Privacy Paths

The Apple AirTag debacle shows that there is a need to diversify privacy to protect people and brands. Diversifying privacy means more than diversifying product development and privacy teams. It means looking outside the compliance bubble and centring marginal voices, including those that challenge the status quo. Abigail Dubiniecki talks to Stewart Dresner and Tom Cooper and explains what went wrong with the Apple AirTag. Apple is usually regarded as the company at the privacy friendly end of the spectrum. The latest consumer tech products are promoted as offering convenience. But developers ignore, understate or underestimate the possibility for harm. Harms to individual users as well as communities. Some products and services are intended to vacuum up masses of data to monetise it. But even if a company rejects the outright monetisation of data as its main purpose, and instead is trying to create a product with privacy protections, some unforeseen problems can occur. Apple and other companies can learn lessons from the AirTag story to avoid damage to their reputation. This podcast is based on Abigail's article in PL&B International Report April 2022. Resource referred to in the podcast: Just Tech Abigail Dubiniecki is a privacy lawyer and consultant based in Canada who helps clients in the UK and Canada implement GDPR and other privacy and data protection laws. She specialized in operationalizing Privacy by Design and is a privtech and emerging tech enthusiast.

Age verification and estimation by companies to protect the privacy and safety online for young people Stewart Dresner talks to Iain Corby, Executive Director, The Age Verification Providers’ Association (AVPA) and Project Manager, euCONSENT. There is consensus that young people should be safe online. But how should organisations behave in an ethical way? How to reconcile the commercial objectives of data acquisition and retention, and the legal objective of data minimisation and data protection by design? There are many international and national initiatives on online safety for young people. All are trying to protect “the best interests of the child”. How are companies engaging with them? There is a continuum as children mature into teenagers and then into adults but regulations impose specific ages when content should be restricted. This is the issue at the core of attempts at regulation to better protect young people from online content of a violent or sexual nature, or increasing the risk that they will be led to the consumption of tobacco, alcohol, gambling and other dangerous and inappropriate content. Iain Corby discusses with Stewart Dresner how companies are working together to achieve a credible method of age estimation and verification. Privacy Laws & Business will cover this subject in more depth in our free webinar on the afternoon of Wednesday 16 March: Helping young people to better protect their privacy and safety online. In addition to Iain Corby, participants will include the Acting Head of Children’s Policy at Ireland’s Data Protection Commission, a representative of the games industry, academics, and a Privacy Policy Manager for Meta.

Justin Antonipillai, Founder and CEO, WireWheel, discusses with Helena Wootton and Stewart Dresner the privacy laws most likely to be adopted in the US. His experience of leading President Barack Obama’s attempt to have a federal privacy law adopted by the US Congress enables him to explain why he considers such a law in the next five years as unlikely. The new Chair of the Federal Trade Commission, Lina Khan, is more energetic on privacy issues. Stronger sanctions are likely but the FTC is constrained by its narrow scope and lack of a comprehensive federal privacy statute. Meanwhile, the initiative is being taken by the states, with California in the lead once again as it was some 20 years ago with a data breach law, later copied by the other 49 states over the next 20 years. Virginia and Colorado are now the first states to follow California’s lead in adopting new state privacy laws but each one is different from the others, making life difficult for companies doing business across the country. Antonipillai, having led the US negotiations with the EU on the EU-US Privacy Shield, is aware of the commonalities and differences between the two sides. Companies need to map their collection, storage and disclosure of personal data against the many different privacy laws around the world and take steps to manage the personal data in their systems is a consistent way taking into account the interests of the data subjects.

Canada leads on applying privacy law to sales of recreational cannabis. Michael McEvoy, Information and Privacy Commissioner for British Columbia (BC), Canada, explains why and how he has applied the BC privacy law to the legal retail sale of recreational cannabis. To coincide with the legalisation of recreational cannabis, he published in October 2018, Protecting Personal Information: Cannabis Transactions, the world’s first guidance on this subject. This was updated in a revised version in August 2021. He explains the main privacy issues common to the retail sale of other products in general and alcohol in particular, and the impact of the pandemic on trends which impact privacy. This guidance has additional benefits of attracting the public’s attention to their data rights, and retailers about their responsibilities. We discuss how this world leading BC guidance is now having an impact across Canada and several other countries where the law on the sale of recreational cannabis is being relaxed to fulfil a mainstream need. Listeners to this podcast can obtain the related article published in the August 2021 edition of PL&B International Report by emailing: info@privacylaws.com

Guernsey is an independent island jurisdiction located between the United Kingdom and France. In this podcast, Emma Martins, Guernsey’s Data Protection Commissioner, speaks to Valerie Taylor and Stewart Dresner about this Channel Island’s adequacy declaration from the EU, and its importance for its digital economy of retaining free and safe data transfers between Guernsey, the UK and the EU. The Commissioner does not see privacy and innovation as a zero sum game and is confident that it is possible to incorporate both values into products and services. She deploys fines and other enforcement tools when necessary but has recently launched Project Bijou, a human-centred method for incorporating privacy values into both everyday personal life and work. Find out how Guernsey balances the gravitational pull between the UK and the EU.

Laura Linkomies talks to two privacy experts, Marta Dunphy-Moriel, Partner at Deloitte, and Alexander Dittel, Associate Director at Deloitte about privacy issues with adtech. Learn what companies using adtech can do to be transparent and comply with the UK Data Protection Act.

Do app developers gather information in a legally sound way? Apps often involve trading one’s personal data for a usually free useful or entertaining service. Data privacy laws apply to apps so how can developers navigate this legal terrain? We explore Clubhouse, the audio meeting app which is on a rising trend, and the privacy laws which apply to it, as they do to all apps. The key legal questions we ask in this episode: do users understand the process? and do they know how much data the app developers are using or “harvesting”? These issues are heightened because of mobile devices’ small screen sizes; the complexity of the opt-in or opt-out process; and the use of persuasive techniques by deploying colour and design to persuade users to consent or ‘opt-in’ to use of their personal data. We all know that app developers want access to one’s contacts and location – but is this lawful? Companies want to monetise valuable data by analysing it and sharing it with other parties. This happens largely because the individuals desire the essential and attractive (at least in the mind of the prospective user) service provided by the apps. Are the regulators keeping up? These app companies seem to live in a different world from more conventional companies, and we ask how hard the law will have to work to catch up? Participants:

Laura Linkomies talks to Jenai Nissim, Director of HelloDPO and James Young, Legal Counsel for the Frasers Hospitality Group, the global hospitality company which includes Malmaison Hotels. They cover what is included in the role of Data Protection Champions, how they won top executive buy-in, made Data Protection Champions work on a win-win basis, and how benefits have rolled out across the group in many countries.

China issued a draft law on the Protection of Personal Information in October 2020. Now that the consultation period has closed and the law is expected in 2021, Yan Luo, Partner at Covington & Burling’s Beijing office explains some of the key aspects of the draft and what it will mean for companies doing business with China.

Opt-out rights are enshrined in many national privacy laws and regulations, which provide individuals with a right to opt-out of unwanted marketing. But this is a time-consuming process and often requires know-how and commitment. Global Privacy Control (GPC) is a new mechanism which enables anyone to easily opt out of website-based marketing. Rob Shavell, Founder and CEO of Boston-based Abine (which includes DeleteMe and Blur), explains the organisations, websites and major media groups behind GPC. They include the Washington Post, the New York Times, the Financial Times, browsers, including Mozilla’s Firefox, DuckDuckGo, Brave and Consumer Reports. They are working together to develop GPC. We discuss with Rob how GPC’s web-based opt-out works and how it could enable website users to implement their opt-out rights around the world. The opt-out right for individuals has gained traction in the USA as a result of California’s Privacy Rights Act of 2020 but the principle applies wherever the GDPR ripples around the world. How has the attitude of major tech companies to opt-out technology developed in recent years? The new US federal political landscape in January 2021 could provide fertile ground for a federal privacy law which might include these rights. Will privacy regulators in other countries start to recognise the value of GPC and will the mass of consumers take up GPC? Participants: AbineDeleteMeBlur

How did FutureFlow (a start-up business) win the confidence of the United Kingdom’s ICO’s regulatory sandbox to enable its anti-money laundering service to be ready for the market and also protect personal data? Share the inside story of how FutureFlow has developed its software with the cooperation of major financial institutions and the financial regulatory authorities to track the flow of money in the international monetary system. FutureFlow’s objective is to be transformative for society by combating multi-billion dollar money laundering, and to enable personal data to be retained by the individual bank while sharing suspicious transactions with the authorities. We show how the ICO was helped in its work by close cooperation with the Financial Conduct Authority. This narrative has an international dimension, as the fight against money laundering does not stop at national borders. If your company is doing something daring with personal data, but you are willing to have your positions challenged by exploring the boundaries of data protection law, this podcast will help you to move forwards to achieve a win-win in both commercial and regulatory terms. We talk to the founder of FutureFlow and the head of regulatory assurance at the UK Regulator. Find out how both sides have benefited and learned from their experience of this one year ICO regulatory sandbox programme. Participants: FutureFlowSee Privacy Paths episode 6 for the first podcast on the ICO’s regulatory sandbox. If you are interested in applying for the ICO’s Regulatory Sandbox, you can find more information on their website.

COVID-19: The impact on wellbeing and the use of personal data in HR. Helena Wootton talks to Alison Deighton and Jenai Nissim, the Directors and Co-founders of HelloDPO. What has been the impact of COVID-19 on the mental health and wellbeing of employees? How are organisations balancing their obligations under data protection laws when using employee data to ensure the effective management of their employees? What steps should organisations take with particular care for processing sensitive health data? How should organisations recognise the boundaries between work life and home life when so many people are now working from home? At what point does management monitoring become too intrusive? This podcast provides useful answers to these questions.

The European Data Protection Board has issued GDPR controller-processor guidelines (for consultation) which define the roles and responsibilities for the different actors. Laura Linkomies talks with Elisabeth Jilderyd, International Legal Advisor and Coordinator, International and EU Department at Sweden’s Data Protection Authority about the controller-processor relationship, joint controllers, drawing up agreements between the parties, and their responsibilities in case of a data breach.

Innovation and privacy are often regarded as incompatible. They were brought together for mutual advantage in the United Kingdom’s ICO’s regulatory sandbox. Onfido, which provides proof of identity using facial recognition, has now emerged from the sandbox in its first cohort. We discuss with Onfido's Director of Privacy and the ICO’s Head of Assurance how they assessed the risks and took the plunge. Find out how both sides have benefited and learned from their experience of this one year programme. Participants: Onfido The article on Onfido’s rationale for entering the sandbox, published in the September 2019 edition of Privacy Laws & Business United Kingdom Report is available free of charge by e-mailing info@privacylaws.com. If you’re interested in applying for the ICO’s Regulatory Sandbox, you can find more information on their website.

The online advertising market is changing rapidly. Regulators are on the case. Consumers are waking up to that fact that their personal data is being used (or mis-used), and are taking back control. How are businesses reacting and what does the future hold for this multi-billion dollar industry. Tom Cooper discusses these issues with privacy lawyer Abigail Dubiniecki, My Inhouse Lawyer. For more details see Abigail's article: Achieving a privacy-first Adtech digital marketing strategy, in PL&B UK Report July 2020. See also: IAB Europe Guide to the Post Third-Party Cookie EraICO's Update Report into Adtech and Real Time Bidding

The end of 2020 and the EU-UK transition period is fast approaching. Valerie Taylor and Helena Wootton discuss what will happen to international transfers of personal data from the EU to the UK and how should organisations prepare. A fuller analysis is available in the July 2020 edition of Privacy Laws & Business UK Report.

In a podcast aimed at licencees and managers, Helena Wootton, Stewart Dresner and Tom Cooper discuss possible data protection pitfalls of collecting data from customers and make some practical suggestions. Useful links: UK Government guidance - Keeping workers and customers safe during COVID-19 in restaurants, pubs, bars and takeaway services https://assets.publishing.service.gov.uk/media/5eb96e8e86650c278b077616/Keeping-workers-and-customers-safe-during-covid-19-restaurants-pubs-bars-takeaways-230620.pdf Big Hospitality - Coronavirus track and trace: 7 steps to complying with data protection law https://www.bighospitality.co.uk/Article/2020/06/24/Coronavirus-track-and-trace-7-steps-to-complying-with-data-protection-law-GDPR-hospitality-restaurants-bars Note from Stewart Dresner, Privacy Laws & Business: "I stated in the podcast that retaining personal data for its purpose, in this case for Covid-19 tracing, (the purpose limitation principle) is a longstanding principle going back to the UK’s Data Protection Act 1984. I wrote an article in The Economist in 1987 reflecting the importance of this principle by referring to the first use of a search warrant by the Data Protection Registrar [the regulator] to investigate a part-time policeman who was suspected of using the Police National Computer to check up on the boyfriend of his daughter. A similar case involving a policeman, who worked part-time as a debt collector, led ultimately to a decision in the UK’s highest court referenced as R. v. Brown [1996] 1 AC543 on interpretation of the Data Protection Act 1984 Section 1 (7)" http://www.legislation.gov.uk/ukpga/1984/35/section/1/enacted

How have Covid-19 tracing apps addressed data protection issues? Do they work and are there lessons there for all app developers? Hosted by Tom Cooper, Deputy Editior, with Laura Linkomies, Editor, and Helena Wootton, Data Lawyer and Correspondent. MIT article on tracing the tracing apps mentioned in the discussion - https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

In our first podcast, Professor Graham Greenleaf, PL&B Asia Pacific Editor, discusses the privacy aspects of Australia’s CovidSAFE voluntary contact tracing app with Stewart Dresner, Publisher, Helena Wootton, Data Lawyer and PL&B correspondent and Tom Cooper, Deputy Editor. A fuller analysis is available in the June 2020 edition of Privacy Laws & Business International Report.