit more open. TikTok faces new investigations into their data transfers to China. Listen as our hosts jump into this rabbit hole and end up wondering: who is the true James Bond villain… and could it be… the EU? Are we the baddies? Is the EU becoming authoritarian if it passes a law that will allow it to scan all private and even encrypted messages? More countries are objecting to this. What is at stake here — our European way of life?   Prepare for a rollercoaster of emotions, grab some popcorn, and hopefully, enjoy!   Latombe: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf NOYB vs. YouTube https://www.euractiv.com/section/tech/news/austrias-privacy-watchdog-tells-youtube-to-give-users-access-to-their-data/ https://noyb.eu/en/noyb-win-youtube-ordered-honour-users-right-access Google and antitrust: https://www.bbc.co.uk/news/live/cg50dlj9gm4t China, James Bond, and TikTok: https://cybernews.com/security/tiktok-irish-investigation-eu-data-reached-china/?utm_source=chatgpt.com  EU…the baddie? About screening your messages: https://www.techradar.com/computing/cyber-security/chat-control-the-list-of-countries-opposing-the-law-grows-but-support-remains-strong?utm_source=chatgpt.com   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

This PrivacyPod special episode was recorded on the very day the Latombe decision (T-553/23) was made, capturing the immediacy and raw analysis of a pivotal moment in EU–US data privacy law. Host Joost Gerritsen, together Prof. Dr. Gloria González Fuster (VUB, LSTS Director) and Pablo Trigo Kramcsák (PhD researcher, LSTS) delves into the EU General Court's ruling and its implications for the EU–US Data Privacy Framework. With the judgment only hours old, the discussion is lively and unfiltered, blending critical legal insight with candid questions from the privacy community. Gloria and Pablo examine the court's highly formalistic approach, questioning whether the decision provides real legal certainty or simply upholds the status quo on paper. They discuss the ruling's weaknesses, including unresolved issues of admissibility and standing, and debate whether the judgment genuinely protects fundamental rights or merely recirculates official arguments without genuine scrutiny. The conversation also covers hot topics like Article 22 GDPR, the functioning of US oversight mechanisms, and the political climate that influences data transfers between Europe and the US. Throughout the episode, the panel answers audience queries, reflecting the pulse of the privacy profession as it digests the breaking news. These real-time reactions make this episode a unique snapshot of expert opinion as legal history is being written, offering essential listening for privacy professionals, legal scholars, and anyone following the saga of cross-border data flows.     If you would like to learn how this case relates to previous rulings and documents from supervisory authorities, please visit Digibeetle: https://digibeetle.eu/latombe  Press release on the Latombe case: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this episode, Jyri and Pilvi have been fished out from the pool and summer vacays to discuss privacy–and they desperately try to be optimistic, it's summer, after all. Whippii. In this episode, we wallow in the following cases: TikTok Class Action in Germany (2000€ for the innocence of a child? How does that work? ) What is happening in the USA… (DOGE access to personal data, Palantir, migrant children's data collected in data banks…Privacy and Liberties Oversight Board (PCLOB) in crisis?) …and should folks in the EU be taking steps to prepare for the fall of DPF and should the EU start to become  independent from the US tech giants? Denmark is leading the way? Spotify SEK 58 million fines remains, no luck with appeals. Japan gets a new AI law – with no penalties – innovation first. Meta replaces people with AI to oversee privacy A Dentist in France gets 50 000€ in damages from Google as they failed to remove negative reviews and their classic argument based on freedom of expression fails.   So crack open a cold one, forgive us for our damaged personalities, and hit play.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]   LINKS: USA (below or open any news site): https://www.cnn.com/2025/06/06/politics/supreme-court-restores-doges-access-to-sensitive-social-security-data https://www.wired.com/story/cbp-dna-migrant-children-fbi-codis/ https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html   Denmark says no more: https://www.thelocal.dk/20250603/danish-cities-drop-microsoft-over-trump-policies-and-financial-concerns   Spotify fines: https://www.imy.se/tillsyner/spotify-ratten-till-tillgang/   Japan and new AI law: https://www.japantimes.co.jp/news/2025/05/28/japan/japan-ai-law/   META and AI: https://www.npr.org/2025/05/31/nx-s1-5407870/meta-ai-facebook-instagram-risks   Dentist got dough out of Google: https://gdprhub.eu/index.php?title=CA_-_RG_n%C2%B0_22/01814&mtc=today  

In this Joost's Case Corner episode Joost, Pilvi and Jyri discuss running and privacy. In fact, the cases on our chopping block today highlights that no matter how complex privacy is, it always comes back to the basic simple questions—that are anything but simple.   The chopping block serves you today the following cases: Meta v EDPB [T-319/24, 29 April 2025] → Meta challenged the EDPB's opinion about consent or pay and asked some dough for it as well–did they really think they would get some cash out of it? And how legally binding are these opinions? CJEU Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] → Corruption and anti-corruption: Can national courts intervene in how supervisory authorities work? CJEU Amt der Tiroler Landesregierung [C-638/23] → can *something* be a controller without it being a legal entity? This case's decision is a pot of gold for all litigators. CJEU Russmedia Digital and Inform Media Press [C-492/23] → case about an ad that advertised someone selling sexual services without the knowledge of the said someone who absolutely did not sell sexual services. Who is the controller here?  So push play and enjoy! Also a massive shout out to Sean Quinn who supported our podcast by buying us coffee.. You made our day, week, and year! Be like Sean, click the link below.   Links: Meta v EDPB [T-319/24, 29 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62024TO0319 Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62023CJ0313 Amt der Tiroler Landesregierung [C-638/23] https://curia.europa.eu/juris/document/document.jsf;jsessionid=5A19CB5FFBBA10630CAA5E780ED68940?text=&docid=297537&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=54213 CJEU Russmedia Digital and Inform Media Press [C-492/23] https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-02/cp250014en.pdf   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this Joost's Case Corner episode Joost, Jyri, and Pilvi discuss why Netherlands you should go to Netherlands as well as some of the latest CJEU cases. On our chopping block today, are: CJEU Deldits [C-247/23] aka. Hungary v. GDPR and LGBTQ+ rights: GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery. Spoiler alerts: we are still proud to be Europeans as the GDPR stood for the side of the good. CJEU Dun & Bradstreet Austria [C-203/22] Automated credit assessment: the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. What about where and how to draw the line for the trade secrets?   These, and an excellent conversation about why carrots are orange (spoiler alert: it has all to do with Netherlands) awaits you!    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected] Joost's Case Corner–why the carrots are orange

In this episode Jyri and Pilvi try to overcome their urge to discuss anything else but privacy and just be negative and tired of how the world is going, and after a while they actually somewhat succeed in that–or perhaps succeed is a bit of a strong word.  In any case, we discuss the current world politics situation and how it might affect the DPF and data transfers to China, not to mention that Latombe I had its day in court. The political situation might also affect the coming GDPR revamp, but in which way? We also discuss the following cases: Meta's and X's decisions to teach their AIs with public posts by its users and what the Hamburg, Irish, and Norwegian DPAs have to say about it; A case from ireland: Is the employer a controller for the employee's personal life data in their work phone? Amazon losing the appeal for MEUR 746 GDPR fines; Spanish DPA giving out EUR 500K fine for the processor that added sub-processors without a proper authorization by the controller. This, and much more that you never wanted to hear on this episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]   LINKS: Meta & X's AI decisions: https://datenschutz-hamburg.de/news/meta-starts-ai-training-with-personal-data   https://techcrunch.com/2025/04/14/meta-to-start-training-its-ai-models-on-public-content-in-the-eu/ https://www.reuters.com/technology/irish-regulator-investigates-x-over-use-eu-personal-data-train-grok-ai-2025-04-11/?utm_source=chatgpt.com   Hypothetical damages: https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=Aktuell&Sort=12288&nr=140810&anz=1159&pos=12 https://gdprhub.eu/index.php?title=BGH_VI_ZR_109/23&mtc=today Work phone: https://gdprhub.eu/index.php?title=High_Court_-_McShane_v_Data_Protection_Commission_(2025)_IEHC_191&mtc=today   Amazon fines: https://www.reuters.com/technology/amazon-loses-court-fight-against-record-812-mln-luxembourg-privacy-fine-2025-03-19/?utm_source=chatgpt.com   Spanish fines: https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202307719&mtc=today

Once again, Pilvi and Jyri are joined by the legendary Joost, in another episode of Joost Case Corner and the magic of European Court of Justice (and Court of First Instance) case law!   In this episode, Pilvi and Jyri (with some connection issues but not to worry Phil and all Jyri fans–he's there!) discuss the following cases with Joost Gerritsen: Case T-354/22: Judgment of the General Court in Bindl v. Institutions, commission (Can an unlawful data transfer to the USA be annulled? Also, 400€ damages for an unlawful transfer of IP Address via Facebook by the EU. A case that highlights the importance of DPF and the difficulties to function if it should fall.) Case C-394/23: Mousse Jan 9 2025 Association Mousse v Commission nationale de l'informatique et des libertés (CNIL) and SNCF Connect. (A data subject was forced to pick a salutation (monsieur/madame) when buying a train ticket because the train company wanted to send marketing, this case made us happy to live in Europe in these st/o+range times.) Case C‑416/23, Österreiche Datenschutzbehörde (Can a Data Protection Authority tell a data subject to stop filing complaints and stick to no more than 2 complaints per month?) We also take a look at what court cases are cooking in the Court of Justice of the European Union and ready for us to enjoy soon!'   This episode will be a great treat while prepping for the end of the world, so do listen in!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]       Links: Case T-354/22: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf Case C-394/23: https://eur-lex.europa.eu/legal-content/fi/TXT/?uri=CELEX:62023CJ0394 Case C‑416/23: https://www.euractiv.com/section/tech/news/eu-court-rules-gdpr-complaints-cant-be-rejected-based-on-frequency/  

It's 2025 and the world is a little crazier… and more orange. So the tea is hot in the global privacy scene indeed, and Jyri and Pilvi are totally here for it.  Not to worry, we don't want to cause extra heartbeats this early in the year by speculating if the DPF will stand through this new orange era of madn…interesting times, but it is absolutely the right time to take a look at China.  We start with discussing the drama regarding TikTok and where we are with that and continue with the news that shook the markets and tech world: DeepSeek. Both cases are closely related to privacy concerns and international politics: what does this all look like from the EU's perspective? The Italian Data Protection Authority is already on the case DeepSeek: what could possibly be their concerns? And how is NOYB after controllers connected to China? We also discusst the power struggle between the Irish authority DPC and European Data Protection Board (EDPB) regarding a NOYB case where the EU Court had to intervene, the new EDPB position paper on the crossroads of competition law and privacy as well as the guideline on pseudonymisation. Oh, and we also go through some latest fines from France.  All this and much more from this disturbingly optimistic episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Today's episode is perfect for the holiday season - or maybe you don't want to think about work stuff during holidays? Oh well, you are very welcome to join the ride with Laura and Pilvi when they discuss consent or pay -models with Filip Sedefov.  What is the topic really about? Are we regulating/focusing on the right things? Is personal data a tradable commodity that you can exchange for free services? What has all this to do with the values we wish we had and what we actually live by? Is the pay or consent just about making money while stomping on people's rights or can it actually be seen as an improvement from the current state of affairs?  Listen in to hear our hosts exploring the arguments while playing all types of devils' advocates from "people will not be able to make informed decisions" to "this is about safeguarding users' autonomy" and everything in between.  With this episode we'll wrap up the year 2024 and wish all our 7 (+ Joost's wife and dog = 9) listeners happy holidays and a Schrems III-free 2025!   LINKS: https://www.edpb.europa.eu/news/news/2024/edpb-consent-or-pay-models-should-offer-real-choice_en    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Gather around the fire, children, and listen closely: it is time once again to enjoy CJEU case law in the best possible way with Joost's Case Corner! Yes, Jyri and Pilvi join forces again with the amazing Joost Gerritsen and dive right back into the CJEU Super Friday cases. In this episode, we will cover: Case C-200/23, Agentsia po vpisvaniyata (A Bulgarian case about whether an individual has the right to ask the agency to delete their personal data from the company registry, the scope of legal obligation as a legal basis, whether signatures are personal data, and if the official opinion of the Data Protection Authority can shield a controller from liabilities if the court disagrees with the DPA's opinion.) Case C-4/23, Mirin (If a first name and sex/gender are changed in one member state, must other member states recognize it as well?) Case C-768/21, Land Hessen (Does the DPA have an obligation to exercise corrective power in all cases of data breaches, particularly to impose a fine, at the demand of the data subject?) As a bonus, we also cover the following cases: C-169/23, Masdi (A Hungarian case focusing on Article 14(5)(c): does the article exempt controllers from their obligation to inform data subjects when the data processing—obtaining or disclosure—derives from national law?) C-80/23, Ministerstvo na vatreshnite raboti (A Bulgarian case about the Law Enforcement Directive (LED) regarding the concept of "strict necessity" in the context of biometric and genetic data collection for creating police records.) So lean back, close your eyes, reward yourself for making it to December of this eventful year, and let the velvety voice of Joost carry you to the wonderful wonderland of CJEU Case Law. Darling, we got you.   Did you enjoy our show? Support us by buying us coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]   Links: Case C-200/23, Agentsia po vpisvaniyata: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62023CN0200 Case C-4/23, Mirin: https://curia.europa.eu/juris/documents.jsf?num=C-4/23 Case C-768/21, Land Hessen: https://curia.europa.eu/juris/liste.jsf?lgrec=fr&td=%3BALL&language=en&num=C-768/21&jur=C C-169/23, Masdi: https://gdprhub.eu/index.php?title=AG_-_C-169/23_-_M%C3%A1sdi  

Tired of keeping up with all the CJEU case law? Want to prepare  yourself for all the cool discussions at the IAPP Brussels event? Not to worry! The Joost's Case Corner covering the CJEU Super Friday cases has landed for you to enjoy. In the first of two of the Super Friday episodes, we will cover: Case C-21/23 Lindenapotheke (What is Art 9 data and what's not? Can companies rat out each other regarding compliance with the GDPR (and is it smart)?) Case C-621/22 KNLT (Can a commercial interest constitute legitimate interest? We also get a brief history of this case and learn to understand the Dutch DPA a bit better and cover some hot tea on the subject.) Case C-446/21 Schrems v Facebook (Can you process publicly disclosed information on sexual orientation for targeted advertising just because it is public information?) We also learn about the most awesome Dutch legal term "breaking through the wall" and Olaus Petri (a priest who lived 1493-1552, in Swedish Olof Persson, who is still an important character in Finnish law) while discussing legal theory of EU law.  So take a good breath, let all the stress of November leave your mind, and enjoy the awesome drama that is CJEU case law!   Links: Case C-21/23 Lindenapotheke https://curia.europa.eu/juris/documents.jsf?num=C-21/23 Case C-621/22 KNLT https://curia.europa.eu/juris/document/document.jsf?text=&docid=290688&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4086618 Case C-446/21 Schrems v Facebook https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0446   Did you enjoy our show? Support us by buying us a pumpkin spice latte here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Are you googling me? Stop googling me, Jyri!   In this episode Jyri, Pilvi, and Milla take a look at the latest interesting privacy news. The repertoire includes discussion on what happens when regulation is 20 years late (=personalized ads and privacy issues) in the form of LinkedIn's 310 million euro fine and NOYB's Pinterest complaint.    We also fall in love (and you will too) with Germany's Traunstein Court and their Schrems II case (transfers to the US), where the court gave out a decision that seems to include some common sense (no joke). Do listen in for some statements that will first make you feel warm and fuzzy, smiling from ear to ear, and then break you in the "Don't do that, Don't give me hope." -meme kind of way. But hey–when was the last time you felt warm and fuzzy about a Schrems II decision? We thought so too. We all need this, we've been through a lot.    We also rant about the latest "know your sub-processors to the infinity and beyond" EDPB guideline draft and most importantly, Jyri tells you in detail how you can actually get some suggestions implemented in the public consultation rounds (no joke).    So grab your Halloween-candy-flavored-popcorn and enjoy some privacy goodie-goodie! You deserve it and darling, we got you. Did you enjoy our show? Support us by buying us a pumpkin spice latte here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, send us your Pinterest boards, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod

In this episode, amazing hosts Milla Keller and Floora Kukorelli sit down with Jussi Mäkinen to discuss the (bright?) future of EU technology regulation. Jussi Mäkinen leads the EU regulatory team at the Federation of Finnish Technology Industries and has extensive experience in digital regulation, both in drafting policies and advocating for industry interests. The discussion revolves around the so-called Draghi Report, in which the former European Central Bank President and Prime Minister of Italy Mario Draghi warns that the EU is falling behind the US and China in the use of data and digital services. The report suggests that Europe's declining competitiveness is partly due to its stringent data (protection) regulations. The conversation explores whether the Draghi Report marks a turning point in EU data protection policies and what it might mean for the future. The episode also looks at the role of the incoming European Commission in shaping future technology regulations, with special attention to Commissioner Henna Virkkunen from Finland, who oversees areas like technology and competitiveness. The discussion examines her approach and the potential impact it could have on EU tech regulation. Additionally, the episode delves into the future of the EU's General Data Protection Regulation (GDPR) and the fate of the ePrivacy Regulation. Our guest believes that a more practical approach to privacy is needed moving forward, with the EU striking a better balance between protecting privacy and fostering innovation - the million dollar question is, where this balance lies. This episode provides an engaging and timely look at the current state and future prospects of EU technology regulation for anyone interested in the digital economy and EU policymaking.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

Get ready for a super META conversation—no, not about social media, but about who we are and what we really do. Milla and Laura are joined by the privacy guru herself, Natalija Bitiukova (Head of Privacy at Carlsberg). They almost spent the entire episode talking about beer, but once they tapped into Natalija's epic level of privacy geekdom, the focus shifted back to our roles in the privacy world. Stick around until the end, and you'll be treated to the story of the most romantic gift in the universe (hint: "the world" just doesn't cut it). There's a lot to unpack in today's chat, so take notes—what you agree with, disagree with, or just find hilariously nerdy—and we'll do a future episode where we read your comments and dive deeper. Grab your earbuds and let's get META!   LINKS: Natalija's hobby: https://streamlex.eu/  EDPB survey on DPO: https://www.edpb.europa.eu/news/news/2024/edpb-identifies-areas-improvement-promote-role-and-recognition-dpos_en     Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

The world of privacy and AI shook and trembled when Hamburg's Data Protection Authority published its edgy discussion paper on Large Language Models (LLM). In a nutshell, they stated that LLMs do not store personal data and that this is in line with the CJEU's views. Milla and Pilvi were honored and humbled (=overly excited with fangirl-hats on) to have Dr. Markus Wünschelbaum, Policy and Data Strategy Advisor at the Hamburg Data Protection Authority, to discuss what's this all about. And what a discussion this ended up being!  Markus takes our (and your) hands and walks us all through the discussion paper's key points and how the DPA ended up with this view: From the technical key points (it's all about probabilities) all the way to the legal gymnastics and philosophy. On the other hand we also discuss what the result and impact would be if we would take the stance that LLMs do in fact store personal data and if that would actually make any sense. And what about NOYB's complaint on OpenAI?  All this and much, much more awaits all our 6 listeners in this episode that you should not miss. After the recording our hosts needed a moment to gather themselves from all the excitement. We tried to be tough journalists but how can you not get excited about all this. We love DPAs with edgy action and hot tea to serve. Sorry about that. BUT IT WAS TOO FUN!    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected] Links: In German: https://datenschutz-hamburg.de/news/hamburger-thesen-zum-personenbezug-in-large-language-models   In English: https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Datenschutz/Informationen/240715_Discussion_Paper_Hamburg_DPA_KI_Models.pdf  

In this episode, Jyri, Milla, and Pilvi walk  you through the latest hottest tea in privacy and data protection. First, we turn our attention to the herald of doom itself: Clearview and the actions taken by the Dutch Data Protection Authority (fine of 30,5 million euros and then some). Will the Dutch DPA follow through with going after the management and inflict personal liability the managers or directors of Cleaview? We also explore whether such a grim herald can have any positive aspects. The Dutch DPA suggests that the government could create its own version of Clearview, raising an important question. Should we, as a human society, pursue every technological capability simply because we can? Next, we visit the herald of digital future and all things beautiful, that is of course Sweden. The Swedish data protection authority, IMY, has given out two fines for unfortunate use of Meta pixels by a pharmacy and a bank that led to leaking sensitive personal data to Meta. The cases have some meme aspects (legal said no) but also raise up important questions: what is the root cause? Could Meta's way of enrolling in updates be the one to blame? What steps to take to ensure your organization's compliance? Then, we take a look at the latest blog by Anu Talus, the Finnish Data Protection Ombudsman and the the Chair of the European Data Protection Board. She admires Sweden (don't we all?), who seems to thrive under the GDPR rules whereas Finland's Data Protection Authority remains under-resourced, raising concerns about its ability to support future demands. She distinctly calls out for the ability to fine the public sector also in Finland (one of the few countries where this isnt possible), and discusses the AI Act. Lastly, we dive into a fast-paced Lightning Round™ of key data protection developments. From the Belgian DPA's crackdown on dark patterns in cookie consent to fines against Uniqlo by the Spanish DPA (AEPD), and a penalty for Vejen Municipality in Denmark over stolen school laptops, important actions are shaping the landscape. We also explore Liechtenstein's insights on remote work and This and much more (such as some tips on who to follow on LinkedIn) awaits behind the play-button! Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]   Links: Clearview fine: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-on-clearview-because-of-illegal-data-collection-for-facial-recognition   Swedish Meta Pixel cases: https://www.imy.se/nyheter/sanktionsavgift-mot-avanza-for-overforing-av-personuppgifter-till-meta/ https://www.imy.se/nyheter/sanktionsavgifter-mot-apoteket-och-apohem-for-overforing-av-personuppgifter-till-meta/   Anu Talus' blog: https://tietosuoja.fi/-/tekoaly-hoi-missa-suomen-digistrategia-   Belgian DPA's cookie case: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-113-2024-van-6-september-2024.pdf   Uniqlo fine: https://www.edpb.europa.eu/news/national-news/2024/spanish-supervisory-authority-fined-uniqlo-europe-ltd-violations-article_en   Vejen Municipality fine: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2024/aug/endnu-en-kommune-indstillet-til-boede-for-manglende-kryptering   The DPA of Lichtenstein's activity report for 2023: https://www.datenschutzstelle.li/application/files/3417/2526/0394/WEB_Datenschutzstelle_Taetigkeitsbericht_2023.pdf  

See how we get back to podcasting after the brat summer? Very demure, very mindful. We are not like these other podcasts, we don't come back for the new season with a half-planned episode, we don't use chatGPT to make notes, we don't record too long episodes where half of it is just giggling–we're very mindful, very considerate, very cutesy. In today's very considerate episode Jyri, Milla, and Pilvi walk you through the most interesting news from the summer, such as the mega fine of €13,9 million given by the the Czech Supervisory Authority to a cyber security company that shared data of 100 million data subjects to its subsidiaries in a not very mindful way. We also discuss the latest drama on the EU Commission's Preliminary DMA Findings on Pay or Consent as well as Meta suing the EDPB that is very interesting, very cutesy.  We also take a look at the secret collaboration between Meta and Google to target ads at 13–17-year-olds and have a discussion on what's the harm in this? Is it really a problem or are we just trying to hold on to a world that is not realistic? We are not like these other privacy people–we don't just gush about this–we explore different perspectives and play devil's advocate. Very mindful, very considerate, very demure. These and much more in this episode where we do not try to play too much slightly off pitch on the hottest meme by the amazing @joolieannie , we're very considerate, very funny, very cutesy, very mindful, and most certainly very demure.    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected] Links: Big fine in Czech: https://www.edpb.europa.eu/news/news/2024/czech-sa-imposed-fine-139-million-eur-infringement-art-6-and-art-13-gdpr_en   EU Commission and Pay or Consent: Commission sends preliminary findings to Meta over its "Pay or Consent" model for breach of the Digital Markets Act - European Commission (europa.eu)   Meta and Google not very demure collaboration: https://www.ft.com/content/b3bb80f4-4e01-4ce6-8358-f4f8638790f8   NOYB annual report Annual_Report_2023_EN.pdf (noyb.eu)   Scraping and OpenAI: Microsoft Word - 2024.08.02 FINAL OpenAI Complaint (2) (courtlistener.com) https://www.legaldive.com/news/nvidia-open-ai-face-youtube-creator-lawsuits-for-using-online-videos/724498/  

Prepare to get your mind blown (and not necessarily in a good way) - in this episode Laura, Floora, Pilvi, Milla and Hannes (what a full house!) discuss the theory and practice behind data processing roles.  What is the background of the roles, what is working and not working - why does CJEU want everyone to be joint controllers, what about the AI Act and much more. If you bear with us to the very end we even throw in some suggestions on how to develop a less complex life for the many privacy professionals. linkit: EDPB guideline on controller and processor: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en  CJEU, judgment of July 10, 2018, Jehovan todistajat, C‑25/17, EU:C:2018:55 https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305431 CJEU; judgment of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388 https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305548  CJEU, judgment of July 29, 2019, Fashion ID, C‑40/17, EU:C:2019:629 https://curia.europa.eu/juris/document/document.jsf?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305826    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/

Cambridge Analytica, Brexit, Trump, Russian Trolls. Political microtargeting has shaped the world and our society more and longer than we would like to admit. The European Union decided to fight back on it with Regulation on the transparency and targeting of political advertising, yet the road to the regulation was everything but smooth. Time will tell how or if the regulation will be able to actually make a difference. On this episode, Milla and Pilvi are going back to this important subject with our very special guest, privacy influencer and an Estonian lawyer Norman Aasma, who wrote his master thesis on the subject. Together we will discuss the road to the regulation, what was the issue with banning the use of sensitive personal data, what does the regulation actually regulate, and what change we can expect it to make.  The episode was recorded on the 27th of May 2024, just before the EU Elections, and thus, we also discuss the current EU Elections and take a brief look at the political advertising taking place (or the lack of it…). We compare it to the research data and results that we have gained from conducting research on the Finnish elections (see our Finnish podcast TietosuojaPod episodes #66 and #52).  So hit play and join us to enjoy a moment in privacy!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

"Welcome! Welcome! Welcome! To PrivacyPod Joost's Case Corner Episode, we are your hosts Milla and Pilvi with Joost Kle… Gerritsen. Thank you so much for joining us and let us begin with our first and most important story, the events of last week's Eurovision and the big denim egg that made it all the way to "Last Week Tonight" with John Oliver (Go Finland!)."  After we have gathered ourselves from the too short (Panu's comment which has been noted) section on Eurovision, we move head first to the most interesting recent CJEU cases! And what is on the chopping block today? CJEU NADA and Others [C-115/22], where doping results were published online.  CJEU Juris [C-741/21], where a lawyer wanted to be compensated on receiving direct marketing which for some reason made some of our hosts just lose it (sorry). CJEU IAB Europe [C-604/22], where our focus is on the joint controllership aspect of the case. Thank you so much for listening and good night! Links: Belgian DPA's Decision on IAB Europe:  decision-quant-au-fond-n-21-2022-en.pdf (autoriteprotectiondonnees.be) CJEU NADA and Others [C-115/22]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=285723&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2737812 CJEU Juris [C-741/21]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=284641&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2738131   CJEU IAB Europe [C-604/22]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=283529&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2738315   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

We're so glad to geek out on something a bit different this week, as we welcome Natallia Karniyevich to discuss all things cyber with our hosts Hannes Saarinen and Milla Keller. Natallia is a senior associate at Bird & Bird, where she also co-chairs Bird & Bird's international cybersecurity steering group.  Natallia guides us through what has been a flood of new, stricter cybersecurity legislation. We discuss the background and need behind the new laws. We look a bit closer specifically at the NIS2 Directive, which brings tighter requirements to many different kinds of organizations. And ofcourse, we discuss what do these new laws mean for privacy professionals: how does cyber intersect with the GDPR?     Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

We have good news and bad news. Good news are, we are returning with Joost's Case Corner, so expect lots of CJEU goodness from this episode. Bad news are, we get pretty distracted by other (equally important) topics before actually getting to the CJEU privacy cases… But don't worry, whatever recent case law we didn't cover in this episode, we'll come back to in another episode in a few weeks! Ok, so what do we discuss in this episode? We had to start with EDPB's Pay or Consent Opinion, as that is the most exciting piece of news from last week. Related to that, we also dare to talk about the Advocate General's Opinion in the C-446/21 Schrems v Facebook case - even though the AG Opinion was only published after we recorded the episode.  The CJEU cases we cover in this episode are: CJEU Belgian State – Data processed by an official journal [C-231/22] CJEU Gesamtverband Autoteile-Handel [C-319/22] CJEU FT – Copies of medical records [C-307/22] CJEU Ministerstvo zdravotnictví – COVID-19 mobile application [C-659/22] (Upcoming on 7 May 2024) - CJEU NADA and Others [C-115/22]   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Laura and Panu are joined by Otto Lindholm to discuss recent CJEU case related to Finnish transparency laws and disclosing criminal conviction data via telephone. What is the Finnish tradition of transparency of official documents really about, are we now losing it and what's going to happen? If you ask Panu, doomsday is upon us. Transparency is dead and criminals, politicians and reality tv contestants will run amok with no accountability. Or then its just a storm in a tea cup. Panu does make a lot of mistakes, such as reads the European Charter of Fundamental Rights wrongly. In other news, but no less important, the Court actually states that oral transfer of data from a filing system is processing of personal data. Did you see that one coming? The cool privacy kids did, Panu did not.  The discussion twists and turns and reaches some kafkaesque levels but who cares - privacy theory is fun.   Hope you enjoyed our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

It's been a heavy spring. So many new things are coming to privacy folk's way, the world is (literally) shaking, we are killing our one planet, old men are driving the world to turmoil and horror. The world is getting darker.  Therefore, without forgetting the importance of discussing all the difficult things, we decided to treat you with an invitation to Milla's happy place: to discuss something that is full of bright colors and makes everyone focus, just for a brief moment, on the importance of coming together and enjoying the beautiful wonders that people do. We are of course talking about the Eurovision! Will ABBA serve a beautiful Swedish Suprise in May in Malmö? Which year did TIX compete for Norway (Milla gets this wrong)? What country did Flo Rida compete for? And whats the most efficient way to collect consent? One of these questions is not answered in this episode. Even though the task was to talk a little bit about Eurovision and a lot about privacy, Pilvi kinda ends up interviewing Milla about her love for the Eurovision and all the wonderful twists and turns this performance art competition includes. We also asked the presenters to take few breaks for editing purposes, but guess that was too much to ask. And anyway we maybe did or didn't have time to cover privacy-related news - one has to prioritize. So put on your headphones, grab a glass of your favorite beverage, and slide into the bliss of Eurovision for a moment – it's on us! And Herkko, you can skip this episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

Friends, Romans, countrymen, lend us your ears!  We've come to discuss if transparency matters, not to bury it. The insufficient privacy decisions that men do lives after them; The efforts for better privacy is oft interred with their business minded decisions; So let it be with transparency. The noble controllers hath told you GDPR is impossibly ambitious: if it were so, it was a grievous fault, And grievously hath DPAs enforced it. Here, under leave of our Executive Producer and the rest- For he is an honorable man; so are we all, all honorable people– come we to battle this out for once and for all. And battle we shall. It is no secret that the PrivacyPod back-chat is often turned into a gladiator arena where we battle our views to the very end. One of the most discussed subject is if transparency even matters and what is the point of it. This time, Floora has set up the challenge and armed our gladiators Milla and Pilvi with gladius swords and retes nets, and lets them lose on the arena. Who barricades themselves on a hill of business minded decisions? Does better transparency create more risks or will it reduce risks? Is transparency a zero-sum game? Who tries to take a victory lap on a high horse only to be knocked down? Who has the high ground? Who tries to win all Partners to their side with icky frases? Will our friendship survive this or will this be the end of PrivacyPod?  So grab some popcorn and join in for a Shakespeare level drama!    Links: Klarna case: https://www.edpb.europa.eu/news/national-news/2022/swedish-authority-privacy-protection-imy-issues-administrative-fine-against_en https://www.imy.se/en/news/administrative-fine-against-klarna-after-investigation/   Whatsapp case: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry   Shakespeare: Julius Caesar, Act III, scene II: https://www.poetryfoundation.org/poems/56968/speech-friends-romans-countrymen-lend-me-your-ears https://www.youtube.com/watch?v=q89MLuLSJgk   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

It's about time you fell in love with something  that will love you back, and that, our friends, is the crossroad of privacy, government openness, and freedom of speech. It doesn't judge you, and we won't either.  The European Court of Justice, however, will totally judge you, even if it goes against deep roots or local law in your country. In this episode, Pilvi and Jyri will discuss the new (Finnish!) European Court of Justice case "Endemol Shine". Here a Finnish district court had denied the release of court documents due to GDPR to a producer conducting background checks for reality TV, despite local statutes on openness of court documents. We continue on the same path with discussing NOYB filing a complaint on MrKoll in Sweden, which touches upon the Nordic unwillingness to judge and define what journalism and media is. We end up wondering if GDPR is obliterating Nordic cultures and what consequences this may have.  On other news, the USA will totally judge you as well if you are TikTok or happen to be from Singapore. We discuss the "The US TikTok Ban" as an interesting reaction to possible cross-border data transfers to a country that might use that personal data for intelligence activities… sounds vaguely familiar. We also discuss the Verkkokauppa.com case where the Finnish DPA decided on a record fine of 856 000 euros for not having defined retention times for online customers' customer account data as well as forcing all online customers to create an account. This episode will also include the first ever musical number of PrivacyPod. So push play, hop on to this love boat, and we´ll take good care of you.    (Ps. If you missed it, the EU Parliament accepted the AI Act.)    Links: Endemol Shine https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CN0740 NOYB and MrKoll: https://noyb.eu/en/swedish-data-brokers-claim-journalists-legal-protection-evade-eu-law How to get a media license in Sweden: https://mediemyndigheten.se/ansokan-och-registrering/medier-pa-natet/ H.R.7521 - Protecting Americans from Foreign Adversary Controlled Applications Act: https://www.congress.gov/bill/118th-congress/house-bill/7521?q=%7B%22search%22%3A%22TikTok%22%7D&s=1&r=5 Case Verkkokauppa.com (In Finnish, translatable): https://tietosuoja.fi/-/verkkokauppa.comille-seuraamusmaksu-asiakastietojen-sailytysajan-maarittelematta-jattamisesta-myos-vaatimus-asiakkaan-rekisteroitymisesta-oli-lainvastainen   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this episode Milla, Pilvi, and Jyri try to save their faces after the Episode #51 meltdown only to discover that they are forever changed by that experience. Just when we brace ourselves to move forward like "a granny in a bog" as the Finns say, we hear a suspicious announcement: "Please remain calm, the end of the pre-DMA era has arrived, we cannot save you, enjoy the ride" that pushes us into observing the first signs of the DMA doomsday and ask: what is the point of all the new consents rolling onto our screens? Will it be an effective way to control the digital markets? Furthermore, we peek to the other side of the pond and see how the new executive order that the frisky American president has issued will change the US privacy forever… or is it just a big whoop about nothing? We also take a look at the EDPB's opinion on the main establishment that seems like a promising idea but in reality, we arrive again to the question if it is—you guessed it–a big whoop about nothing? So turn up the volume and hold on to your doomsday hat, because this and much more awaits you and our other 5 listeners in this episode.    LINKS: About DMA https://digital-markets-act.ec.europa.eu/about-dma_en   The US Executive Order: https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/ EDPB on main establishments: https://edpb.europa.eu/system/files/2024-02/edpb_opinion_202404_mainestablishment_en.pdf   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

We started this episode with so much enthusiasm, positivity, and excitement but we ended up thinking that this is the episode we wish to exercise our right to be forgotten on. We start with the Google case on, you guessed it, right to be forgotten, where the Swedish court ordered Google to pay SEK 50 million in fines and declared that Google cannot provide publishers a list of de-listed websites to the webmasters thus confirming the EDPB's (and WP29's) guidance on the matter. We question the EDPB guideline and the Court's ruling and somehow we end up in a very confusing situation where Pilvi rambles on, Jyri refuses to understand, and Milla is desperately looking for an exi(s)t sign. We caution you to listen at your own risk. We also cover the latest DMA drama regarding Apple app store including Spotify's hot take on it. Furthermore, we return to Google and wonder how the consent mode v2 can be legal? Join in for the episode and please have mercy on us.    LINKS: The Irish Independent article: https://m.independent.ie/irish-news/courts/google-forced-to-stop-telling-publishers-about-right-to-be-forgotten-decisions-after-court-ruling/a596519256.html Sweden's Aftonbladet article: https://www.dagensmedia.se/medier/digitalt/dom-mot-google-vinner-laga-kraft/   On Google's consent mode v2: https://www.cookiebot.com/en/googles-consent-mode-deadline-ads-privacy-compliance/   Spotify's take on Apple store changes and the issues with the DMA: https://newsroom.spotify.com/2024-01-26/apples-proposed-changes-reject-the-goals-of-the-dma/ Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

Take a tight grip on your cups listeners, because today we are spilling the hottest tea of the legal world, a behind the scenes story of the AI Act. We delve into this with a person who had the front seat at the closed-door tea party: Dan Nechita, the Head of Cabinet to Romanian MEP Dragos Tudorache (Renew Europe) at the European Parliament. Dragos Tudorache has served as a rapporteur on the file. Renew Europe is liberal, pro-European political group of the European Parliament founded for the ninth European Parliament term. The group is the successor to the Alliance of Liberals and Democrats for Europe (ALDE) group which existed during the sixth, seventh and eighth terms from 2004 to 2019. Renew Europe has been pushing for AI systems that respect fundamental rights and the EU's democratic values, provide legal certainty concerning innovation and investment, and facilitate the development of a single market for lawful and safe AI. Dan takes us to the room where it all happened and talks about what transpired during the all-nighter negotiations in December.  He also sheds light on the background of the AI Act and whether or not we can breath already or will there be more changes. We try to guess why did the AI Act leak as well as what happened to the General Purpose AI, and if the Fundamental Rights Risk Assessments is just a DPIA that slays. We also discuss whether the legislators understand how expensive this will be for the organizations: is it a case of because you're worth it…or because they can afford it? ...And Milla and Pilvi totally forgot that this was our 50. podcast. Oh well, we will celebrate at 100 then.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

A new year of PrivacyPod is kicked off with an episode covering the hottest topics and most intriguing privacy news so far! Hosted by Milla and Laura, in this show our privacy DSARs speculate what the actual is up with Meta's consent or subscribe. And it would not be a 2024 privacy show if we would not dip in to what to expect in 2024 regarding recently leaked the EU AI Act. We discuss a German case where the local court raised the bar high for answering data subject access requests (commonly known as DSARs) on time. Somewhat unexpectedly we find ourselves defending data brokers and cursing the difficulty of meeting those tough transparency requirements.  Links Meta decision coming: https://politico-tech.simplecast.com/episodes/an-exit-interview-with-europes-most-powerful-privacy-regulator  Leaked AI act: https://iapp.org/news/a/eu-ai-act-draft-consolidated-text-leaked-online/ German case https://www.arbeitsrechtsiegen.de/artikel/bewerberanspruch-auf-auskunft-nach-art-15-dsgvo-und-schadensersatz-aus-art-82-dsgvo/  Black tiger case https://www.gegevensbeschermingsautoriteit.be/burger/gba-sanctioneert-gegevensbeheerder-black-tiger-belgium-wegens-gebrek-aan-transparantie https://www.autoriteprotectiondonnees.be/citoyen/lapd-sanctionne-lentreprise-de-gestion-de-donnees-black-tiger-belgium-pour-manque-de-transparence https://www.dataguidance.com/news/belgium-dpa-issues-174640-fine-black-tiger-unlawful  Poland Bisnode 2019: https://iapp.org/news/a/polands-dpa-issues-first-gdpr-fine/  https://uodo.gov.pl/en/553/1572 (The Supreme Administrative Court upheld the decision of  the Personal Data Protection Office (UODO)   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this week's episode Milla discusses with Gabriel Silva from TravelPerk the best practices for using AI to enhance your work as a privacy professional. TravelPerk has recently started using a custom-built Legal Bot, which crunches through hundreds of privacy and other legal questions. What do you need to consider when you outsource legal work to a bot? How do you finetune the model to make sure that the answers are relevant? Gabriel shares his practical experience on all of this. We also discuss other AI tools that are available for anyone. What kind of work tasks is AI good for? How to get started with prompting - and how to get better at it?  Gabriel is based in Barcelona and works as Legal Manager for privacy at Travel Perk which is a platform for business travel bookings. Gabriel has previously worked at Google at Google's legal operations.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

This week on PrivacyPod: EDPB's guidelines on the infamous cookie article! EDPB published a couple of weeks back guidelines on the technical scope of Article 5(3) of the ePrivacy Directive (also known as the golden rule… no, sorry, the cookie rule). Hannes (!), Heikki (!!), Laura (!!!!) and Milla (????) go through the guidelines, speculating why do we get guidelines on this topic right now, considering that the legislation is not exactly fresh out of the oven. What exactly is then the technical scope of the cookie article? And how will organizations go about implementing the new guidelines, once they have been adopted after the consultation period? Also in this episode: Hannes, Heikki and Milla share reflections on the recent IAPP Brussels conference. Don't worry though privacy folks, we only discuss the official program - what happens in Brussels, stays in Brussels.   Links: edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf (europa.eu)    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this awaited and exciting episode Milla and Pilvi are experiencing a true fangirl moment as they welcome Tobias Judin, the Head of International Department at the Norwegian Data Protection Authority, Datatilsynet. Accompanied by our new co-host Jyri they will dive into to discuss the Meta case on its rocky road with its legal basis for behavior based advertising. Norwegian DPA has not only talked the talk but it has also walked the walk: as Tobias states, they see that the GDPR has to be enforced now and that the GDPR does have tools to do that. We discuss, among other things, how has the Norwegian DPA become the renegade DPA that takes such firm action? What has the road been like from 2018 to the EAA wide ban? What does Tobias think about the newest Meta solution: consent or pay? We also touch upon subjects such as does transparency matter at all? How do you measure it? What about the IAB case and advertising funding journalism? Is the new "consent or pay" just Meta buying time and gaslighting? We also have a big scoop in the episode, which we recognize with "cool cool". This and much more awaits you. Links: Datatilsynet 17.7.2023: "Midlertidig forbud mot adferdsbasert markedsføring på Facebook og Instagram" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/midlertidig-forbud-mot-adferds basert-markedsforing-pa-facebook-og-instagram/ Datatilsynet 8.8.2023: "Meta-saken opp i Oslo tingrett" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/tvangsmulkt-til-meta-hvis-forbu d-ikke-folges/ Datatilsynet 6.9.2023: "Datatilsynet vant mot Meta i Oslo tingrett" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/datatilsynet-vant-i-oslo-tingrett/ Datatilsynet 25.10.2023: "Meta går til ny sak mot Datatilsynet" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/meta-gar-til-ny-sak-mot-datatils ynet/          Datatilsynet 28.9.2023: "Meta-saken løftes til europeisk nivå" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/meta-saken-loftes-til-europeisk- niva/ Datatilsynet 31.10.2023: "Datatilsynets vedtak mot Meta utvides til EU/EØS og gjøres permanent" https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/datatilsynets-vedtak-mot-meta- utvides-til-eueos-og-gjores-permanent/ EDPB 1.11.2023: "EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta" https://edpb.europa.eu/news/news/2023/edpb-urgent-binding-decision-processing-persona l-data-behavioural-advertising-meta_en Meta: "How Meta Uses Legal Bases for Processing Ads in the EU" https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/ TechCrunch 1.8.2023: "Meta says it will offer Europeans a free choice to deny tracking" https://techcrunch.com/2023/08/01/meta-says-yes-to-consent/ TechCrunch 3.10.2023: "Meta planning ad-free subscription or tracking ads 'choice' in EU, per WSJ — in latest bid to keep snooping" https://techcrunch.com/2023/10/03/meta-subscription-vs-consent/ Meta: "Facebook and Instagram to Offer Subscription for No Ads in Europe" https://about.fb.com/news/2023/10/facebook-and-instagram-to-offer-subscription-for-no-a ds-in-europe/              Case C‐252/21 Judgment: https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageIndex=0& doclang=EN&mode=req&dir=&occ=first&part=1 Case C‐252/21Press release: https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-07/cp230113en.pdf DPC Meta decisions January 2023: https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-con clusion-two-inquiries-meta-ireland Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this news episode, Milla and Pilvi jump into the most interesting news (in their opinion at least) of the recent weeks and that takes us to a journey that will include Googling, Star Wars, elderly millennials trying to exists in the world they don't understand, and Jean-Jacques Rousseau's book Émile ou De l'éducation from 1762. But we also actually go through the recent privacy news, including the recent CANAL+ case from France, EDPB's coordinated action -action, an interesting case on legal bases legal obligation and public interest from Sweden that also include somewhat puzzling takes on CCTV and article 13..or 14 (there's the question!)? We also discuss Meta being sued by 41 states in the US, EU Commission's next DSA actions towards social media giants and the latest from the mysterious world of AI.   "So it seems like this internet thing is here to stay, huh?" Chandler Bing   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this episode, Hannes and Milla welcome Jussi Leppälä, the of Valmet (a leading global developer and supplier of technologies, automation and services for the pulp, paper and energy industries) to delve into the interesting world of IoT -based data sharing of the future.  What is the underlying intent of the Data Act? How does it interact with other data laws? How will it be enforced? Delving deeper into the Data Act, we look at the actual scope of data sharing obligations, how they would work in practice and alongside the GDPR's data subject or towards third parties.  Join us to get insights on whether Data Act will be effective in fostering European small and medium sized companies … or enterprises outside of the EU. Are your data related trade secrets also protected tomorrow? And much, much more! Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonised rules on fair access to and use of data (Data Act) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Meta is considering a move to cookie-paywall some listeners may know (and already hate) from German newspaper websites. As the legal basis for Meta's personalised ads (the company's main money-maker) is being pushed towards consent from all fronts, Meta is considering desperate means. But is it all just a ruse, as convincing as Meta's earlier threats about leaving the EU because of data transfer issues? In other news, Pilvi and Milla discuss Irish Data Protection Commission's 345 MEUR fine to TikTok. We also discuss once more the Grindr case from Norway, where the appeals board upheld the earlier fine. We also cover UK Information Commissioner's preliminary enforcement notice against Snap, BBC blocking ChatGPT from using its content and lots more.   Links: Meta (Facebook / Instagram) to move to a "Pay for your Rights" approach (noyb.eu) Meta Plans to Charge $14 a Month for Ad-Free Instagram or Facebook - WSJ UK Information Commissioner issues preliminary enforcement notice against Snap | ICO Record fine in the Grindr case confirmed | Datatilsynet BBC blocks ChatGPT from using its content (thetimes.co.uk) Google adds a switch for publishers to opt out of becoming AI training data - The Verge Irish Data Protection Commission announces €345 million fine of TikTok | 15/09/2023 | Data Protection Commission   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this episode, join Pilvi, Hannes, and Floora as they take a deep dive into the world of Mergers and Acquisitions (commonly known as M&A) from a privacy perspective. They'll explore the intriguing question of whether the M&A process differs in the realm of privacy compared to other areas of law. If so, what sets it apart, and does it make sense to approach privacy M&A in the traditional manner? Listeners can expect a lively and informative discussion on the intricacies of privacy M&A. Our hosts will shed light on the varying perspectives of in-house counsel, external advisors, and walk you through the general M&A process, step by step. Additionally, they'll engage in a thoughtful conversation about proposals aimed at advancing the field of privacy M&A. Tune in for an insightful and educational journey through the legal landscape of privacy M&A, where we explore the unique challenges and opportunities that arise in this ever-evolving field. Furthermore, tune your ears to the finest, because eagle ear listeners can hear our ultracute privacy poodle Hubert weigh in on M&A as well! Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Joost Case Corner (JCC) is back! As per usual, there's no way we will cover all of the Court of Justice of the European Union (CJEU) goodness in under one hour, so buckle up for an extra-long special episode. Its a perfect catch up with the lates court action and since its been a while, we can hear our presenters (Milla mainly) trip over some pretty basic EU abbreviations. So all you EU nerds there, prepare to scream really hard to your earphones what TFEU stands for. We discuss three cases with final judgments already out there: Meta v Bundeskartellamt (C-252/21), Pankki S (C-579/21) and Lietuvos Respublikos (C-162/22).  Under our section on ongoing cases we go through five cases that will likely shake the privacy world once decided: ILVA (C-383/23), Mousse (C-394/23), Österreichische Datenschutzbehörde (C-416/23, which Milla can pronounce perfectly, just wait for it), IAB Europe (C-604/22, sad that Heikki isnt here to rant) EDPS v SRB (C-413/23 P, yes, that annoying pseudonyisation case where normies claim that GDPR doesnt apply). The cases cover definition of personal data, pseudonymization and anonymization, calculation of fines and much more. We know, you might be a bit lagging behind on the case law, so no worries! This is your cue to press play and dig through the intricacies of data protection case law with Joost, Milla and Pilvi.   Cases covered in the episode:   Cases with final judgments: Meta v Bundeskartellamt (C-252/21) Pankki S (C-579/21) Lietuvos Respublikos (C-162/22)   Ongoing cases: ILVA (C-383/23) Mousse (C-394/23)  Österreichische Datenschutzbehörde (C-416/23) IAB Europe (C-604/22)  EDPS v SRB (C-413/23 P)   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

This week Pilvi and Milla do a deep dive into two recent cookie related rulings from Nordic data protection authorities. First we discuss the Bonnier case from IMY, the Swedish data protection authority. Whilst not strictly only about cookies, this case discusses the further processing of data collected with cookies - and more specifically, whether this processing can be based on legitimate interest (IMY says no). The second half of the show we discuss Traficom's ruling on the Nordic media company Sanoma's cookie practices. Lots to unpack there: necessity of certain analytics cookies, retention times, representation of legitimate interest in cookie banners and much more. Both of the cases have been appealed.   Links: Sanoma Media Finland Oy.pdf (kyberturvallisuuskeskus.fi) Tillsyn: Bonnier News AB | IMY   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

This week we are fangirling over Wolt's approach to algorithmic transparency. We have Wolt's public policy manager Ylwa Rein join us for this episode, where we walk through the process of creating an algorithmic transparency report: what's the legal background and requirements, who to involve in the project, how to get management buy-in and much more. We also chat with Ylwa about finding a job where you can make an impact, and how algorithmic transparency contributes to a more fair digital society. Links: Transparency at Wolt - Wolt (Finland) Unveiling the second edition of the Wolt Algorithmic Transparency Report   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this episode, Milla and Pilvi take a look at the brand new Data Privacy Framework. The discussions include but you bet are not limited to topics such as the sadly-not-so-funky-name of the framework (why not Privacy Trampoline?) and the identity crisis that surely all privacy professionals shall now have to face: who are we without the discussions and work on US transfers? What should one do with all the time saved? How long will this last and should we already start buying toilet paper and canned food and prepare for the downfall of the worl…DPF? We also take a look at the recent Google Analytics cases, discuss if all the issues with Google Analytics disappeared with the DPF and we also sniff the hot and humid air of Doha not forgetting the legendary summer sheepe of Milla.    Links: Adequacy decision: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en   Press release: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721   Data Privacy Framework (DPF) website (check out e.g. faq section Frequently Asked Questions):  https://www.dataprivacyframework.gov/s/   EDPB Information note on EU-US data transfers: https://edpb.europa.eu/our-work-tools/our-documents/other/information-note-data-transfers-under-gdpr-united-states-after_en   NOYB Press Release July 10: https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu   IMY (Swedish DPA) press release on the 4 Google Analytics cases: https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/   Norwegian DPA on Google Analytics: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/vedtak-i-google-analytics-saken/   https://www.datatilsynet.no/personvern-pa-ulike-omrader/internett-og-apper/rad-for-analyse-og-sporing-pa-nettsted/   Danish DPA on Google Analytics: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2023/jul/brug-af-google-analytics-kraever-ikke-kun-lovlige-overfoersler-til-usa   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this episode of PrivacyPod, Joost and Panu talk to professor Herke Kranenborg who holds a chair in European Data Protection and Privacy Law at Maastricht University. In addition, professor Kranenborg is a member of the European Commission's Legal Service, which serves as an in-house legal counsel to the commission as well as represents the Commission in the Court of European Union in Luxembourg. Professor Kranenborg has a interesting position in the commission as he has taken part in many of the privacy related cases in the European Court of Justice as a commission representative.  You can hear Joost being a bit starstruck with his hero in this episode, but in the end he handles it well. Professor Kranenborg gives us an unique look into what it is like to prepare and argue in the one of the most important privacy cases in this decade from the commission perspective. We also discuss other landmark cases, so get your pencils ready! Or actually, you dont, since all the cases are listed here below. And what is the most important case this year according to professor Kranenborg? Listen in, and you will find out.   Delivered judgments Judgment of 6 November 2003, Lindqvist, C-101/01, EU:C:2003:596 Judgment of 8 November 2007, Bavarian Lager v Commission, T-194/04, EU:T:2007:334 Judgment of 29 June 2010, Commission v Bavarian Lager, C-28/08 P, EU:C:2010:378 Judgment of 9 March 2010, Commission v Germany, C-518/07, EU:C:2010:125 Judgment of 16 October 2012, Commission v Austria, C-614/10, EU:C:2012:631 Judgment of 8 April 2014, Commission v Hungary, C-288/12, EU:C:2014:237 Judgment of 16 July 2020, Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559 Judgment of 6 October 2020, Privacy International, C-623/17, EU:C:2020:790 Judgment of 6 October 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791 Judgment of 15 June 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483 - Advocate General Bobek's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2021:5 Judgment of 24 March 2022, Autoriteit Persoonsgegevens, C-245/20, EU:C:2022:216 - Advocate General Bobek's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2021:822 Judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258 Judgment of 20 September 2022, VD and SR, C-339/20 and C-397/20, EU:C:2022:703 Judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369   Pending cases CJEU DPC v EDPB I (Facebook) (T-70/23) CJEU DPC v EDPB II (Instagram) (T-84/23) CJEU DPC v EDPB III (Whatsapp) (T-111/23) CJEU Meta v EDPB I (T-682/22)  CJEU Meta v EDPB II (Instagram) (T-128/23) CJEU Meta v EDPB III (Facebook) (T-129/23) CJEU WhatsApp Ireland v EDPB (C-97/23 P)   CJEU Meta v Bundeskartellamt (C-252/21) CJEU Endemol Shine Finland (C-740/22) CJEU Österreichische Datenschutzbehörde (C-33/22) CJEU LQDN and Others (Personal data and the fight against counterfeiting (C-470/21) - Advocate General Szpunar's opinion: https://eur-lex.europa.eu/legal-content/AUTO/?uri=ecli:ECLI:EU:C:2022:838   Full list of pending cases available at https://digibeetle.eu Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this episode, Milla, Pilvi, and Panu take a look at the Meta case on the US transfers that ended up costing Meta 1.2 billion euros. We explore the depths of the case, such as how Meta justified their transfers, what supplementary measures were used that were not deemed sufficient, and debate a bit on the politics intertwined with the case. But hold on! We have more! We also take a look at the finger-licking KFC case, where the AEPD ordered a fine of 5000 euros for violating Article 13 by using undefined expressions such as "we can use…" in the privacy policy. The AEPD also ordered a fine of 20 000 euros for not appointing a Data Protection Officer. We also discuss Panu's career plans as he is open for hire (wink wink!)! Links:  Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR): https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-12023-dispute-submitted_en Meta's Response to the Decision on Facebook's EU-US Data Transfers by Nick Clegg, President, Global Affairs & Jennifer Newstead, Chief Legal Officer : https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/ KFC case, AEPD (Spain) - PS/00140/2022: https://www.aepd.es/es/documento/ps-00140-2022.pdf (spanish)   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

In this week's episode Floora, Milla and our guest host Joost discuss how to look at AI through the lenses of privacy and data protection. With so much hype around the topic, we go through the most important developments in the past weeks. On one hand, proponents of AI regulation argue that without proper oversight, AI could cause harm to privacy, whether intentionally or unintentionally. For example, if AI systems are used to make important decisions that affect people's lives, such as hiring decisions or medical diagnoses, there is a risk of bias or errors that could lead to unfair outcomes. On the other hand, opponents of AI regulation argue that too much regulation could stifle innovation and hinder progress in the field. They argue that AI is still in its early stages of development and that it is not yet clear what the long-term impacts of AI will be. The main reason for all the discussion is that service providers have been very opaque about the collection and usage of personal data in the AI models. Do they even use personal data? Are they processing it actively? And thats where the Italians come along, as the Italian DPA already has taken a stance against Chat GPT and a "virtual friend" chatbot named Replica. What were the main issues according to the Italian DPA with ChatGPT? Why should you re-read the Google Spain decision to understand how ChatGPT might comply (or not comply) with the GDPR? We also shortly touch on the upcoming AI Act.   Links:  Google Spain (Case C‑131/12) https://curia.europa.eu/juris/document/document.jsf?docid=152065&doclang=en  Italian DPA Garante on ChatGPT: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9870847#english  Norwegian DPA Datatilsynet: Artificial intelligence and privacy https://www.datatilsynet.no/globalassets/global/english/ai-and-privacy.pdf    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

In this episode of PrivacyPod with Anja Wyrobek, a Legal Policy Advisor and European Parliament, we will dive into lengthy development of ePrivacy Regulation, its impact on cookies (one may not forget cookies), encryption and impact of combat against child sexual abuse material thereto. Eprivacy, the troublesome uncle of GDPR who just doesnt seem to get its act together, is on the talks, again. Eprivacy was expected to be adopted shortly after the GDPR, but the lingering conflicts has dragged the regulation in jeopardy, in an sort of  EU legal limbo, a void of Nothing. Five years later, no regulation is still the news. Some say the future of the internet depends on it, others think the changes arent that big in the end. Many presidencies have tried to forcefully either bury it or unlock it, to no avail. Will the hard working regulators in Brussels get to finally push this Sisyphean rock on the top of the privacy hill?  The key questions relate to the way communications are regulated, trying to bring OTT players, such as electronic communication services providers WhatsApp, Facebook messenger and Skype (yes, the proposal is THAT old) into the realm of regulation. The other goal is to stenghten regulation to protect consumers, but this has greatly fluctuated between revised proposals of the regulation. Cookies are also a central question and thats also what is the issue here. As Anja reminds, its not the cookie banners that are striclty required by the current eprivacy directive, instead its the market players who have selected to solve the underlying issue with a terrible solution. It is not clear whether or not the new proposal clarifies the cookie situation, but people do have their hopes up. Dial in to listen how Anja, Milla Keller and Hannes Saarinen dissect the legislative proposals impacting the future of our communications. Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

This week we discuss everything around U.S. privacy with a special guest, Odia Kagan! Odia is a Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild, a US-based law firm with 29 offices across the United States. What was that last week's discussion on banning TikTok all about? What is happening with U.S. privacy legislation right now, and how is FTC enforcing privacy requirements? If you gave up on following U.S. privacy updates after the California Consumer Privacy Act, this episode is for you.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]

Have you ever felt bad about clicking "decline all" on a cookie consent? Has that button been difficult to find? And if you finally find it, has the website spawned a pop up message trying to tell you how they will go bankrupt and the world will end if you do not accept all? If you answered yes to any of the previous questions, congratulations -- you have been subjected to dark patterns.  In this episode, we venture into the dark side and discuss this issue with Marie Potel-Saville, a very well known figure in the world of legal innovation and the founder and CEO of Amurabi, a legal innovation agency. Before founding Amurabi, Marie has worked at Allen & Overy, Chanel and as a VP for legal at Estee Lauder EMEA.  Almost the whole internet is full of dark patterns trying to nudge you into doing things you actually do not want to do by utilizing your humanity and the fact that you do not use your full brain capacity in every second you browse the wonderful world of the World Wide Web.  But why is this a problem? What harm does this actually cause to individuals, companies, societies and well, democracy? And what about the children (1/3 of the web users are under age)? Is there a better way? What does the GDPR say about dark patterns -- is it really compliant to use dark patterns? What is the solution?  Did we find the light at the end of the tunnel at all? Listen in to find out! Links: The Helmet decision by the Finnish Data Protection Ombudsman: https://tietosuoja.fi/en/-/deputy-data-protection-ombudsman-issues-reprimand-for-conveying-library-search-information-to-us-based-google European commission: Consumer protection: manipulative online practices found on 148 out of 399 online shops screened https://ec.europa.eu/commission/presscorner/detail/en/ip_23_418 We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

This week, we talk with Romain Robert, a Program Director and a senior lawyer working at NOYB. For the few who might not know, NOYB is a Austrian NGO founded by Max Schrems, who is probably a familiar name to everyone in the privacy world (heard of Scherms I or Schrems II anyone?). Romain has extensive and interesting background and can claim a rare feat of actually taking part in writing the GDPR. We talk about three groundbraking cases delivered by the Irish DPA by just the beginning of the privacy year 2023 concerning Instagram, Facebook and Whatsapp, all Meta owned platforms (yeah, those ones, everybody is talking about them, right?). The complaints against these three companies were made on 25th of May 2018, on the day GDPR entered into force, and concerned their legal basis for processing the personal data of their users. The legal basis used for multiple different purposes, such as behavioural advertising and service improvement, was claimed to be contract, and this ultimately did not go through with the DPC. However, the case is more complicated than it sounds and included many twists and turns between the parties as well as between the DPC and other Member State DPAs- and ultimately the EDPB). We also talk to Roman about working with NOYB, their future agenda, consent or pay -solutions and GDPR enforcement. Please tune in and learn more about the inside world of the most talked-about privacy NGO in Europe (or the world)!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]  

And we are back once again with Joosts Case Corner! This time we dive deep into the past, present and future of the Court of Justice of the European Union with upcoming cases as well as latest judgments. Panu and Joost explore the continous push and pull of GDPR enforcement. On the other hand, it seems like the GDPR puts aside any rights (the Luxembourg Business Registers case). On the other, there seems to be forming limits to the GDPR application in some areas (the Pankki S case). If you have missed the CJEU action lately, no worries, this episode will put you back in track on what has been happening in the highest court in the EU. The hosts discuss in this loong episode about several cases and in the process of doing that, they give Milla a good chance to issue an correction. So load up your earpods and get your pencils ready, because this is going to be a pleasure. Reading material: Report about 22 GDPR: https://fpf.org/blog/fpf-report-automated-decision-making-under-the-gdpr-a-comprehensive-case-law-analysis/ New cases: C-672/22 (DKV) + Advocate General conclusion of 15 December 2022, C-487/21 (Österreichische Datenschutzbehörde and CRIF) C-693/22 (I) T-682/22 (Meta v EDPB) C-740/22 (Endemol Shine Finland) C-757/22 (Meta Platforms Ireland) Questions and overview of all pending cases available at: https://gdprbeetle.eu/which-cjeu-data-protection-cases-are-currently-pending/ Judgments C-129/21 (Proximus) C-37/20 and C-601/20 (Luxembourg Business Registers) C-154/21 (RW)   Hearing C-634/21 (SCHUFA Holding and Others (Scoring)) on 26 January 2023 at 14:30 (First Chamber)   A-G opinion C-579/21 (Pankki S.) Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: [email protected]