You buy a new computer. You push the power button. Your screen blazes with tips and prompts, not from the device maker but from tech giants like Microsoft and Google. You rush to get started with offerings from these giants and other iconic providers. What about your personal information and how your privacy will be affected by your launch on the new device? Or perhaps you skipped the privacy choices long ago and now wonder what happened by default and your deferral of exercising privacy options? Come along as the Data Privacy Detective activates his new desktop and laptop. Learn how tech giants confront how personal information will be collected, shared, and used - or not, depending on your choices - or your failure to make them. Consider how your decisions when you launch a new computer (or make privacy choices now with an existing one) expand or limit risks to your identity and personal privacy in the digital world. Time stamps: 02:43 — Google privacy settings 07:30 — Lenovo privacy settings

Episode 155 considers three important developments as 2024 opens: -How the European Union’s pending AI Act blazes a new trail -How umbrella insurance may or may not apply to claims involving biometrics -How Quebec’s 2023 data privacy act will reshape privacy notices throughout North America. Yugo Nagashima and Brion St. Amour, attorneys with the coast-to-coast U.S. law firm Frost Brown Todd LLP, team with the Data Privacy Detective to cover these three essential matters. On December 9, the European Union published a preliminary agreement on the Artificial Intelligence Act, a pioneering law that provides a framework for sale and use of AI in the EU. We consider what the AI Act covers and the four-levels-of-risk approach the EU will take for regulating AI. We then jump into discussion of a class action lawsuit against Krispy Kreme Doughnut Corp. The suit claims a violation of the Illinois Biometric Information Privacy Act (BIPA). Does Krispy Kreme’s insurance coverage apply? We consider the distinction between the lawsuit's claims and the company’s umbrella policy. The insurer declared that Krispy Kreme is not entitled to an insurance paid defense, based on a policy exclusion. The Quebec Act for protection of personal information in the private sector became law in September 2023. December 18, 2023 Guidance from Quebec’s Commission covers what must be in privacy notices, including that they be in clear, simple language (in French and English). https://www.cai.gouv.qc.ca/politiques-de-confidentialite/ What is “clear and simple”? The Guidance offers a checklist of what organizations should say in their website privacy postings, and is certain to force changes in websites of digital businesses that cover U.S. and Canadian markets. Time stamps: 01:16 — EU’s pending AI Act 10:11 — Umbrella insurance and biometrics 17:08 — Quebec’s 2023 data privacy act

Why do businesses create cookies for their websites – and what choices can visitors make when a popup asks us to choose? Can chatbots write privacy policies for businesses? How can we determine if a website shares personal information we provide to it – and if so, for what purposes? Donata Stroink-Skillrud, President and Legal Engineer of Termageddon (https://www.termageddon.com), addresses these questions. As data privacy laws and regulations spread, data privacy technology and policies must adapt. As website visitors, we should understand our choices when deciding what to click on cookie popups and should know whether a website business is gathering our personal information for limited and proper purposes. Learn a trick about how to know if a business shares personal information. Businesses wishing to be privacy compliant and earn a privacy-centric reputation should consider top tips. For individuals, hear advice for how we can protect our personal information in a world of growing threats to our privacy. Time stamps: 01:00 — Cookies, explained 06:21 — Chatbots, explained 10:56 — How can we find out if a business is sharing our personal information? 14:21 — Tips for businesses that want to focus on user privacy 15:24 — Tips for individuals who want to protect their privacy

When we visit websites, we increasingly see popups. Why is this? How does consent affect online advertising? And what’s changing in 2024? Mate Prgin, founder/CEO of Enzuzo (https://www.enzuzo.com) explains how Google’s 2024 standards force online retailers to obtain express consent from customers for collecting and sharing personal information. Bolstered by the recent Quebec Law 25 (first in North America to adopt GDPR-style consent standards) and spreading U.S. state laws led by California, North American online sellers are driven to change their website technology and practices to give consumers the choice of allowing or refusing their personal information to be shared and used for personalized advertising. The meaning of “consent” and how it is provided in practice become essential for internet commerce in 2024. Understand how internet retailers can comply with law and private sector standards, how individuals will be empowered to exercise choices when shopping online about how their personal information will be used and shared. Time stamps: 01:30 — What do you see in 2023 about data privacy compliance 04:23 — Google’s 2024 standards, explained 10:48 — Top tips for businesses in setting up their websites with privacy for users in mind 11:58 — Top tips for individuals who want to protect their privacy

Data clutter – we keep our homes tidy, at least some of us do. But what about digital data? It accumulates and grows over time. Unlike hard copy files, which can be pitched or sent to long-term (expensive) storage, data is silent and unobservable (except perhaps to IT personnel). Explore how organizations amass vast amounts of data containing personal information, some highly sensitive. There it resides, posing serious risks to organizations and individuals. In Episode 152 Jason Cassidy, CEO of Shinydocs (https://shinydocs.com ), takes us on a tour of data clutter. Learn the vast amounts of unintended data gathered and kept by businesses that don’t need it, how this can be managed, how personal privacy can be more secure through state-of-the-art data management. Consider how data can be auto-classified on creation, how files can be better located with data breach risk minimized. Hear an industry expert’s top tips about data management for organizations and individuals. Make it a new year’s resolution to de-clutter, to data-minimize, to control fileshares, to design privacy-centric creation, retention, and storage of digital data. Time stamps: 01:10 — What info do organizations typically store in their databases? 07:20 — What risks to our personal privacy are posed by data clutter? 14:48 — Tops tips to organizations for dealing with data clutter 16:53 — Tops tips to individuals for dealing with data clutter

Major data privacy news from November - the meaning beneath the headlines: California issues proposed rules on ADTs – Automated Decision-making Technology. Applying California’s principal data privacy statute, the California Privacy Protection Agency proposes opt-out requirements, pre-use notices, and other measures for AI and related organizations. A New Landmark for Consumer Control Over their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology (ca.gov). The TSA is using biometrics at U.S. airports with little notice or disclosure. Some U.S. Senators have called “time-out.” What’s going on with biometrics at airports? BUR23A41 (senate.gov). The influential Data & Trust Alliance proposes eight cross-border Data Provenance Standards. Learn how international standards are being set by the private sector to increase transparency, reliability, and use of datasets essential for AI. Will data become labeled and tracked like food and art? How does private standard setting lay the groundwork for privacy conscious laws and regulations? Consider the immediate opportunity to provide your comments about AI and personal data privacy. The Data & Trust Alliance (dataandtrustalliance.org). Tune in to Episode 151 for analysis, as the world of data privacy spins toward 2024. Time stamps: 00:59 — ADTs 09:02 — The TSA is using biometrics 13:47 — Data & Trust Alliance proposed Data Provenance Standards

Perry Johnson & Associates (PJ&A) provides medical transcription services to healthcare organizations. Its website states that it offers “secure HIT solutions,” using “multiple U.S. based, secure data centers for documentation storage and disaster recovery.” But in November 2023, PJ&A began informing about nine million people by individually sent letters that “between March 27, 2023 and May 2, 2023, PJ&A learned that an unauthorized party gained access” to its network and “acquired copies of certain files from PJ&A systems.” A November 2023 TechRadar report summarizes the background: “A total of 8.95 million individuals are affected, with the stolen data including full names, birth dates, postal addresses, medical records, and hospital account numbers. Furthermore, the hackers took admission diagnoses, as well as dates and times of service. In some cases, the hackers also stole Social Security Numbers (SSN), insurance and clinical information from medical transcription files, and names of healthcare providers - all of which would be more than enough to stage highly convincing social engineering attacks (phishing, identity theft, etc.) and could result in many class-action lawsuits.” How did a leading MedTech company respond to this cybersecurity incident? Tune in to learn how one podcast listener was informed by letter about the wrongful release of the individual’s medical information and sought details with no success. Consider how society must prepare better to address the aftermath of data breaches and what we can do collectively and individually to protect our most sensitive information.

Blockchain technology. Can it be a solution to privacy risks inherent in traditional IT? How is it different from cryptocurrency? What can it do to allow both individuals and organizations to limit and protect personal information exchanged in daily life? Explore these questions in Episode 149, with Zenobia Godschalk, head of communications for Swirlds Labs (https://swirldslabs.com). Take a brisk tour of an open-source approach that applies blockchain technology to our evolving web. Learn about Hedera – an open source, leaderless proof-of-stake network. Consider how an individual need not share a lot of personal information when a transaction requires only proof of one thing – such as whether the individual is an adult or whether a person actually is a bank account holder. Listen for top tips to organizations and individuals about how open-source blockchain technology can minimize risks to personal information and identity theft. Hear how public ledgers for decentralized economies are changing our digital existence and can be a means of protecting personal privacy without disrupting our digital world. Time stamps: 01:02 — What is blockchain technology, and how is it different from cryptocurrency? 07:30 — What is tokenization? 12:42 — Is blockchain 100% effective? 14:44 — Top tips for organizations in considering blockchain technology as a replacement for traditional IT 18:52 — Top tips for individuals in considering blockchain

Post-Quantum Data Privacy – what is it? What does it mean for organizations and individuals? That is this episode’s focus. Tune in to learn how one company offers privacy-protect ive messaging and cryptocurrency services in the age of Web 3.0 and quantum computing. JB Benjamin, the founder of UK-based Kryotech Ltd. (Kryotech Group), provides a tour of Vox Messenger and Vox Wallet. These services employ privacy-centric technology. Explore how our personal information is collected, used, and shared often without our knowledge or approval. Consider how technology beyond passwords is essential to deter unwanted use of our personal information and to minimize rising theft of our financial resources and even our identities. Quantum computing means an exponentially increased power that can be used to break through lengthy passwords and otherwise hack and misuse data, both personal and organizational. Defenses are also evolving. Post-quantum privacy entails use of double-ratchet encryption, message immolation, sophisticated use of public and private keys, and other techniques. Individuals can be empowered to make choices about the value of their digital information and identities, which otherwise are swept up and used by businesses without payment. Understanding post-quantum data privacy is essential to empowering each individual to decide how to exercise choices about use of personal data. Time stamps: 01:08 — How is our personal info used by companies to make a profit? 04:51 — What does Kryotech do to enhance privacy? 12:54 — What is Vox Crypto and how does it enhance privacy 18:03 — Top tips for businesses who want to focus more on privacy 20:10 — Top tips for individuals who want to protect their privacy

How small and mid-sized organizations can afford privacy by design: Making data privacy and security affordable and scalable Tech giants have vast budgets for cybersecurity and data privacy. But most organizations are small or mid-sized enterprises (SMEs) and can’t afford expensive in-house talent, hardware, and software to combat data piracy or prevent data breaches. How do startups, SMEs, and MSPs create a privacy responsible foundation as they start and grow? How can they make privacy part of their offering to customers? How can they maintain first-class cybersecurity and data privacy as they scale and grow on an affordable budget? Darren Gallop, co-founder and CEO of Carbide (Company | Carbide (carbidesecure.com), provides advice on these and other topics in this Episode. With an overview of how secure personal information is today, Darren explains the benefits of starting with a secure privacy-centric foundation on an outsourced basis, then adding essential tools as an organization grows. Listen for top tips on how organizations and individuals can protect sensitive personal information on an affordable basis. Time stamps: 01:59 — How secure is personal info these days? 06:10 — On a limited budget, how can small and mid-sized businesses invest in data protection? 12:02 — How does an SME maintain first-class data privacy practices? 17:19 — Top privacy tips for individuals

October 2023 was a busy month for data privacy. Join our monthly podcast of three major developments in the world of personal information and technology. Our picks are these: 1. On October 30, President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (AI). Noteworthy to Data Privacy was his call for Congress to pass bipartisan data privacy legislation, especially for children, which would be a significant step towards a federal data privacy law. In addition to national security and other features, the EO prioritizes federal support for accelerating privacy-preserving techniques, strengthening privacy-preserving research and technologies, evaluating how agencies collect and use commercially available information, and developing guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques. Explore what the Executive can do in the absence of Congressional action on data privacy. FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence | The White House. 2. The Federal Trade Commission amended its Safeguards Rule to require non-banking financial institutions to report certain data breaches to the FTC. Learn which businesses are covered and what the rule requires of them. Explore how the new reporting requirements will force a wide range of businesses to report data breaches in detail to the FTC, and how this could affect data privacy. FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches | Federal Trade Commission. 3. A United Kingdom court rules on October 17 that Clearview AI was not liable to the UK’s Information Commissioner for scraping the photos of UK residents from the internet and offering its services to foreign law enforcement agencies. ukftt_grc_2023_819.pdf (nationalarchives.gov.uk). Learn why the extraterritorial reach of GDPR principles does not extend as many thought it might, how UK residents who have not consented to Clearview’s use of their images have no remedy, and what this means for any regulation of what people post on the internet. Time stamps: 00:25 — Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence 05:53 — FTC amends Safeguard Rules 11:16 — UK Court rules in favor of Clearview AI

Malevolent attacks on data are rising. Misuse of data is an increasingly sophisticated criminal industry. How to defend? Philippe Humeau, a founder and the CEO of CrowdSec (CrowdSec - The open-source & collaborative security suite) is our guest. He explains how an open-source approach to editing a collaborative security stack for identifying and sharing malicious IP addresses across a community of users can be a powerful force for good in protecting data against mal-actors. This episode explores how malevolent data attacks occur and are expanding, how malicious IP addresses can be identified and shared, and how building a community defense can make the internet a safer place for everyone. Learn how open source can improve defenses, how multilayer firewalls function, how VPN’s are addressed in the defense of data. Receive top tips for organizations and individuals on how to protect personal and organizational data. Time stamps: 03:08 - Malevolent Data Actors 08:03 - Can an open source platform defend against malactors? 10:26 - Multi-player firewall 11:58 - Top tips for organizations/businesses 13:56 - Tips for individuals

External data privacy – what is it? How do current threats to personal data privacy require defenses beyond stronger hardware and software? Harry Maugans, CEO of Privacy Bee - https://privacybee.com - explains how external data privacy requires us all to think beyond protections provided by organizations to which we belong. Data brokers, AI database collectors, and cybercriminals all seek access to PII (personally identifiable information), which can be used for good and bad purposes and can result in physical and financial risks to individuals. Steps can be taken to safeguard personal information, even of famous individuals who don’t want certain types of information made public or misused about them. Tune in to Episode 144 to enrich your understanding of privacy-centric thinking and take practical steps in protecting personal data privacy. Time Stamps: 00:55 — What does 'external data privacy' mean? 08:55 — How do cybercriminals exploit systemic weakness? 11:25 — How does a well-known person keep their privacy?

Today’s vehicles have cameras looking inside and outside and communicate information about us to third parties as we drive. This supports continuous product improvement by automakers. But it also raises important privacy concerns. Yevgeny Khessin, Founder and CTO, and Andy Chatham, Co-Founder, of DIMO (https://dimo.zone) take us on a tour of how our privacy is at risk while we are mobile. Episode 143 considers these questions: How do individuals and vehicles get connected while mobile? ​What privacy concerns does the modern vehicle raise? Who owns our data while mobile? ​How can privacy concerns be addressed by privacy-centric automakers? ​What can automakers and each of us do to safeguard privacy while mobile? Time Stamps: 01:28 — In what ways do people share data with their vehicles? 04:00 — What are the privacy concerns? 06:27 — What does DIMO do? 11:12 — Top tips for producers of mobile/vehicle products 15:05 — Top tips for individuals who want to safeguard their privacy

Amazon Store challenges the European Union over whether it is a VLOP. What’s that, you ask? Find out and discover how an EU Court issued an early split decision under the EU’s Digital Services Act. America’s first state, Delaware becomes the 12th state to adopt a comprehensive data privacy code. Google agrees to pay $93 million, strengthen its privacy policies, and be more transparent about location tracking, to settle California claims. Explore the deeper meaning of these September 2023 data privacy developments. Yugo Nagashima, Brion St. Amour, and Joe Dehner, members of Frost Brown Todd LLP’s Data Privacy and Cyber Security Team, discuss what these events mean for organizations and individuals. Join the dialogue! Time stamps: 00:33 — Delaware adopts data privacy code 05:20 — Google agrees to pay $93 million 10:48 — EU Court issues split decision under EU’s Digital Services Act

Artificial intelligence – AI. Headline news, Senators gathering with gurus to figure out what to do, lawsuits, chatbots that offer to be our virtual concierge but then make up stuff in their responses. What’s at stake for our privacy? And what does it mean for us as individuals? Not for us as unwitting data providers or as recipients of communications from machines that can spew misinformation, but as human beings? Tune in to Episode 141 for a brisk walk down the yellow brick road of AI. Check out what’s behind the wizard’s curtain as AI aims to improve our lives and even to organize them. Consider the front end – is our personal information ours, or is it free for the taking? And the back end – how can a Chatbot affect us when we seek its benefits and cause suffering when it misadventures? Time stamps: 00:29 — How is data being used to train AI? 09:20 — What can AI providers do to safeguard consumer privacy? 11:56 — What can we do to safeguard our privacy when working with AI?

Decentralized Finance – DeFi – is with us and spreading. Tune in to Episode 140 to understand DeFi - how blockchain technology works and what privacy concerns are at stake. Consider a technology that increases the protection of organizational and individual private information when financial transactions are conducted through DeFi instead of traditional buyer-seller information technology. Anish Mohammed, Co-Founder, CTO, and Chief Scientist of Panther Protocol, explains how DeFi works and the privacy considerations about its use. He discusses with the Detective the ways in which DeFi can be conducted in a way to protect financial data and trading strategies of DeFi participants, as well as how we as individuals can better guard our own identities and wealth. 01:07 — What is DeFi? 06:13 — Panther Protocol 09:49 — Advice for businesses 10:52 — Advice for individuals

Tech giants have invented eyeglasses that can tell us the name of a person we encounter. An image of the person is sent to an AI database. Within seconds, the glasses name the individual we are seeing. Retinal scans, fingerprints, photos posted on Facebook, Fitbit data about heart rate – all represent biometric information about us that is digitized and sent into the data stream. Imagine how useful such eyeglasses will be to visually impaired persons. The convenience and security of biometric data in making purchases or getting through airline security – undeniable. But also imagine how an authoritarian government or mal-actor can use biometric information teamed with AI to follow and target us. Is privacy dead? Has biometric AI gone too far? Tune in to Episode 139 for a tour of these profound issues. What are biometrics and how do biometric data get turned into products and services for good and ill? What laws and regulations protect and restrict biometric use? Who owns an individual’s image? Can others access our data without our consent? What can organizations and individuals do about this? Dan Cotter, attorney at Howard & Howard, discusses these matters with the Detective in Episode 139. Time stamps: 03:20 — Do current laws have protections for people's biometric data? 06:50 — Do we own our own biometric data? 11:05 — Tips for individuals 13:31 — What are the top issues that arise for organizations that use biometric info?

August 2023 was a news-filled month for data privacy. Tune in for a review of top developments: Biometrics – how Illinois deals with ClearviewAI’s use of facial recognition data and how a new lawsuit challenges Amazon’s and Starbucks’ use of biometric payment systems in New York City CFPB – how the U.S. Consumer Financial Protection Bureau has declared its intent to regulate data brokers India – how its newly adopted Digital Personal Data Protection Act charts an independent course to protecting personal digital data privacy of Indian residents. Brion St. Amour and Yugo Nagashima of Frost Brown Todd LLP’s Data Security and Privacy Team join the Detective on a tour about the meaning of these developments. Time stamps: 00:10 — Biometrics 06:33 — CFPB 11:48 — India

The U.S. Government collects data globally about persons and organizations. In doing so, it collects vast amounts of data about U.S. persons “incidental” to collecting foreign intel for national security purposes. Since the Carter Administration when the Foreign Intelligence Surveillance Act (FISA) became law, this has raised conflicts between the personal privacy of U.S. and foreign persons and the Government’s interest in national security and crime prevention. The FBI has accessed FISA databases millions of times through U.S. person queries without a warrant – creating front-page news and raising major concerns from the left and right of politics. Tune in to understand what is at stake, as Congress considers by December 31, 2023 whether and how to extend FISA. Learn about FISA, the reach of Section 702, how it operates in practice, and how the privacy issues involved affect data flows and commerce between the United States and Europe and the privacy of persons domestic and foreign. Consider how information about U.S. persons is involved and can be accessed without a judicial warrant. Our guests are Gene Price, a partner in Frost Brown Todd’s Louisville office, retired as Read Admiral from the U.S. Navy where he supported U.S. Cyber Command and Naval Information Forces Reserve, and Yugo Nagashima, a partner in the firm’s Washington, D.C. office and Deputy Chair of its Data Security and Privacy Team. Time stamps: 01:45 — What is FISA? 09:23 — What is a “US person query”? 15:15 — What are the privacy implications of FISA?

The world’s most populous country adopted a comprehensive data privacy code in August 2023 – the Digital Personal Data Protection Act. Join this episode for a tour of the law’s main features. A departure from the EU’s GDPR approach and from prior draft bills of the Government, India took a unique approach to protecting digital personal information of its residents. Instead of data localization, it chose to encourage global data flows under relatively flexible standards while requiring reasonable safeguards to prevent data breach. The law will come into force on a rolling basis in coming months. Stephen Mathias, Bangalore office partner-in-charge and Co-Chair of the Technology Law practice of Kochhar & Co., one of India’s premier large law firms, explains the Act’s main features. Learn the basic approach taken, not only to comply if your organization may be subject to its reach but also to consider how a vast country with highly skilled tech professionals chose to regulate personal data privacy, enable government use of personal data for security and public order, and embrace India’s strengths in the data economy. Time stamps: 01:00 — Evolution of the Digital Personal Data Protection Act 03:45 — How is the law similar to and different from GDPR 08:00 — The government's right to obtain data 13:32 — Data localization 15:02 — Significant data fiduciary

Generative AI – ChatGPT for example. Have you considered how generative AI collects our personal information to provide its benefits in ways that can do us wrong? What can we do about the risks? How should legislators and regulators balance AI’s benefits with our rights to personal privacy? Rita Garry, a Chicago attorney with the firm of Howard & Howard Attorneys, PLLC, provides data privacy and cybersecurity services with a view to the specifics of each client. Tune in to learn what Generative AI is, how it affects individual privacy, what the recently announced White House five principles for AI regulation are, and what organizations and individuals can do about generative AI. Time stamps: 05:35 — White House’s AI Bill of Rights 14:00 — Advice on how we can decide how AI uses our data

July 2023 was hot – record setting global temperatures. Likewise in the data privacy world. Tune in for an exploration of three top topics in data privacy by Frost Brown Todd’s Yugo Nagashima and Brian St. Amour with the Data Privacy Detective. Illinois – major Supreme Court decision from the first state to adopt a biometric data privacy law – raising the stakes for businesses in using biometrics in the workplace. U.S./EU – a third attempt to facilitate personal data flows between the European Union and the United States is deemed “adequate” by the EU – will it work despite two prior failures? What’s the new option for U.S. businesses? The United Kingdom’s draft Online Safety Bill and Apple’s threat to leave the UK – what’s behind this battle between freedom and law & order in social media? Why is Apple threatening to leave the UK market rather than submit to new proposed rules that would require it to give the UK government a backdoor entry to end-to-end pro-privacy encryption? Time stamps: 00:40 — Illinois 05:47 — U.S./EU 14:22 — UK

Our personal data is collected, sold, shared, used, and misused in ways most of us cannot imagine. Data brokers that buy and sell our personal information (“PI”) do it behind the scenes and almost always without our knowledge or consent. Data brokers are largely unregulated. What can be done about perils that have led to murder, theft, and other mayhem through easy access to PI? Tom Daly, CEO of MePrism, takes us on a tour of the consumer privacy landscape. A consumer data privacy company, MePrism programmatically removes people’s sensitive information from the internet. Explore what can be done to protect individuals from swatting, doxxing, and other misuse of their personal information, early state and federal steps towards regulating data sales and sharing, and measures that organizations and individuals can take to prevent mal-actors from gaining ready access to our PI.

Who owns our personal data? As technology advances in Web 3.0, traditional software and claims of third parties over what they can do with our personal data are under challenge. Join Chris Were, co-founder and chief architect of the Australian company Verida, to consider how blockchain thinking can allow us to achieve self-sovereign identity. Explore in Episode 132 what this means and how we can take better control of our digital presence. Understand the meaning of self-sovereign identity, how it aims to secure sensitive information about ourselves and to put us in control of how our digital footprints are used and shared with others. Learn the role of zero-knowledge credentials and how a crypto wallet holding our personal information functions. Explore how digital assistants we engage could help us control our personal information as AI scrapes, stores, employs, and adapts our data in ways we may not approve.

Oregon, California, and TikTok top the list of data privacy developments of June 2023. Tune in for how Oregon’s new data privacy statute blends the best of California and other state statutes for a comprehensive code and adds a unique twist about who can enforce it. Learn how a California court extended the effective date of a California agency’s regulations drafted to implement the Golden State’s pioneering California Consumer Privacy Act. Consider a whistleblower’s sworn testimony that contradicts TikTok’s long-held position that it does not and will not share personal data of TikTok users with the Chinese Government, despite Chinese law intended to require such reporting on demand. In concise analysis that digs beneath the deadlines, Yugo Nagashima and Brion St. Amour, attorneys on the Data Security and Privacy Team of Frost Brown Todd LLP, share their insights with that of the Data Privacy Detective. Join our podcasts on the first Thursday of each month to probe three top developments from the prior month. Time Stamps: 01:04 — Oregon 05:41 — California 08:32 — TikTok

Employers and employees – how much privacy is there in the workplace? Episode 130 explores this question in the United States. What’s an employee’s reasonable expectation of privacy while working? How do federal and state laws limit employer surveillance of employee activity? What limits are there to an employer’s monitoring of employee use of company time and property? Employees use company-provided computers, phones, and other property for a variety of personal purposes, often injecting personal information through a company’s IT system. What should employers and employees do about this? And what about departing and former employees – to what extent can or should an employer monitor a departing employee’s data streams or keep a former employee’s personal information? Annee Duprey, a partner in the Labor & Employment Group of Frost Brown Todd LLP in its Columbus office, and Seth Granda, a senior associate in the firm’s Nashville, Tennessee office, tour this complicated and challenging terrain and offer top tips to both employers and employees. Time stamps: 01:20 — What is a reasonable expectation for employee privacy in the US workplace? 08:18 — Are there limits to what kind of monitoring employers can conduct on their employees? 14:35 — What limitations are there for employees on what they can do with company-provided devices? 20:15 — Top tips for employees and employers?

What happens to our personal information after death? What can we or society do about whether any privacy exists for dead people? Episode 129 considers post-death privacy. Data privacy laws are largely for and about the living and give scant attention to the dead. But a few extend to protect data privacy after death, regarding medical information and dignitary interests of decedents and families. It’s not quite a free-for-all. Consider how estate plans generally ignore a person’s digital data but could be written to address this important interest. Learn how laws could be crafted to protect the reputational and other interests of deceased persons. Hear how technology can be used to create a digital avatar and project a person’s immortal presence for interactive conversations with great grandchildren and beyond. Think how you might wish to preserve your private information beyond your lifetime.

Our personal medical information is sensitive. It becomes digital data shared beyond the medical professional who requests and needs it to provide care. Learn how our medical information is shared and used in ways that create privacy risks many of us do not wish to assume, how tech companies profit from its use, how federal and state law provide rules about medical privacy, and what companies and individuals can do about the subject. Our guest Jay Barnes is an attorney with the firm of Simmons Hanly Conroy, which represents consumers and local governments in mass tort and class actions. Jay shares insight into how tech companies collect and use personal medical information to generate profits through customized advertising we may or may not wish to receive. He explores how the underlying principle should be that of giving each person the freedom to choose whether individual medical data can be shared with and used by third parties. Tune in for a segment about what businesses should do to comply with law and earn a privacy-centric reputation and what each of us can do to increase the privacy of our medical data. Time stamps: 00:56 — How is medical data digitized and shared? 05:10 — How do state laws deal with medical data privacy? 10:04 — How can a balance between personal data privacy and public health data be struck? 14:22 — Advice for businesses on how to handle consumer medical data responsibly and safely? 16:16 — Advice for individuals on keeping their medical data secure

Get the latest on data privacy news from May 2023. Meta is fined about $1.3 billion for transferring European personal data to the States. But what’s underneath this record fine? What does it mean for how personal data rules are enforced in the EU? Are EU standard contractual clauses no longer a safe harbor for trans-Atlantic business? Washington adopts a data privacy law for health data. Will this be copied by other states as part of the ebb and flow since Roe v. Wade’s overturning? Texas adopts a comprehensive data privacy code. How does it differ from other states with personal data privacy statutes? What does it portend as this mega-state becomes the tenth state to adopt an overall approach to personal data privacy? Tune in to Episode 127 to join the conversation. Time stamps: 00:14 — Meta fined by Ireland 09:10 — Washington State’s new data privacy law 15:00 — Texas’s new data privacy code

Bail decisions are critical in the lives of arrested persons. They come without judgment of guilt or innocence but can mean the deprivation of freedom for individuals as they await trial. But they can also have crushing unintended consequences for persons who become the victims of persons released without bail or on insufficient bail. Episode 126 takes no position on the headline debates about bail reform. Instead, Ken W. Good takes us on a tour of the privacy issues involved with bail. A thirty-plus-year attorney, Ken is on the board of directors of the Professional Bondsmen of Texas, the voice of the bail industry in that state. What information does a magistrate or judge obtain when deciding on bail? What personal information about the accused individual is available, and does this data become available to the public? Is setting bail an open court matter? Is AI entering the courtroom through algorithms that make risk assessments about accused persons? Tune in to consider this critical stage of the criminal justice system and how the privacy of all of us is affected. Time stamps: 01:06 — What is the bail bondsman's view of bail and potential bail reform? 02:34 — What are the privacy issues of bail? 05:40 — What data is presented before a magistrate in determining bail? 08:52 — Is the bail decision a public record? 10:15 — Are A.I. and algorithms being used in bail determinations? 12:07 — How might bail decisions evolve in the next 5-10 years?

Identity orchestration. Explore its meaning. Discover in Episode 125 how identity orchestration can protect data privacy and data security. Founder and CEO of Strata Identity [https://www.strata.io/], Eric Olden explores with us the change under way from passwords and multi-factor authentication to a radically different approach to safeguarding and verifying identities in a world of distributed data. Learn what a blue checkmark will mean within LinkedIn as one example. Consider how a system of passwords and identity exposure sprinkled among hundreds of applications and sources exposes individuals and organizations to hacking and theft risk at the weakest link. Can technology protect us from ourselves? Learn what OIDC (OpenID Connect) means and how it relates to the ongoing struggle between mal-actors and the rest of us. Time stamps: 01:12 — What is Identity Orchestration? 04:12 — What is Project Indigo? 07:01 — OIDC - OpenID Connect Protocol 15:25 — Challenges for privacy as technology changes, and what we can do about it

The modern automobile – a marvel of technology and transportation. It collects enormous amounts of data about us. This information is used for continuous improvement in design and safety and for our convenience. But it also creates risks to personal privacy. Episode 124 provides a tour of what automakers, suppliers, and users can do to create fair controls over how the automobile monitors, records, and shares personal information. Standard setting includes the Alliance for Automotive Innovation, in its Consumer Privacy Protection Principles. NIST (the National Institute for Standards and Technology) issued 2023 revisions to its Cyber-Security Framework. In the absence of national law or regulation about automotive privacy, these standards are a baseline for acceptable use of automotive generated personal data. Tune in to consider what automotive businesses and private individuals can do to safeguard personal privacy while allowing continuing technological and safety progress. Matt Schantz, an attorney with Frost Brown Todd’s Automotive Industry Team, with a focus on intellectual property and technology agreements, leads an exploration of how our car is watching, listening, recording, and sharing our data – and choices business and consumers have to protect personal privacy. Time stamps: 01:10 — How do today's automobiles collect data about their drivers? 05:00 — How do automakers and suppliers address privacy concerns? 06:40 — What guidance does NIST have on balancing automaker interests with individual privacy concerns? 10:19 — Tips for automakers and suppliers about meeting privacy concerns and/or regulations? 13:57 — TIps for drivers about safeguarding their data

What do Indiana, Tennessee, and Montana have in common? They adopted comprehensive data privacy laws in April 2023. Explore the similarities and differences and a unique Tennessee provision about national standards. Is a pattern emerging for how the U.S. regulates personal data? Consider the privacy implications of Artificial Intelligence. Global leaders are racing to understand and decide how to regulate AI. G7 leadership met in Japan on April 29 to consider a joint approach to the dark side of AI. And hear how a request to Google’s Bard resulted in both a text and a refusal to generate a deep fake. Utah enacts the first state law giving parents control over minors’ use of social media. Whose privacy is paramount before a person reaches age 18? How does Utah’s law address the rights of parents and children in a world of social media with its far-reaching impact on us all? Time stamps: 00:40 — What do Indiana, Tennessee, and Montana have in common? 02:50 — Tennessee adopts NIST privacy framework 05:16 — How are governments thinking about how to regulate artificial intelligence? 07:27 — What is generative A.I.? 08:03 — G7 leaders met in April to discuss A.I. 11:07 — Utah enacts law giving parents control over their children's social media

How can an organization comply with a wide diversity of privacy laws being adopted and changed across the globe? How does an organization create a compliant and privacy-responsible policy to assure its customers that their privacy will be protected? Join Rachael Ormiston, Head of Privacy at Osano, as we explore these questions. Osano offers a “No Fines, No Penalties Pledge” to its customers. The World's Most Trusted Data Privacy Software Platform | Osano (https://www.osano.com/). Consider how and why it does this and seeks to offer real-time compliance in an evolving world of data privacy regulation. Hear the trends of data regulation and learn whether there is hope for harmonization across borders for how our personal information is regulated and protected. Time stamps: 01:28 — What does Osano do? 03:06 — What are the essential elements of a successful privacy policy for a mid-sized organization? 05:55 — How do you aim to create a privacy policy that is compliant with current and future regulations? 09:58 — How should companies think about their privacy policies in terms of international users? 12:14 — What does the future of data privacy regulations look like? Will different countries and regions develop their own different privacy regimes?

Join Duane Laflotte and Patrick Hynds of Pulsar Security as the Data Privacy Detective asks these essential questions about cyber-crime and data privacy: How hard is it to break into a website or organization’s IT system? What are top tips for mid-sized organizations to defeat data attacks? What’s the future for people seeking a cybersecurity career? Pulsar Security offers institutions cyber-protection through software and services to prevent data leaks and losses at reasonable cost. Offensive Network Security | Enterprise Security Software | Pulsar Security. Tune in for insights into countering the growing tide of data and identity theft Time stamps: 02:15 — How hard is it for a bad actor to infiltrate a company's website or IT system? 03:37 — How much safer is HTTPS? 05:50 — What are the top ways a mid-sized business can protect itself from cybercriminals? 07:10 — Why is it important to know which data is flowing through your organization? 09:55 — How often should you change your passwords? 13:18 — Are we going to be able to keep up with cybercriminals?

Artificial Intelligence and data privacy. Explore their relationship in this episode. It’s a subject little addressed by law or regulators and largely invisible to the public. AI depends on amassing a huge amount of personal information, collected and processed largely without consent or awareness of individuals whose personal information is being used. Once collected by AI businesses, personal data can leak to bad actors. And the services that are AI-driven can result in misapplications and mistaken projections, causing untoward harm to individuals. Vinay Kumar, CEO and Founder of Arya.ai, opens for us the black box of AI. We consider how ML Observability tools such as AryaXAI can make AI understandable to all stakeholders, including those whose personal data is used to train AI models and create AI-powered services in finance and other fields. Time stamps: 01:08 — What do AI and data privacy have to do with each other? 04:28 — What is ML Observability tool?

What do ChatGPT, Iowa, TikTok, and Spyware have in common? They all made data privacy news in March 2023. Italy’s Data Protection Authority blocked ChatGPT internet use on privacy grounds, the first western government to do so. Iowa became the sixth U.S. state to adopt a comprehensive personal data protection code. President Biden issued an Executive Order against federal use of social media containing spyware, without expressly naming TikTok or China as the targets. Join the Data Privacy Detective’s conversation with Mike Nitardy and Yugo Nagashima, attorneys with the Data Privacy Team of Frost Brown Todd LLP. Explore the meaning of these developments for data privacy and its place in the world of technology and of us all. Time stamps: 00:43 — ChatGPT in Italy 06:54 — Iowa develops a comprehensive personal data protection code 12:00 — Executive order against federal use of social media containing spyware

Prominent South African data privacy attorney Ahmore Burger-Smidt described 2022 as a year of “bloodbath” for personal data privacy in a recent report from her firm Werksmans. The firm manages the Lex Africa Legal Alliance, with members in over twenty-five African countries. Cybercrime is extensive and growing in Africa, similar to trends evident in the rest of the world. Cybercriminals employ increasingly sophisticated phishing attacks and business email compromise schemes and have expanded with cryptocurrency attacks and direct entry into data storage and other technology to steal personal data and identities. African countries have responded through governmental and private sector efforts. South Africa’s Protection of Personal Information Act (POPIA) is about two years in force, with its implementation encouragingly steadfast. Click on Episode 118 for an African view of how the battle between cybercrime and civil society is unfolding. Time stamps: 01:33 — What cyber crime / data privacy issues are we seeing in South Africa? 03:49 — Business email compromise 09:08 — South Africa's regulatory approach to data privacy 15:35 — South Africa's regulatory regime has both carrots and sticks

The European Union’s GDPR (General Data Protection Regulation) became effective in May 2018. It declared a thorough and far-reaching set of rules for data privacy and became the global leader in how personal data privacy can be regulated and enhanced. What have almost five years shown? Is it successful? Entrenched? A model others follow? And how does it work in practice in 2023? Episode 117 considers how GDPR has become an embedded fabric for how personal information flows – or fails to flow – across borders. While an adopted framework within the EU and affecting global business without regard to borders, GDPR has not been copied everywhere. It varies both from the data localization approach of some countries and from the freer market approach of the United States and other countries. Tune in for what’s happening in early 2023 with GDPR and how it has worked in practice. Time Stamps: 01:28 — GDPR Fines 03:36 — United Kingdom privacy regime 04:43 — 2023 examples of laws influenced by GDPR 07:40 — US and EU attempting to create a safe harbor for data transfers between the two 08:23 — Differences between US and Europe regarding privacy 09:30 — Europe’s draft data act

Government regulation is moving towards giving consumers the right to stop companies from selling or share their personal information. How easy do companies make it for consumers to make this request—and then have it mean something? This episode contrasts two companies that take very different approaches to the question. One company makes its money through advertising, and to do that it needs to collect and share personal information of those who use its browser and other offerings. Another was fined by the California Attorney General for failing to give its visitors a choice. It now posts a clear and simple way for consumers to stop it from selling or sharing their personal information to others. Consider in Episode 116 how websites can provide consumers the right to protect their privacy and what consumers can do about it when companies make it difficult or impossible to stop them from selling or sharing their personal data. Time stamps: 00:30 — Sephora’s privacy policy 07:57 — Google’s privacy policy

Many of us wonder how the internet knows so much about us. We are barraged with tailored ads as we use the internet. How does this happen? How does this affect the compliance risks of businesses and the data privacy of us all? Dan Frechtling, CEO of Boltive, explores the digital advertising ecosystem in Episode 115. Explore the sub-terrain of the internet, how it creates advertising revenue that is the business model of many tech firms, how unwanted ads and mal-advertising encroach, how it affects our personal privacy, and how regulation increasingly requires businesses to offer consumers the choice of refusing the sale or sharing of their information. Learn how businesses can minimize risk and avoid compliance violations and how consumers can make privacy choices within their control. For information about inadvertent data leakage, Visit Boltive at https://www.boltive.com/ to learn more about inadvertent data leakage. Visit https://www.linkedin.com/in/frechtling/ to connect with Dan. Time Stamps: 01:40 — What brought Dan into the data privacy space? 07:50 — Consumer privacy concerns about digital advertising 09:06 — Data privacy minimization 09:42 — What Boltive does to address these issues 11:13 — What is the future of the digital advertising business model?

The Data Privacy Detective welcomes Frost Brown Todd attorneys Mike Nitardy and Yugo Nagashima to cover three important developments in the world of data privacy: -Updates to the California Privacy Rights Act (“CPRA”) – highlights of final regulations just issued -FTC settlement with GoodRX - the first enforcement of the Health Breach Notification Rule – its meaning for the healthcare industry and us -European Commission’s proposed “Data Act,” which could radically change the rules of data sharing and stimulate competition in tech sector Time stamps: 01:15 - California Privacy Rights Act amendments 07:58 - FTC settlement with GoodRX 11:55 - EU Data Act proposal

Business Email Compromise – it’s a major way that global thieves steal trillions of dollars. Bill Repasky, an attorney at Frost Brown Todd LLP, with years of experience in electronic payments and cyber-fraud defense, explains how attacks of this type occur, why they are growing, what can be done to prevent them, and what a business can do if attacked this way. Common types of Business Email Compromise attacks are what appear to be incoming customer payments, outgoing payments to suppliers of goods and services, and internal attacks (where a mal-actor takes over an employee’s email account at the business). While anti-phishing training is important, it is not enough. Businesses can minimize risk of loss by upgrading institutional defenses this podcast discusses. Tune in for a tune up on how businesses can deal with the rising global crime wave of Business Email Compromise. Time stamps: 00:46 - What is Business Email Compromise? 03:28 - What businesses are being targeted? 05:35 - What are the common threads we see in business email attacks? 08:24 - How do internal business email attacks occur? 11:00 - How is public information on social media used as part of email attacks? 11:38 - Key things businesses can do to prevent attacks? 14:20 - What is “out-of-band” verification and how can it help prevent attacks? 17:15 - What should a business do once it knows it has been attacked?

In this bonus episode, we bring you the Data Privacy Detective's guest appearance on the Privacy Week podcast's "The Privacy Panel Discussion" special.

Canada and the United States are each other’s major commercial partner. Many U.S. companies have Canadian customers and collect and process personal information about Canadians. They must therefore understand Canada’s and its provinces’ regulation of personal data privacy. The Canadian regulation of data privacy is very complex, with a maze of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws and regulations. In this conversation with Lyndsay Wasser, a Toronto-based attorney at the Canadian law firm McMillan LLP, the Data Privacy Detective asks what cross-border businesses should know about privacy and data security in Canada, as well as looming changes on the U.S.’s northern horizon. Time stamps: 01:05 - What is the general state of data privacy and security law and regulation within Canada? 02:33 - What does Quebec do differently? 03:18 - Do foreign companies need to consider individual provincial laws in addition to the federal laws? 05:27 - How is the Canadian privacy regime similar to the EU's GDPR? How is it different? 07:14 - What should a US company know if it collects data from Canadian users? 08:16 - How does Canada address data localization? 09:43 - What does the future look like for data privacy law in Canada? 13:06 - What advice would Lyndsay give on the type of guidance companies should seek regarding Canadian data privacy?

“If it’s free, then you are the product.” We carry in our pockets devices that have powerful mechanisms for collecting our information–where we go, what we buy, and even how fast we move. Every time we scroll through social media on our phones, we are submitting extremely precise data about what we might be interested in… even down to how many seconds we slow down to look at an individual post. By using these products and services, we are in effect consenting to this data collection, which comes back to us in the form of targeted advertising. But is there an alternative? What can we do if we want to use these services but don’t want to give over so much of our personal information? Ryan Patersen’s company Unplugged is betting that there are many people willing to pay more for more privacy. The products and services Unplugged offers present a fascinating test case in how much people value their privacy, and Ryan joins the Data Privacy Detective podcast to tell us all about it. Learn more about Unplugged at their website – https://www.unplugged.com/ Time stamps: 01:23 – How do our devices collect data on us? 03:57 – How do companies use our data? 07:22 – What are the privacy risks? 08:44 – What is Unplugged doing differently? 14:10 – How much money is each user worth to the big tech companies as an ad delivery conduit?

Tech giants like Google, Apple, and Facebook incur huge Euro fines from European Union data privacy authorities. This is a “stick” approach, perhaps more like a “club,” of forcing EU rules upon global companies, aiming to force tech giants to change data privacy policies and practices to GDPR’s strict demands. Enter the Netherlands - with a different way of achieving changes in privacy practices through a joint approach. A January 23, 2023 New York Times article by Natasha Singer highlighted the Dutch carrot and teamwork way of getting companies to embrace EU rules without first resort to financial penalties. This podcast considers how the Dutch treatment – an audit and negotiation approach – offers a successful means of boosting personal privacy through collaborative solutions. Tune in for a refreshing example of how data privacy authorities and technology giants can work together to achieve common personal data privacy goals. New York Times article - How the Netherlands Is Taming Big Tech (Jan 18, 2023) by Natasha Singer - Link: https://www.nytimes.com/2023/01/18/technology/dutch-school-privacy-google-microsoft-zoom.html Time stamps: 00:21 - How the Netherlands has approached GDPR compliance 01:41 - GDPR fines have gotten the attention of Big Tech companies 03:03 - NYT article by Natasha Singer on Dutch approach to Big Tech 07:40 - The Dutch’s different approach of collaboration rather than lawsuits has been effective

The Data Privacy Detective Joe Dehner will be appearing as part of the LinkedIn Live event, "Privacy Week Podcast Palooza." Tune in on Thursday, January 26 from 3:00 to 4:00 p.m. EST: https://www.linkedin.com/video/event/urn:li:ugcPost:7021476486180212738/

A Third Way Emerges - Light Touch India -soon to be the world’s most populous country, a fast growing economy with a highly sophisticated tech sector. It’s a country with a digital rupee in circulation and digital identity cards. Since independent India has forged an independent path between “east and west.” About a year ago, the Modi Government withdrew a bill based on Europe’s comprehensive privacy-centric approach to personal data privacy, GDPR. In November 2022, a very different bill was proposed by the Ministry of Electronics and Information Technology – the Digital Data Protection Act. What caused the change and where is India headed? In Episode 109, Stephen Mathias of the premier Indian law firm Kochhar & Co explains the new approach. Expected to be adopted by mid-2023 in a final form, it is very different from either the GDPR strict and privacy-centric approach or the U.S. model of sectoral and partial rules without an overarching federal code. India’s will use a “light touch” approach. It will leave many details open to evolving technology and future administrative rule-setting. Explore this very different model for national regulation of data privacy and security.

Identity management. Learn how an automated approach can defend against the rising tide of data hacks, thefts, ransomware attacks, and other assaults on private information. Kevin Dominik Korte, IT Innovation and Growth Strategist of Univention, explains how an automated approach to login and other steps we take to connect to the internet and intranets can reduce the ability of bad actors to succeed in their attacks on IT systems, large and small. Traditional identity management is more costly and risk prone than what can be designed into an automated IT system that includes privacy and security by design. Consider how digital identities can be managed to increase security and minimize data breach risk in Episode 108.

November 2022 saw the largest private data privacy settlement in U.S. history, a huge Irish fine of Meta, the UK’s forging an independent path from the EU, and South Dakota entering US/China foreign relations over TikTok. Tune in to Episode 107, as the Data Privacy Detective searches monthly for learning from privacy and security developments. As cybercrime grows and governments move from data breach punishment to requiring digital systems to embrace privacy-centric security, consider news from the U.S., EU, UK, Australia, India, and South Korea.

Decentralized identifiers or “DIDs”. Tune in for an exploration how blockchain and pseudonymization can systematically improve data security and increase users’ control over their digital identities. Our tour guide is Phillip Shoemaker, the Executive Director of identity.com, a non-profit that provides tools for developers to help organizations identify individuals without compromising their security or privacy. Through this approach, enterprises can de-couple personal identities from users, providing instead a separate digital identity for the user that is not linked to a phone number, address, Social Security number, or other means of identifying the user whose data is otherwise at risk. Learn what individuals can do to urge governments, regulators, and businesses to arm digital systems with defenses that prevent malicious actors to hack masses of personal data that are then used to steal and misuse identities and assets. As standards are being developed for software, IoT devices, and digital infrastructure, consider the role of DIDs as a best practice to be adopted broadly. If you have ideas for more interviews or stories, please email [email protected].

Breached!, published in 2022 by Oxford University Press, reveals how data security law fails because of undue focus on data breaches. It explores what can be done to improve data privacy and limit data theft. Author Daniel Solove, law professor at George Washington University Law School and head of a privacy and security training company serving hundreds of global organizations, explores how laws focus too much on data breach and punishment of companies that are themselves breach victims. This is counterproductive and aggravates rather than addresses the need for heightened data security. In this podcast, we turn our spyglass to data theft and insecurity and consider whether a holistic, systemic approach is better than a glaring focus on data breach. Emerging legal approaches to defective software and prevention of data theft can better stem the rising tide of cyber-crime and are essential to furthering privacy interests. Learn what you and public officials can do about this and how a different approach to prevention can better protect the privacy of data. As Breached! concludes, “If data security law is going to stand any chance in a world of artificial intelligence, smart devices, and social media, it must move beyond the breach.” Get ready for a new approach to protecting our privacy and achieving stronger data security. If you have ideas for more interviews or stories, please email [email protected]

October 2022 highlights for data privacy: - Battle between the U.S. Federal Trade Commission and a data broker over whether the FTC has authority over its practices - U.S. Government orders federal agencies to push NIST Guideline compliance throughout the software supply chain - Survey reports 2d quarter jump in data breaches - France fines Clearview over facial recognition - A Dutch Court awards a fired employee damages from the employer’s webcam rules - EU acts to harmonize procedural laws to aid GDPR enforcement - Biden Administration issues Executive Order at third attempt at a safe harbor approach to allow data transfers between U.S. and EU - First conviction of a company security chief arising from data breach response - White House issues Blueprint for an AI Bill of Rights. Whew! A lot happening. Tune in for the meaning and implications of these events. If you have ideas for more interviews or stories, please email [email protected]

William McKnight, one of the most highly published analysts in information management, offers insights into the future of how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases. Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management, how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it.

Data brokers acquire and sell data that includes personal location information. This exposes to others visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to be kept private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from data sources. Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a Lexis-Nexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss and earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function. The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private information through data brokers. If not, data brokers may be almost entirely unregulated, able to do virtually anything they wish with personal information we did not knowingly authorize them to obtain and sell. You’ll learn what businesses can do amidst a chaotic and evolving global legal compliance and what individuals can do to protect their sensitive personal location information. If you have ideas for more interviews or stories, please email [email protected].

Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can to do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach. Andy Lunsford, founder/CEO of BreachRx, offers insights and advice for what companies and individuals can do about data breaches. Companies that have a data response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks involved for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard about data breach response time and other non-political aspects of cross-border data, there is none, and not even a U.S. common approach. Tune in to understand what happens when a data breach occurs and what each of us can do to respond to it. If you have ideas for more interviews or stories, please email [email protected].

Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening. When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would avoid if they could. Otto-js co-founders Maggie Louie and Josh Summitt tell how this problem was discovered and share how risks can be mitigated. While legitimate enterprises have no interest in releasing PII to mal-actors, spell-jacking as such is currently unregulated or under-regulated. Learn how industry and regulators are addressing this issue – and what consumers can do about it to protect their own personal privacy. Helpful guides for developers and consumers are available on the otto-js website. If you have ideas for more interviews or stories, please email [email protected].

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe. 1. Instagram fined 405M Euros for GDPR violations. 2. Google and Meta were fined a total of $72 million by South Korea’s Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising. 3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error. 4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error. 5. China hopes to tighten its cybersecurity laws with higher fines for some violations. If the amendments are approved, fines for critical information infrastructure operators who use products or services that have not undergone security reviews could be 5% of revenue or 10 times their cost. 5. According to Acronis, ransomware losses worldwide are expected to surpass $30 billion by the end of 2023. 6. Lloyd’s of London Ltd. has told insurers that nation-state attacks and related losses will be excluded from insurance coverage after 1Q 2023. A 2022 court ruling dashed insurers’ hopes that “cyber war” exclusions would let them avoid payment for such losses. 7. Québec’s personal information privacy act takes effect September 22, a provincial statute that supplements Canada’s federal legislation, including the term “confidentiality incidents” and addressing biometric information. 8. Euractiv reports that the EC will introduce its proposal for a Cyber Resilience Act this week. The Act will address cybersecurity issues with consumer-connected devices. 9. UK - The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made. They bring the Telecommunications Security Act 2021 (TSA) into force from 1 October 2022. The Electronic Communications (Security Measures) Regulations 2022 under the TSA will come into force on the same date. 10. After TikTok allegedly violated U.K. privacy regulations, the Information Commissioner’s Office sent a notice of intent including a possible fine of £27 million. 11. California Governor Gavin Newsom has signed The California Age-Appropriate Design Code Act into law. The new legislation, signed by Newsom on September 15, 2022 and passed by the state congress in late August, will implement some of the strictest privacy requirements for children in the US, especially in relation to social media. 12. U-Haul International disclosed that it has experienced a data breach of names, drivers’ licenses/state IDs but indicated no credit card or financial information was compromised. 13. A teenage cyberattacker gained full access to Uber’s systems after impersonating an IT professional from the popular rideshare company to gain VPN access. 14. Congress is investigating Meta after The Markup discovered the tech giant’s Pixel tool gathered information on users’ private health records. If you have ideas for more interviews or stories, please email [email protected].

How a California statute works in practice In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws that they must provide their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA) effective in 2023 will address the “sharing” of personal information, a much broader reach than “selling.” Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates. If you have ideas for more interviews or stories, please email [email protected].

Get an update on lawsuits launched and settled in August 2022. Consider FBI warnings about DeFi platform and CISA declarations about protecting critical infrastructure. Learn of a draft bill circulating in California about an age-appropriate code for websites. A data broker is sued by the Federal Trade Commission for selling geolocation data that can be used to track who’s visiting a women’s reproductive health center, an addiction treatment facility, and everywhere else a smartphone travels. Tune in for this September 2022 update of what’s been happening in data privacy and cybersecurity. If you have ideas for more interviews or stories, please email [email protected].

Data privacy and the laws that protect our personal information mostly deal with digital data and data equipment like computers and smartphones. But the Internet of Things – IoT – is meeting data infrastructure (listen to Episode 90 about the Edge for more on that). Things we don’t think of as data collectors collect our personal information and share it with others, often without our notice or consent, and sometimes in ways we do not want. Is the law ready to deal with this? Daniel Murray, an intellectual property and technology transactions attorney at Frost Brown Todd LLC join the Detective in exploring the issues. With a mishmash of state and federal rules, the U.S. lacks a comprehensive data privacy code. International laws differ greatly, some granting control to individuals over their personal data and others giving central government authorities almost total control over personal data about residents. As IoT devices, including automobiles and home furnishings, watch and record us and our visitors, the challenges to protecting privacy proliferate, and existing rules may not apply. This podcast discusses the challenges to data privacy in the IoT world, issues including interoperability, inadvertent and unconsented collection, and other questions of modern life and the future of personal data privacy. If you have ideas for more interviews or stories, please email [email protected].

Data localization – we’ve devoted several episodes to what countries are doing to control and restrict data flows involving their residents. What happens when there’s a war (or “military operation” if you prefer) going on? Do recent actions by the Russian government reflect a growing trend toward a splinternet, treating data as though it were national cattle being locked within a corral? Or is this more a reaction to sanctions imposed by other nations, having little do with data? This podcast considers how data localization is on the rise in democracies like Indonesia, but India’s government shelved a draft national data law that would have increased control and domestication of data after pressure and objection from its broader society. With Yugo Nagashima, a Frost Brown Todd attorney focused on international and domestic data privacy and technology, we discuss expanding fines and Russia’s seizure of Google’s Russian subsidiary’s bank account, aiming to force U.S. and other non-Russian companies to agree to Russia’s controls over data as a condition of offering services to Russians. Will the internet achieve its dream of global information flows with reasonable privacy protections, or are we headed to a splinternet, where nations control and restrict what their residents can share and receive across borders? If you have ideas for more interviews or stories, please email [email protected].

Cryptography comes from the ancient Greek word “cryptos,” meaning “hidden” or “secret.” Encryption is a cybersecurity pillar, a key defense against invasion of our privacy. But it may be underappreciated in practice. Tune in to learn about the growing need for encryption technology to combat the rising tide of cyber-attacks. A recent report by the Port of Los Angeles to the FBI indicated that it suffers from over one million cyber-attacks per day. Dan Draper, CEO and Founder of CipherStash, explains from his home in Sydney, Australia the role of cryptography in protecting sensitive personal and other information. Dan’s company provides a data storage platform for sensitive data that uses searchable encryption technology to protect against attacks. Dan discusses how encryption protects personal data and how traditional databases are vulnerable to hacking and other risks. Learn why cryptography is becoming increasingly crucial in guarding data privacy and why Dan is optimistic about the use of encryption even as the age of quantum computing dawns. If you have ideas for more interviews or stories, please email [email protected].

5G is the buzzword for the new generation of mobile networking. It brings blazing speed to digital communication. With that comes concern about the impact on our privacy. 5G speeds up data sharing – the good, the bad, the annoying, the criminal. With the emergence of the Edge linking devices and data infrastructure (DPD podcast 90), 5G shares information in virtual real-time about your health, your highway speed, your browsing and entertainment, your choices in a grocery store, and your location. In equally instant time, this data will be shared by a growing number of companies and people watching and listening to us (known and unknown), who will turn the information into benefits for themselves and risks for your privacy. National security is also at stake. Criminal elements will exploit the benefits, along with governments foreign and domestic. Explore in this episode the intersection of 5G and personal information. What does 5G mean for data privacy and what can the U.S. Government do to address the national security risks? Our tour guide is Sohan Dasgupta, former Deputy General Counsel of the U.S. Department of Homeland Security and a leading data privacy expert, an attorney with Frost Brown Todd LLC’s Washington, D.C. office. If you have ideas for more interviews or stories, please email [email protected].

TikTok built a global platform sharing short videos of wild and wonderful doings of people, animals, and things. It is the first Chinese-owned company to create a global base of more than a billion users. What are the risks to personal data privacy from TikTok? How can regular users and influencers protect their personal privacy while using TikTok? How different are the TikTok risks from those of other social media companies that are not owned in part by the Chinese Government? Our guest is Ben Kunde, a Certified Fraud Examiner who leads the international investigations practice at Interfor. Starting with a tragic story about a 13-year-old girl who amassed a million fans that included a demented stalker, Ben discusses prudent privacy measures individuals can take to enjoy a platform’s offerings without needlessly sharing personal data. We also consider controls a country can take when a foreign-owned media giant creates risks to minors and others and what reasonable measures can apply in a world of global data and commerce. If you have ideas for more interviews or stories, please email [email protected].

With the reversal of Roe v. Wade by the U.S. Supreme Court, data privacy becomes a more important issue than ever. This podcast considers how highly personal, sensitive information about the period between conception and birth is shared and used, how prosecutors obtain and use digital evidence, how private parties obtain information about women considering their options. Learn how individuals can protect their digital healthcare data against unwanted future use by third parties. Consider how a person can safeguard thoughts, considerations, and decisions about intimate personal matters, including the consequences of pregnancy termination. In the uncertainty of what individual states will impose on women’s healthcare and decisions, understand what steps one can take to protect personal digital privacy. If you have ideas for more interviews or stories, please email [email protected].

Protecting and using personal information has focused on computer and software technology. With the Internet of Things (IoT), the Edge has arrived – the place where devices and traditional data infrastructure connect. Niranjan Maka takes us on a tour of the Edge and explains what it means to enterprises and individuals and the risks the Edge creates for us all. Niranjan heads SmartHub.ai, Enterprise IoT Platform | Smarthub.ai, an Edge company spun out from VMware, focused on bringing AI/ML powered management and monitoring to IoT/Edge devices. Our physical presence is replete with siloed millions of devices and sensors that collect, process, and share our personal information and enterprise data. As a veteran holding leadership positions at companies like RSA Security, Niranjan explains how we must become aware of the devices and sensors that are constantly with us and how the Edge changes how enterprises and individuals manage data and affect how our personal information is gathered and used. Tune in for an introduction to the Edge. Learn what enterprises and individuals can do about it, both to manage well in the IoT age and to protect our personal information. If you have ideas for more interviews or stories, please email [email protected].

What’s at stake as Congress considers a national data privacy law? The National Restaurant Association is the U.S.’ leading trade association for the restaurant and foodservice industry, representing thousands of members from the largest chain to solo providers. Brennan Duckett, its Director of Technology and Innovation Policy, discusses the key issues for the restaurant industry as Congress debates whether to adopt a national data privacy law. The “Three Corners Bill” recently introduced with bipartisan and bicameral support endorses substantial federal preemption of state law and a limited private right of action for substantial and individualized harm. How does a major industry see this proposal, and what are the changes needed before it is enacted? Our personal data is shared when we order, pay for, and receive a meal. Restaurants and food service companies can be both data controllers and data processors. They interact with other companies that are data processors and controllers. Tune in to this podcast to explore the issues the restaurant industry sees as important as Congress seeks a national approach to data privacy. These issues include private rights of action, loyalty programs, and harmonization of data privacy laws rather than the patchwork and confusing current state-by-state approach. If you have ideas for more interviews or stories, please email [email protected].

Through a new cybersecurity regulation, businesses in India will have six hours to report cyberattacks to the government, pursuant to a regulation that comes into force at the end of June 2022. On April 28, 2022, the Indian Computer Emergency Response Team – CERT – part of the Ministry of Electronics and Information Technology, announced regulations that include the world’s most time-sensitive deadline for reporting cyber incidents to the government. Stephen Mathias, head of the Technology Law Practice at the premier Indian law firm Kochhar & Co., presents the substance, challenges, and ambiguities of this pioneering effort. The regulation covers cyberattacks regardless of whether personal data is involved. In comparison to other global reporting requirements (such as GDPR’s 72-hour deadline for reporting breaches of personal data), the 6-hour deadline is daunting and perhaps unworkable. Wording covers attacks even if not successful, in effect requiring Indian businesses to report in real-time the stream of all cyber-attacks that occur daily. Global businesses rely on India’s strong tech industry for data processing. The regulation will challenge all Indian legal entities and any business with Indian connections to act quickly to assess the regulation’s impact before July 2022. Both civil and criminal enforcement can result from failing to report a broad array of cyber incidents. This podcast will help you understand the impact of the new Indian regulation and what it means to global business and data protection. If you have ideas for more interviews or stories, please email [email protected].

Japan is a major U.S. ally commercially and otherwise. What is the Japanese approach to personal data privacy, and how does it differ from the U.S.’s privacy culture? Erik Jacobs addresses the differences in how privacy is conceived and addressed in Japan in contrast to the complex U.S. system that has no overarching federal law about how our personal information is collected, stored, sold, and otherwise handled. Erik advised the White House Office of Science and Technology and coordinated policy at the U.S. Energy Department during the prior administration. Fluent in Japanese and English, Erik is now Policy Manager for the U.S. and Asia at Access Partnership, a leading global public policy firm dedicated to opening markets for technology. He discusses the Japanese attitude toward privacy policy and Japan’s 2022 Act on Protection of Personal Information (APPI), a comprehensive personal data privacy code that augments sectoral and other laws governing the flow of personal data. Tune in to learn Japan’s approach and what the U.S. can learn from how a leading Asian ally developed a national approach to data privacy protection. If you have ideas for more interviews or stories, please email [email protected].

Blockchain. Does it protect personal privacy? Is it a tool that can evade the law? How should we think about the relationship between blockchain technology and individual privacy? In this first of a series of podcast episodes about blockchain and privacy, we turn our spotlight on the first use of U.S. Government sanctions against a cryptocurrency mining company. On April 20, 2022, the U.S. sanctioned the Russian-Swiss Bitriver conglomerate, as part of its response to Russia’s 2022 invasion of Ukraine. Consider how blockchain and privacy interact and what it means for the future of this technology, the use of cryptocurrency, and the ongoing contest between government and personal privacy. If you have ideas for more interviews or stories, please email [email protected].

Japan’s Act on the Protection of Personal Information (APPI) becomes effective on April 1, 2022. The APPI strengthens the country’s comprehensive personal data privacy code and affects all businesses that collect or process personal information of Japanese residents. Yugo Nagashima of Frost Brown Todd LLC explores four key developments that affect global business: 1. “Person Related Information” – a new category of data – with consent required to transfer such data to a person related information handler. 2. Extra-Territorial Reach – Instead of an adequacy approach (like the EU), Japan requires a business that will handle Japanese personal information outside Japan to have the consent of those persons after a clear description of the data privacy laws of the foreign jurisdiction. 3. Data Breach Notification – A two-step notification process is mandatory for data breaches, with a low threshold of 1,000 persons triggering a mandatory notification. 4. Pseudonymous Information – Specific definition of pseudonymized data and exemption from data breach notification when pseudonymous data has been hacked. If you have ideas for more interviews or stories, please email [email protected].

The data protection laws of the European Union require many European and other companies holding or processing personal information of EU residents to appoint a Data Protection Officer – a DPO. This role creates a triangle of DPO duties – with responsibilities to the individuals whose personal information is at stake, to the company the DPO serves, and to the Data Protection Authorities who enforce GDPR. Marie Penot provides outsourced DPO services to companies in German, French, and English from her own German consultancy. We explore with her the working life of an outsourced DPO. Learn how companies benefit from the independent role of a DPO regarding EU residents’ personal data. Explore advantages and disadvantages of an outsourced DPO instead of one appointed internally. If you have ideas for more interviews or stories, please email [email protected].

Hacking – it gets a bad rap. For good reason. It’s associated with bad actors who infiltrate an IT system and steal organizational and personal information for criminal purposes. But hacking is simply an activity. Ethical hacking is a means for companies and people to test their data systems and avoid bad actors from getting into them. Ethical hacking is a tool to protect data by upgrading defenses. André Sollner is Global CFO of wizlynx group, a global ethical hacking and penetration testing provider. André holds numerous certifications over a 20+-year career in cybersecurity, including that of Certified Data Privacy Solutions Engineer. He is our tour guide for how a system assessment is conducted in five phases, from understanding and mapping an IT system and all points of entry, to a final assessment and report after the system is ethically attacked. This podcast episode will inform you about preventive system assessments that can fortify defenses against data theft, ransomware attacks, and other data disasters. We discuss the range of personal information commonly found in company databases and key weaknesses in IT systems. You will get top tips for both organizational and personal data privacy protection. If you have ideas for more interviews or stories, please email [email protected].

India is about to enact a far-reaching Data Privacy Law. Expected to be passed by April 2022 and in force as early as 1st quarter 2023, it represents a far-reaching comprehensive approach based on but extending beyond the model of European Union’s GDPR. It would govern not only personal information but how non-personal data is collected and processed across borders. The bill would force global companies that gather and use data of Indian residents – or that have personal data of non-Indian persons processed by India’s stellar offshoring/outsourcing industry – to reconsider existing privacy policies and procedures. By including non-personal data and introducing measures of data localization, India’s novel approach would represent perhaps the most onerous and strict national policy about data collection, storage, and use. Join this excursion to India, guided by Stephen Mathias, head of the Technology Law Practice at Kochhar & Co. (https://kochhar.com), one of India’s premier multi-city law firms. If you have ideas for more interviews or stories, please email [email protected].

Quantum computing – some view its emergence as heralding the end of data privacy. It threatens to penetrate encryption used in conventional computing to give hackers ready access to digital data. What will quantum computing mean for our privacy and the digital world? And what can we do to defend against its perils? Our guest is Ken Morris, CEO of KnectIQ, a company that provides beyond military grade identity, authentication, access, and data protection solutions for highly sensitive environments. KnectIQ: ZeroTrust based identity, access & data protection. Explore the meaning of quantum computing - its promise, timing, and limitations, as well as the defenses against attackers who will harness it to steal and misuse our data. Learn the two schools of thought about defenses to data theft when quantum computing empowers bad actors as never before. This podcast will force you to rethink cryptography as the sole defense against data loss. Learn how we can better protect data by dealing directly with the infrastructure of data storage and transfer and eliminating the fundamental problem. Tune in for an introduction to the coming age of quantum computing and how individuals, businesses and governments can protect personal and other data from misappropriation. If you have ideas for more interviews or stories, please email [email protected].

Backup – what does it have to do with protecting data privacy? And how does a backup service work? What should businesses and individuals know about backing up their digital data? On one hand, a backup of data provides a second target for data thieves. Not properly handled, backups can increase privacy risks. But without a backup of data, it can be lost and subject to exfiltration by thieves who steal or freeze the data held by businesses and government, the prime targets of ransomware criminals. This podcast explores the world of backup with W. Curtis Preston, sometimes referred to as Mr. Backup. Host of the podcast series “Restore It All,” author of books, veteran of the data backup business, and Chief Technical Evangelist for Druva (www.druva.com), our guest will take you on a tour of a business and service little understood but vital for protecting and recovering data in case of loss. Learn the meaning and importance in tech field lingo of “regular expressions” and “immutability.” Consider how backup services can inform businesses about protecting sensitive data better, beyond their role in resiliency and providing prompt access to data streams that are lost or stolen. And get tips about how individuals can consider the role of backup for their own personal data. If you have ideas for more interviews or stories, please email [email protected].

Taiwan occupies a unique geopolitical position – with a substantial population and robust economy, it lacks formal diplomatic recognition by most countries and is considered by the People’s Republic to be rightfully part of it. Taiwan has its own system and laws. How does it approach personal data flows beyond its borders? Taiwan has a comprehensive personal data privacy law with a GDPR-similar approach. It provides more flexibility than the EU in how Taiwanese personal information is collected and processed. There is no express extraterritorial reach to its law. But Taiwan businesses must comply with rules on handling data they collect and can be held criminally and civilly liable for exporting data that infringes Taiwan principles. There are statutory exceptions to the relatively free ability for cross-border sharing and processing of personal data. Taiwan’s financial regulator requires financial institutions to obtain consent for the export of personal financial data. Taiwan prohibits its telecommunications and broadcast companies from storing subscriber data in the People’s Republic of China. Taiwan uses sectoral exceptions to address particularly sensitive security concerns. This podcast episode explores the unique position of Taiwan on our continuing global tour with Yugo Nagashima about how data localization is practiced. If you have ideas for more interviews or stories, please email [email protected].

Turkey is the first 2022 stop on our global tour about data localization. What is Turkey’s approach to cross-border transfers of personal data about its citizens and residents? Turkey’s Law on Protection of Personal Data is comprehensive and like the European Union’s former Data Protection Directive, though it differs in some respects. Data localization is not part of this existing Turkish law. Instead, Turkey takes a sectoral approach to cross-border collection and processing of personal data of its residents. Turkish banks must collect and store Turkish customer data within Turkey. Data localizations requirements apply to payment and electronic money institutions, forcing companies like Paypal or Venmo to locate a payment system within Turkey and to comply with Turkish data privacy regulations. Social media providers must register with and report every six months to Turkish authorities about Turkish social media users. In August 2021, the Turkish Data Protection Authority (KVKK) proposed to amend Turkish law to permit cross-border data transfers if it issues an adequacy decision about another country. But unlike GDPR, the amendment would require the foreign country to be reciprocal in its data privacy laws, a unique approach that extends beyond adequacy. If adopted, the KVKK approach would encourage multinational companies to use Turkish-based servers and a Turkish subsidiary to have broad access to the Turkish market but would allow flexibility through binding corporate rules and notifying the Turkish authorities of a standard undertaking. Tune in to Episode 78 to learn how and why Turkey may be aligning with evolving European standards instead of more authoritarian and protectionist rules evident in China, Russia, and India. If you have ideas for more interviews or stories, please email [email protected].

The Data Privacy Detectives turns his data localization spotlight on the island nation of Singapore. With a per capita income of 64% higher than the United Kingdom’s and a free-market economy that depends on global trade and commerce, Singapore takes a very different approach from China, Russia, India, and other countries that strive to localize their residents’ personal information. Singapore’s Personal Data Protection Act (2012) provides a comprehensive set of rules protecting the personal information of its residents. Like GDPR in scope, it differs in its flexible approach to balancing privacy and national security protections. In 2020 Singapore’s Monetary Authority and the U.S. Treasury issued a joint statement opposing data localization requirements, calling them a risk to cybersecurity and economic growth. They called instead for data mobility in financial services as a spur to innovative services and economic growth and as a more effective approach to risk management and cross-border compliance. Singapore's broad privacy protection rules allow flexibility for businesses to comply, a model that U.S. regulators may wish to study as alternatives to data fencing or rigid regulation. In February 2021 Singapore’s Privacy Data Protection Commission published a guide of model clauses for processors to follow, regardless of where they are based and not requiring that a Singapore server be the data custodian. The island’s embrace of regional multinational compacts (Asia Pacific Cooperation Cross-Border Privacy Rules and Asia Pacific Economic Cooperation Privacy Recognition for Processors) offers a regional model different from China’s data nationalism. If you have ideas for more interviews or stories, please email [email protected].

Our prior podcast episodes detailed how China, Russia, and to a lesser extent India have created barriers to the free flow of personal information across borders. Data localization, sometimes called data nationalization, is the practice of governments to restrict or regulate closely how personal information of their citizens can be collected or shared outside a country. This podcast episode looks at how Australia, a free-market country, is handling personal data transfers. Australia has no broad data localization requirements. But it restricts the export of medical information about its residents. Electronic health records with personally identifiable information cannot be transferred or processed outside Australia. Australia’s Privacy Act, an early national data privacy law (1988), is comprehensive and different from GDPR. Collecting personal information is possible only if “reasonably necessary,” so does not require express consent. But Australia is protective of its citizens’ privacy interests. A 2021 order of Australia’s regulator against Clearview ordered it to cease collection of facial biometrics and destroy existing images of Australian citizens. Clearview argued with no success that the images were publicly available (and so did not constitute personally protected data) and that Clearview is a U.S. company with no establishment in Australia. If a free-market oriented country like Australia engages in data localization and the extraterritorial reach of its laws, what does this mean for the internet, global data business, and the privacy of people? Tune into this discussion in our fourth episode about data localization. If you have ideas for more interviews or stories, please email [email protected].

We turn to Russia in our data localization series. Russia’s 2015 personal data protection law requires “data operators” to collect and keep information about Russian residents within Russia. It forces them to keep personal data about its citizens on a Russian located server, which must at all times keep at least as much data as is kept on a company’s servers outside Russia. This law resulted in LinkedIn’s being blocked from the Russian internet in 2016 for failing to do this. In 2019 Russia expanded the authority of its regulator, Roskomnadzor, to levy fines instead of being limited to blocking for violations. While the fines are modest in amount, this lets regulators allow popular sites into Russia while insisting on data localization Russian style. In July 2021, Russia began requiring giant social media companies to establish a Russian presence to connect with Russian citizens. It’s believed that more than 600 foreign companies have registered with Russian authorities to participate in the Russian market and comply with Russian data laws. These include giants such as Microsoft, Apple, and Samsung. If they fail to comply with Russian law regarding the data of Russian citizens, they can face advertising bans or blocking of access. Russia’s approach lies between the stricter regimen of China and the globally open approach of the United States. Russia’s Government would argue that its laws are there to protect Russian citizens from data abuse by foreign companies. But tech protectionism and Russian sovereignty over its citizens’ internet use are also at work. Podcast Episode 75 asks what Russia’s data localization means for the original internet dream of communications and commerce across borders. Tune in for the conversation. If you have ideas for more interviews or stories, please email [email protected].

In this second podcast episode about data localization, we spotlight India. Since 1993 the world’s largest democracy has enacted data localization laws aiming to keep certain personal records within India or otherwise restrict data transfers of Indians’ personal data. When in 2017 the Indian Supreme Court found personal privacy to be a fundamental constitutional right, a Personal Data Protection Bill (PDPB) was promptly drafted. It has since been percolating towards adoption. The draft bill defines certain personal data as “critical” and so must be stored only within India. Other data is called “sensitive,” and may be processed outside of India with a copy kept within India. A third category of “regular” data could be transferred abroad, pursuant to data transfer rules. Unlike China, reviewed in the last podcast episode (episode 73,) India has a robust tech industry heavily involved in processing foreign data. India processes more personal data than any other country, so that parochial data laws would stand in stark contrast to this essential industry of India. Yet, Amazon, Facebook, Google and other global businesses dominate the Indian home markets, unlike their absence from China. Protectionist forces within India are calling for strict data controls, purportedly to protect the privacy of Indian residents while also favoring the interests of local tech and other firms. Indian businesses such as Reliance talk of “data colonization,” the idea that foreign companies control too much of the data of Indian residents and are plundering the wealth of India as measured by the data of its 1.3 billion people. Indian sources expect the PDPB to be enacted in the winter session of 2021-22. The enacted version will reveal whether India adopts a protectionist approach to data or embraces a more global approach to how personal data is collected and processed. This in turn will affect how other nations will respond. The outcome will affect how data privacy is enhanced or diminished as the rules governing data evolve country by country. If you have ideas for more interviews or stories, please email [email protected].

The internet and the worldwide web – the words envision a global communications system that transcends national borders. But the reality differs. Is it increasingly the splinternet? Is www really a series of webs that don’t connect globally? And how is our privacy affected by data fences and controls erected by nations? In this first of a series, we explore how China deals with personal information of its residents. China collects a vast array of personal information about its people – financial, judicial, commercial, societal, and governmental. These are the five pillars of China’s Social Credit System, which aims to reward loyal and trustworthy citizens and penalize others, based on information collected about Chinese residents. Individuals are white-listed or black-listed to be rewarded or penalized, based on personal data collected, analyzed, and applied by the Government to encourage a socially proper citizenry. China has an extensive and evolving set of laws, including recent changes to its Data Security Law, Cybersecurity Law, and the forthcoming Personal Information Protection Law, which aim to keep within China’s borders “personal information” and “important data.” This allows China to prevent transfers of these two types of data to other countries. But the definitions of “personal” and “important” data are left to a vast array of sectoral ministries and regulators and to other national, regional, and local organizations, which may issue categories or lists to define and apply these broad terms. By contrast, China is free to import personal information of non-Chinese residents. Take TikTok, for example. Over twenty million U.S. persons use TikTok, owned by a Chinese company. It is not clear whether the personal information TikTok collects is made available to the Chinese Government, pursuant to PRC laws and procedures. If Chinese companies and Government can collect personal information about U.S. citizens but U.S. companies and Government cannot collect and utilize personal information about Chinese citizens, this creates an imbalance of trade and business opportunities. Is this a path to a data trade war? And if our personal information can be shared beyond our country’s borders, will this change what data we post and share within our borders? This podcast explores how China affects personal privacy and the future of the internet. If you have ideas for more interviews or stories, please email [email protected].

Home is our private place. But in the digital age, how private are our homes? And what can we do to protect our privacy from home invaders? 66% of us rate our highest privacy concern as being viewed through cameras in our own homes, according to a safehome.org June 2021 survey. Explore in this podcast how home devices are watching, listening, collecting, and sharing our personal data and steps we can take to limit unwanted intrusions. Terry Rankhorn, a 22-year FBI veteran and founder of Rankhorn & Associates, conducts home and business sweeps to protect clients’ personal data and safety. Computers, televisions, smart thermostats, Alexa and Siri, even dog bowls collect and broadcast our personal data in unimagined ways, jeopardizing our privacy and security. Mr. Rankhorn explains the first step to increase home privacy is to know what devices we have and which ones collect and broadcast our data. We can delete devices we don’t need or want and use privacy setting choices and common-sense steps to limit sharing. We can adjust our smart thermostats when away for an extended time, to prevent hackers from knowing from thermostat data when our homes are vacant and so are ripe burglary targets. We can protect our personal data from devices we literally live with. This podcast episode offers practical advice about how to do that. If you have ideas for more interviews or stories, please email [email protected].

Kentucky is perhaps the first state to adopt a comprehensive anti-doxing statute that creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member. In this podcast episode, Justin Fowles, an attorney in Frost Brown Todd LLC's Louisville, Kentucky office, shares key insights on what the new law contains and could mean for individuals' and businesses' online behavior. What is doxxing – or is it doxing? This word entered the Merriam-Webster Dictionary in the 21st century. It defines “dox” as a verb – “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.” Today it connotes cyberbullying or troll harassment by posting personal information about a targeted person or organization, urging others to take action intended to shame or expose the target. Doxxing has had tragic ends. Doxed individuals have had surprise visits by SWAT teams breaking down doors to targets’ homes based on the doxer’s false message that a kidnapping or domestic violence was occurring there. Death and more commonly emotional stress arise from doxing attacks. A federal anti-stalking statute includes the language “interactive computer service or electronic communication service” within it. If a person uses such services with intent to kill, harass or otherwise target persons in specific ways that puts them in reasonable fear, causes substantial emotional distress, or otherwise causes them to suffer specified harm, a doxer can be criminally prosecuted. But federal prosecutions are rare, and no U.S. statute was designed specifically to combat doxing. Enter the states. Kentucky's anti-doxing statute creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. Effective June 29, 2021, the Kentucky statute was passed by a Republic legislature with Democratic support and signed by a Democratic governor. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member. The spread of PII must be such that a reasonable person would be in fear of physical injury to the targeted person or an immediate family or household member. Intent is measured by what would cause a reasonable person to be in fear of physical injury personally or to a family or household member, rather than requiring express proof of the doxer’s actual intent. Organizations should consider how best to avoid being either a doxing victim or a doxing perpetrator. Organizations could face civil and criminal challenges under Kentucky’s statute as to their use of personal information if communicated within the scope of the statute’s reach. Businesses and other organizations should review the personal information they hold and how it is shared or communicated, to avoid being charged with a doxing tort or prosecution. Organizations can likewise review defenses to being doxxed. The anti-doxing statute could suggest responses and provide recourse to unfair personal attacks on company personnel. If you have ideas for more interviews or stories, please email [email protected].

Mike Potter’s cat bounced on his keyboard years ago. His hard drive cratered, and he lost his data. But he turned this disaster from feline treachery into a career and a company. Backing up data is an essential part of data privacy and retention for businesses as well as for people. Why is this, how does it work, and what’s the impact on how we keep and protect our data? Mike Potter is CEO of Rewind, an Ottawa, Canada based company that backs up, restores, and copies to its cloud critical information businesses store in their SaaS (Software as a Service) applications. Apps sit atop a user’s platform. Not unlike cats, they can cause problems. Ransomware attacks, employee mistakes, and many other forces can cause a business to lose essential data even when the platform itself is running well. Having a readily available backup copy can allow a business to continue its customer connections, its bookkeeping, and other essential functions without material disruption. That’s the business of Rewind. Many Rewind customers are retail and other small to midsized businesses that use Shopify, QuickBooks, and other platforms for customer interface and keeping other essential data. While major platforms have good cybersecurity protection, none is immune from a hack attack. But beyond that, a business using a SaaS platform may not realize that its own account remains vulnerable to data loss. When a data loss occurs, the affected business must decide whether this constitutes a data breach, and if so, whether data breach regulations require immediate and usually expensive remedies. A backup copy can help determine the cause of a data loss, whether from bad actors or accident. It’s a starting point to discern what went wrong and how a repeat can be avoided. It may lessen the impact of a ransomware attack if the data held hostage is available to the business anyway without paying a ransom to recoup the data. When engaging a backup copy provider, a business should consider whether the provider has ample privacy protection for its business. A shaky backup vendor would represent a second vector for hack attacks. A business should vet companies that provide such services. Effective ones will offer services that include keeping data on servers within jurisdictions that have data localization requirements, having funds to afford first-rate cybersecurity protections, offering a 24/7 hotline, and providing excellent customer support. Tips from Mike Potter to businesses on how to keep essential data private and secure when using SaaS platforms: 1. Make sure to use a password manager. 2. Use two-factor authentication. 3. Vet third-party apps before installing them about their strength and capabilities. 4. When you add teammates, make sure they receive the minimum level of permission needed. 5. Have a backup available. If you have ideas for more interviews or stories, please email [email protected].

Ransomware. It’s in the headlines. It’s digital organized crime across borders. When an organization’s IT system freezes with its data locked by a ransomware gang, what happens? Ransom is demanded, and ransom often gets paid. But how does this work? In this podcast episode, Bill Repasky, attorney with Frost Brown Todd LLC, shares key insights on the process of negotiating with ransomware criminals. They want payment in cryptocurrency. Victims want their data and systems restored. This becomes a business transaction. But not a typical one. Ransomware strikes in 2021 involve highly sophisticated criminal syndicates. To them it’s about the money. When they strike a target and freeze the organization’s ability to operate an IT system, they reveal their digital identity and dictate how to send a ransom payment. The target may be willing to pay – but should do so only after negotiations to ensure that the payment will accomplish two essential objectives – (1) providing a decryption key to unlock the encrypted data and restore the IT system’s operation; and (2) ensuring that the data has not been taken (exfiltrated) by the criminals, or if it has, to have it returned with no copies kept by the criminals. The victim organization should check before making payment to be certain it does not violate U.S. sanctions laws by paying a group or person listed on the OFAC list. See Specially Designated Nationals And Blocked Persons List (SDN) Human Readable Lists | U.S. Department of the Treasury. Successful conclusion of a ransomware attack requires expertise, patience, and insight. Learn how it’s done, pitfalls to avoid, lessons from past victims. If you have ideas for more interviews or stories, please email [email protected].

Ransomware attacks, data breaches, digital theft – on the rise. Who are the cyber-criminals? Can they be traced? And what can a company do to minimize risk and respond to an incident? Joining us for a tour of the dark side of the digital age is Bill Corbitt, Vice President of Digital Forensics and Incident Response at Intersec Worldwide. www.intersecworldwide.com, a US-based team of former federal cybersecurity experts who have worked on some of the world’s largest security breaches. The firm was named a 2021 top Digital Forensics & Incident Response firm by Enterprise Security Magazine. Bill’s team has addressed serious incidents for many Fortune 100 companies. In this podcast episode he shares insights into dealing with ransomware attacks, data theft, and the aftermath. Ransomware attacks are conducted by sophisticated criminal enterprises, usually operating from data havens where government seldom prosecutes them for attacks abroad. They probe for vulnerabilities and find attack vectors into a company’s IT system, freeze digital operations, then post a ransom demand before releasing their grip that can paralyze the victim’s business. Modern digital forensic techniques can generally identify the attackers. The quicker an attacked business engages a forensic expert, the more likely it is that the perpetrator can be identified. Ransomware attackers increasingly have two waves of ransom demand – the first to unlock the system, the second to promise not to release exfiltrated data to the world. Every ransomware attack should be viewed as a data breach, though it is possible for a forensics expert to determine if data has been taken rather than only temporarily encrypted. Cybercrime, like all crime, will not disappear. If there is money to be made, criminals will seek it. Minimizing risk is essential. Businesses should constantly upgrade their entire IT systems, eliminating weak points and discarding outdated elements. Those with access to company computers and systems need training and discipline to view company property and data with care. If you have ideas for more interviews or stories, please email [email protected].

Europe finds UK data privacy system adequate, for now. On June 28, 2021, the Europe Union granted two adequacy decisions to the United Kingdom for personal privacy purposes. 1. Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation 2. Decision on the adequate protection of personal data by the United Kingdom - Law Enforcement Directive This assures, for now, that data flows between the EU and UK can continue without restrictions. But for the first time, the EU’s decisions were not permanent and will last only four years. What’s going on? Because of Brexit, the UK and the EU reached a transition agreement at the end of 2020. This included six months for the UK and EU to reach an agreement about data privacy flows. The deadline approached, and the EU decision was made just in time (the UK had already issued its own adequacy decision regarding data going to the EU). Had it not been made, one estimate was that UK businesses would face immediate compliance costs of about 1.6 billion pounds, aside from other costs. So, UK businesses can rest easy – for a time. According to Kim Walker, a leading UK privacy attorney at the firm of Shakespeare Martineau (Kim Walker | Shakespeare Martineau (shma.co.uk), 11% of global data flows through the UK, and 70% of UK data flows through the EU. Why the last-minute timing and why the unusual temporary grant of an adequacy decision? The answer lies in the same surveillance issues that restrict data flows between the EU and the United States. Without a comprehensive and protective federal personal data privacy law, the United States is unlikely to receive an adequacy decision from the EU indefinitely. The EU is particularly skeptical of mass surveillance by U.S. authorities. The British mass surveillance system is not that different from the American approach to how and when public authorities can access private personal information. The EU is concerned that by granting adequacy to the UK, this could create a back door for the UK to grant unrestricted data flow to the United States, thus undermining Europe’s basic GDPR approach to restricting data flows that may disrupt the protections of personal privacy at the heart of GDPR. If you have ideas for more interviews or stories, please email [email protected].

This is a true story of a phone scam of May 2021. The Data Privacy Detective got a call on the home landline. This scam will succeed in stealing money from countless Americans. It’s targeted particularly at older people who dearly love their television, especially during pandemic times. You can see the tricks and traps in this scam. Of course, the best defense is not to answer such calls at all, but then how can one know that a local number is not an old friend or acquaintance calling for a good reason. If you get a call like this, write down the details. Share them with the fraud hotline of the company being impersonated. Notify the FBI and the Federal Trade Commission if you have the time. This builds a file on these entities. Though it’s unlikely that law enforcement will be able to shut down the criminal syndicates and others active in this fund-raising activity, it will build the awareness that our privacy is attacked through such intrusions. Without greater regulation and defense against such increasing scams, there’s a risk that our communications systems become so riddled with such problems, that we’ll all retreat into a hole to avoid them. One definition of privacy is the right to be left alone. Anyone with a phone will find that hard to achieve. You can, however, work with your phone service provider to block calls in various ways. Check with your provider what restrictions you can put into place to limit calls from James Michael and Ralph Smith. Remember – protecting your personal privacy begins with you. If you have ideas for more interviews or stories, please email [email protected].

This podcast episode explores ransomware from preventive, legal, and communications angles. While there’s no 100% effective vaccination against a ransomware attack, there are steps enterprises and each of us can take to beware, prepare, and take care. Ransomware. It’s the modern equivalent of kidnapping – except people aren’t grabbed and held hostage. Instead, an enterprise has its computer and information system locked by a criminal. Data gets encrypted and unusable until and unless the organization pays a ransom to the thief, who is known only by a digital address and often demands untraceable payment in cryptocurrency. Ransomware is a type of malware – software installed in a system by an outside party for bad purposes. Unlike malware focused on stealing data, ransomware aims to extract a ransom payment in exchange for decrypting and restoring the victim’s data. From a criminal’s perspective, ransomware is a simpler, less expensive way to get money than malware that aims to export (or exfiltrate) and resell data. It can be an “in and out” operation, not requiring search, download, categorization, and reselling of purloined data. Despite this, because data has great value, Blackfog estimates that 70% of ransomware attacks include data exfiltration, so that the attacks not only temporarily freeze data usage but result in a release of personal and business data to third parties as secondary damage. Ransomware theft is rising. Security sector experts report a 7-times increase in ransomware attacks between 2019 and 2020, with the average ransom demand increasing more than 3 times the prior year’s figure. Blackfog predicts cybersecurity theft will approach $6 trillion for 2021. CrowdStrike’s comprehensive summary of 2020 and early 2021 reports a four-fold increase in interactive intrusions in the past two years, with 149 criminal syndicate followed as tracked actors on its list of named adversaries. Ransomware is organized crime on a massive and global scale. For units of government, businesses, and non-profits (like universities and hospitals), ransomware can strike like a rogue wave at sea. But it’s often an attack more like a time bomb, lying in wait until the criminal gang is ready to demand its ransom at a time of its choosing. And when this happens, it can immobilize the organization’s ability to operate. Immediate action is required. How do we get our data back? Do we pay the ransom? If we do, will we get the data back? Even then, how do we know it’s safe? How can we prevent this from happening again? If it does, how do we deal with the immediate issues, recoup the data, and ensure it’s clean and usable? If you have ideas for more interviews or stories, please email [email protected].

Janus was the Roman god of doors, gates, and transitions. He needed two faces to look in both directions - life and death, past and future. Internet browsers allow us to access and gaze across the internet, but at the same time, they are watching us, recording what we do while browsing. True, browsers do not charge us for their services – browsing is free. But as it is said, when a product is free, we become the product – or more specifically, our data becomes the product. In this podcast episode Jeff Bermant, the founder and CEO of the browser Cocoon, joins us to explore how browsers and privacy intersect. Cocoon was founded for the purpose of providing a more privacy-secure experience than any other browser by creating a cocoon around the browsing individual. We discuss how users have data privacy choices – which browsers to consider, how to adjust privacy settings, and what add-ons are available for browsing. When it comes to data privacy, protecting your personal data begins with you. If you have ideas for more interviews or stories, please email [email protected].

Facial recognition. It’s a hot topic. Targeting, misidentification, and doxing - the dangers are real. So are the benefits – finding criminals and solving crimes, searching for relatives and old friends, researching history, conducting social research, sharing with friends over a lifetime. Kashmir Hill’s penetrating cover article in the March 21, 2021 New York Times Magazine, “Your Face is Not Your Own,” details how our photos are scraped and used by companies far beyond what we imagine. Our images are available from public sources such as driver’s licenses. Many arise from our choice– through Facebook and Instagram postings, directories, newspaper and other media sources. As the TV series Cheers’ theme song sang, “Sometimes you want to go where everybody knows your name.” But now it’s not just the neighborhood pub. It’s the internet, where everybody knows your name, and everybody can find your face. What to do? That’s where scrubbing comes in. Scrubbing is the effort to erase, stop, or minimize the spread of a digital posting. Scrubbing is a challenge. It can be expensive. Certain scrubbing services charge annual fees of $100 a year or more per person. In this episode we discuss what options are available to you, what governments are experimenting with to find a balanced solution, and if there is any hope to truly erase your face from digital history. If you have ideas for more interviews or stories, please email [email protected].

On February 16, 2021 TikTok was sued in Europe for abusing consumer rights. Millions of Europeans use TikTok to post, share and watch videos 3 to 60 seconds long, ranging from dogs in pink tutus to Shaq dancing. The European Consumer Organization BEUC is an authorized entity in the EU to file complaints against businesses. Its press release, BEUC files complaint against TikTok for multiple EU consumer law breaches | www.beuc.eu, claims that TikTok engages in a “massive scale” of consumer abuse, including unfair and deceptive practices, terms of use that hurt consumers, failure to protect minors from harmful content and embedded advertising, and misleading use of personal data. By contrast, the U.S. President on August 14, 2020 issued an executive order to kick TikTok out of operation in the States unless it sold its American operations to a U.S. buyer. The Executive Order was based on TikTok’s Chinese ownership, which the prior U.S. Administration claimed was a threat to U.S. national security because the owner ByteDance was accessing personal data of U.S. persons that could be provided to PRC authorities. EO-on-TikTok-8-14-20.pdf (treasury.gov) TikTok successfully sued in several courts to block immediate enforcement of the Executive Order, a matter on appeal in the federal courts. On February 10, 2021, the Wall Street Journal reported that the Biden Administration decided that it would review the matter but was unlikely to pursue a forced sale to American companies. TikTok Sale to Oracle, Walmart Is Shelved as Biden Reviews Security - WSJ. What’s the future of TikTok as a Chinese-owned business that allows people to post, share and watch videos globally? And what does it mean for the world where business and human connections flow across borders? The Data Privacy Detective explores these puzzles in this podcast. If you have ideas for more interviews or stories, please email [email protected].

Data theft set new records in 2020. The major causes are not failures of equipment, software, or services. In an estimated 85% of cybercrime, the cause is us. We make careless mistakes as though we were inviting villains into our homes. We let thieves into our IT systems by accident. We get phished. You get a message on your computer. It may seem to be from a friend, a trusted source, a reliable company, even your boss. It might seek an urgent response about something. How do you avoid dealing with the emailed message without letting a villain into your computer, and so into your personal or business’ IT systems? How do you prevent making a mistake that gives a cybercriminal the chance to freeze and hold your personal or your company’s IT system for ransom or to hack personal and proprietary information? Here are seven top tips to avoid being the reason you or your business is the victim of data theft. Check emailed messages for seven red flags before acting: 1. Bad spelling 2. Bad grammar 3. Nonsense in the subject line 4. Incorrect domain name in images and links (hover over a link without clicking to reveal this) 5. Pressure tactics to scare you into acting fast 6. Unexpected message 7. Unexpected attachments or links in the message

As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured? Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets. www.usi.com / [email protected] . Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use. Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk. Cyber insurance pricing is competitive. It depends on a company’s responses to questionnaires that can be 20 pages in length and interviews with CIO’s and others. Underwriters assess the strength and scope of an applicant’s cyber protection program before quoting a premium. A solid cyber policy will generally cover direct costs resulting from a data breach or incident. These include attorney fees and other costs of defense, resolution of private and public claims, expenses to recover purloined data, business interruption (subject to defined caps and other details), and similar out-of-pocket losses suffered from a cyber-attack. Policies generally cover global losses, including direct losses suffered in the European Union under GDPR. Coverage typically does not extend to more indirect losses, such as damage to reputation, costs to improve a system after an attack, or potential future lost profits as distinguished from business interruption loss. The more indirect or difficult to measure a loss is, the less likely it will be insured. Deductibles, caps and other limits, and unusual types of risks should be carefully reviewed before finalizing an insurance purchase. Top tips for businesses considering cyber insurance: -Have a top-to-bottom training program to help every individual avoid phishing and other incidents that lead to data breaches, ransomware attacks and other losses. -Have a data response plan in place before it’s needed, ready to activate immediately when required. -Think holistically. Preventing data attacks is not just a hardware problem. Review regularly measures to upgrade data protection, protect personal and proprietary data, and limit losses from data risks.

Taiwan is one of the “Four Asian Tiger” economies. Its companies hold 66% of the world’s semiconductor market. It consistently tops the USPTO per-capita list of patent files, and its population of about 25 million enjoys what is considered the world’s fastest internet connection. It is becoming a major player in data. Considered part of China by the PRC which refers to it as the “Taiwan Authority,” Taiwan declares itself to be the Republic of China. Despite geopolitical issues, robust business flows between the two. Taiwan is a leading investor in the PRC. Commerce between the two seems unimpeded by political differences. With rising tensions between the U.S. and PRC, alongside changes in Hong Kong that threaten the “one country two systems” approach, how should global business consider Taiwan? Is it a bridge for east-west data-related commerce? John Eastwood leads of the Taiwan firm Eiger Law’s Greater China Practice. John EASTWOOD - Eiger. In this podcast John explains how Taiwan is becoming a major Asian data, financial and regional headquarter center for North American and European businesses, growing to rival Singapore and Hong Kong. Personal privacy protection is highly valued and regulated by Taiwan law that differs significantly from the PRC’s data localization regimen. Taiwan generally blocks flows of personal information from Taiwan to the PRC, and so can be viewed as a safe haven for western businesses that collect and process personal and company data in Asia. Unlike the PRC, Taiwan does not require data to be shared at will with government authorities. Taiwan’s Personal Data Protection Act (PDPA) adopts entirely neither the U.S. nor the GDPR model, though it embraces most of the key principles of the GDPR. Taiwan’s Personal Data Protection Rules - Taiwan Business TOPICS (amcham.com.tw). More flexible and consent-based than the EU’s regulation but comprehensive unlike the U.S. sectoral approach, Taiwan in recent years has broadened the protection of personal data while aiming to be attractive to multinational business seeking an east Asian data hub. Taiwan is pursuing an “adequacy decision” with the EU while addressing numerous concepts differently from the GDPR’s provisions. If you have ideas for more interviews or stories, please email [email protected].

Data privacy is about balancing individual concerns and community needs. Without assurance that private information will be responsibly shared and used, people may not share accurate information or be willing to provide data at all. But to get student aid, applications must reveal sensitive family financial information. To gauge student success, performance details must be documented and shared with others. Sociological research requires that a database be accurate and credible. How can a community design its IT system to reassure individuals about privacy but obtain and share data responsibly and create data platforms and visualizations to meet collective needs and aspirations? This challenge is common to any community, whether it’s a city, a business, a university or other type of collective. In this podcast Lee Norris, Vice Provost for Enterprise Data Architecture of the University of North Carolina Greensboro, discusses how a community that gathers data of 25,000 people at its core and about 100,000 data subjects overall, designs and operates its data system. Through a combination of communication and technology, its data architecture stems from privacy by design. This approach advances essential ethical, research, institutional and other objectives, beyond compliance with federal and other laws that regulate particular types of data, such as student information (FERPA) and medical information (HIPAA). UNCG’s design starts with an understanding of individuals’ concerns and circumstances. By communicating clearly to data subjects (people) what data is needed, what data need not be shared, and what and how data will be handled and safeguarded within UNCG, the data system is created to encourage appropriate but limited data sharing. This is data minimization and privacy by design thinking. By building a culture of trust, UNCG has not found that its constituents are reluctant to share needed information. This in turn increases the accuracy and reliability of databases that UNCG staff create from data pools for a variety of purposes, ranging from assessing individual and collective student success to compiling research databases. If you have ideas for more interviews or stories, please email [email protected].

We all value privacy – at least to some extent. But some of us want to be famous, and all of us want to connect with friends and acquaintances. We like the convenience from technology that requires our personal information to operate. So we share our personal details in many ways, and our data flows like water down a stream into lakes and oceans, some of which we’d prefer to avoid. And our information becomes a piece of society’s knowledge base. Databases like the U.S. Census have essential purposes, but they’re only reliable and complete if we are comfortable sharing our data. How to respect individual privacy and achieve reliable databases? That’s a challenge! In this podcast episode Alex Watson, co-founder and CEO of Gretel.ai, explains two essential phrases to understand how this can be done. Alex founded a security startup called Harvest.ai, which was acquired by Amazon Web Services in 2016, when he became AWS General Manager and it launched its first customer-facing security offering. Gretel.ai is an early-stage startup that offers tools to help developers safely share and collaborate with sensitive data in real-time. Alex explains that privacy is a problem rooted in code, not in compliance. By auto-anonymization, the personal data of an individual is separated from the underlying data so that the database where the information is needed comes to it without identifying the individual. The essential information is shared without allowing someone to know which individual’s information it is. While nothing is hack-proof, auto-anonymization eliminates the link between an individual and data about that individual as it moves to another user. Personal privacy is preserved in the transmission and further use. The other key phrase to understand is differentially private synthetic data. Data Privacy Detective Podcast 55 offers an introduction to the topic. This phrase means that information within a database has been changed to eliminate the ability to trace back the data to a particular individual. The information is private and individual to a person, but as pieces of data are shared for a purpose, they are not traceable to a specific person. The database user only needs the provided information, not the identity of individuals who contributed each piece. There is great public benefit in encouraging people to share sensitive data – e.g., public health databases, sociological research, Census Bureau studies. But people will share their private data only if they are comfortable knowing it will not be misused. Database users should ensure that they do not acquire personal data that identifies individuals without the need to have that information. Auto-anonymization and differentially private synthetic data – two phrases one should know. Their proper usage can achieve privacy by design. This will be an important contribution to creating reliable databases humankind needs to advance public health and other social good. If you have ideas for more interviews or stories, please email [email protected].

Ransomware - a sinister type of cyberattack that installs malware onto a computer system. Once inside a network, the malware encrypts documents, freezing the IT systems of entities and individuals until they pay ransom to regain access to their data. Recent average cost paid to a ransomware syndicate? $333,000, according to Greg Edwards, founder and CEO of CryptoStopper, a leading anti-ransom software provider. www.getcryptostopper.com. Ransomware surfaced in the late 1980’s, when AIDS Trojan was injected through floppy disks. Victims were asked to pay a “license fee” of $189 to a post office box to restore access to their data. Ransomware became ever-more sophisticated. Thanks to Bitcoin and other cryptocurrencies that emerged around 2012, thieves could hide their identity, and attacks mushroomed. Most start through a careless employee who gets phished and permits the villain to enter the enterprise’s system. Malware is unleashed to encrypt data, including on back-up copies held within the enterprise. Ransomware attacks in 2020 show a continuing growth in number and cost. Fileless ransomware appeared, far more likely to succeed than file-based attacks. Smart ransomware disguises itself as though it were Halloween, but it’s all trick and no treat. Major 2020 targets are healthcare systems, which cannot risk their patients’ health and are pressured to pay substantial ransom to release a freeze of critical data. Cybercriminals now offer Ransomware-as-a-Service, available as kits sold on the dark web that include everything needed to get into the business of kidnapping data. Greg Edwards’ company CryptoStopper uses detection technology to trick the ransomware code to fix on it as bait, blocking the infection before it spreads. Watcher files defend against attacks. Most clients are B2B, but the company offers a free of charge download to individuals. When ransomware criminals focused only on encrypting and decrypting data once they were paid, the privacy of data was relatively untouched. This has changed. Now ransomware attackers profit not only from ransom payments but also engage in exfiltration. They acquire and package data for sale on the dark web. Exfiltration releases company and personal data to use by criminals who purchase it for sinister purposes. Can law enforcement come to the rescue? Occasionally, but most attackers are from areas beyond the reach of Interpol and extradition treaties. How can enterprises defend and avoid having data breached and resold? Anti-ransomware products are available. Top tips from Greg Edwards to deal with the risk of ransomware beyond an add-on like his company’s offering: 1. Patch management – update all software and operating system of all devices on a network. 2. Keep anti-virus software up to date. 3. Keep back-ups in off-site locations. If you have ideas for more interviews or stories, please email [email protected].

Science and knowledge advance through information gathered, organized, and analyzed. It is only through databases about people that social scientists, public health experts and academics can study matters important to us all. As never before, vast pools of personal data exist in data lakes controlled by Facebook, Google, Amazon, Acxiom, and other companies. Our personal data becomes information held by others. To what extent can we trust those who hold our personal information not to misuse it or share it in a way that we don’t want it shared? And what will lead us to trust our information to be shared for database purposes that could improve the lives of this and future generations, and not for undesirable and harmful purposes? Dr. Cody Buntain, Assistant Professor at the New Jersey Institute of Technology’s College of Computing and an affiliate of New York University’s Center for Social Media and Politics discusses in this podcast how privacy and academic research intersect. Facebook, Google, and other holders of vast stores of personal information face daunting privacy challenges. They must guard against unintended consequences of sharing data. They will not generally share with and will not sell to academic researchers access to databases. However, they will consider and approve collaborative agreements with researchers that result in providing academics access to information for study purposes. This access can aim to limit access to identifying individuals through various techniques, including encryption, anonymization, pseudonymization, and “noise” (efforts to block users from being able to identify individuals who contributed to a database). “Differential privacy” is an approach to the issues of assuring privacy protection and database access for legitimate purposes. It is described by Wikipedia as “a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset.” The concept is based on the point that it is the group’s information that is being measured and analyzed, and any one individual’s particular circumstances are irrelevant to the study. By eliminating the need for access to each individual’s identity, the provider of data through differential privacy seeks to assure data contributors that their privacy is respected, while providing to the researcher a statistically valid sample of a population. Differentially private databases and algorithms are designed to resist attacks aimed at tracing data back to individuals. While not foolproof, these efforts aim to reassure those who contribute their personal information to such sources that their private information will only be used for legitimate study purposes and not to identify them personally and thus risk exposure of information the individuals prefer to keep private. “Data donation” is an alternative. This provides a way for individuals to provide their own data to researchers for analysis. Some success has been achieved by paying persons to provide their data or allowing an entity gathering data for research to collect what it obtains by agreement with a group of persons. Both solutions have their limits of protection, and each can result in selection bias. Someone active in an illicit or unsavory activity will be reluctant to share information with any third party. We leave “data traces” through our daily activity and use of digital technology. Information about us becomes 0’s and 1’s that are beyond erasure. There can be false positives and negatives. Algorithms can create mismatches, for example a mistaken report from Twitter and Reddit identifying someone as a Russian disinformation agent. If you have ideas for more interviews or stories, please email [email protected].

COVID-19 has changed the world in dramatic ways. Contact tracing emerged as an approach to fight the pandemic’s spread and save lives. The idea is to notify people who have been in close contact with another person who tests positive for the virus. This should allow the contacted individuals to self-quarantine and take measures not to spread the virus before experiencing symptoms or otherwise learning that they are infected. Australia, a country of about 25 million, has an App called CovidSafe, developed and owned by the federal government. By October 1, 2020, it has been downloaded by about 27% of Australians. The government target is 40%. Sign-up is voluntary. To register, a person provides name, mobile number, postcode and age range. The App must be open on a user’s smartphone with Bluetooth enabled. It does not use GPS location technology. Persons in close proximity for at least 15 minutes will be identified as App contacts and eligible for future notices in case one person learns of a positive Covid test – and if the individual consents to notifying others about this. Results are mixed. In this podcast, Kelly Dickson, a principal lawyer of the Australian law firm of Macpherson Kelley(www.mk.com.au), explains the CovidSafe App and discusses how data privacy and healthcare intertwine. How does CovidSafe work? The app recognizes other registered users’ devices and uploads data to cloud-based central storage controlled by the federal government. Notices go to persons who had close contact when another person posts a positive test. The data is shared with others for 21 days from each contact on a rolling basis, though the Health Ministry may keep the data longer for public health purposes. Encryption and cybersecurity aim to protect the sensitive data and to convince Australians that their personal data is highly secure and shared only for the purpose of public health. Great idea - but how’s it working? Critics say it’s not working as it was conceived. Limited participation and consent result in an undercount of those infected and so limit the impact of the effort. Having smartphone apps live constantly has resulted in a report of loss of functionality and battery drain. When phones lock, the App does not function as intended. There have been inevitable bugs and fixes for the App, which was rushed into a prompt launch. States and territories have their own tracing methodologies (some in traditional hard copy format), with varying work and other restrictions in force. While workplaces are required to have a CovidSafe plan in place, this requires significant human intervention and is prone to haphazard error. Different states report varying degrees of take-up, support and efficacy. Will sensitive healthcare information be misused? While a targeted federal statute covers the security of App collected and shared data, users control whether positive test information will be shared. If a person tests positive, that person may consent – or not – to share the data – and without consent, the system will not accomplish its purpose of notifying others. There’s a CovidSafe Data Store where information is held in the cloud, leaving the possibility of hackers’ accessing both data in flight to and from the cloud and within the Store. September 2020 polling showed a skeptical public, with 57% concerned about security and only 41% confident the government would protect the privacy of data collected. This is despite strong support from the Prime Minister and a lack of overly divisive public sentiment akin to the USA’s mask/no-mask divide. Some critics are concerned that Amazon holds the data or that it is otherwise retained or accessed outside of Australia. If you have ideas for more interviews or stories, please email [email protected].

Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country. Highlights: • Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD. • Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person. • Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians. • Companies must assess whether consent or legitimate interest is the basis of holding particular personal data and decide a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent as a last resort rather than the first in complying with the law. • A privacy-compliant notice should be posted. • A prevention and emergency plan should be in place for handling breaches. • If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator to discuss ambiguities or obtain advance guidance. • Cross-border transfers take the European approach, with no data localization as required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law. • Data Protection Officers (DPO’s) must be appointed for controllers but not processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPO’s, except for willful misconduct common to any relationship. DPO’s can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO. • Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021. Because of Brazil’s prominent position as the giant of South America, one could expect an Iberian approach to personal data privacy throughout South America. Similar but not identical comprehensive codes exist in Chile, Colombia and many other South American countries. If you have ideas for more interviews or stories, please email [email protected].

Robo-calls, phishing, identity theft, ads we didn’t ask for – and worse. How does this happen? How does our personal data get collected, used and sold, without our knowing approval? Data brokers are a primary answer. They are businesses that collect, use, and sell blocks of personal information to a wide variety of buyers. This is not per se a shady business, though it may seem that way to those of us overwhelmed with constant interference by phone, email, pop-ups, and attacks aiming to disrupt our day or steal our assets or identity. Rob Shavell, CEO and co-founder of Abine, a 10-year-old privacy company, gives us a tour of data brokerage. Our personal data is collected in many ways. Some is virtually public – postal address, registered voter information, other ways in which details about us become publicly available. A lot of information about ourselves we contribute to the world – through social media posts, publicity, items we publish. There’s a tension between our instinct for privacy and the desire to be known, even famous if only for a day or two. Sensitive information is held by financial institutions, healthcare providers and others, who are generally restricted by federal and state law from sharing it with others but are themselves victims of a data breach. Information once disclosed becomes available to data brokers, who organize, package and sell the data to others interested in advertising to customers, monitoring behavior, analyzing groups or otherwise seeking data for their legitimate purposes (and otherwise. If you have ideas for more interviews or stories, please email [email protected].

A July 2020 Indian Government Report calls for regulation of Non-Personal Data. Most data privacy laws aim to protect (or not) personal data of people, This Report raises the question whether the world is about to see an explosion of regulation of non-personal data, which could change the business of data and how information flows within and across national borders. Stephen Mathias, head of the Bangalore/Bengaluru office of Kochhar & Co., one of India’s largest law firms, first updates us on two ongoing data privacy topics and then explains a novel approach to non-personal data being considered by the world’s largest democracy. The Personal Data Protection Bill is advancing toward adoption by the Indian Parliament. Patterned on EU principles, the Bill if adopted in its current form would align India generally with GDPR concepts, though with a data localization approach different from EU rules for data sharing across borders. In August 2020 the Modi Government decreed as an emergency measure a ban of certain Chinese apps, grounded in concerns about how the personal data of Indian residents could be provided by the businesses with Chinese authorities. India joins the U.S. in using data and technology as a geopolitical tool against PRC actions that transcend data concerns. For Indian consumers and businesses that represent a large market for Chinese companies and provide services used by many Indian residents, this has raised a backlash from many using Chinese-sourced apps and concern from businesses about the retaliation. Will trade wars be supplemented by data wars? Stay tuned. If you have ideas for more interviews or stories, please email [email protected].

Cloud computing offers a business the prospect of efficiency and savings by improving data storage capabilities and outsourcing computing resources that a business need not build for itself. But when data moves to the cloud, does this raise new troubles and make legal compliance more difficult? Or can it minimize risk and increase compliance with a dizzying array of global data privacy laws? How do cloud computing and data privacy compliance intersect? Lowell Thompson of Genity, a US-based company, discusses in this podcast how a cloud computing service can address this challenge and opportunity. Using encryption technology, Genity offers what it describes as data security by default that aims to bypass data privacy laws of Europe, California, Canada, and other countries. Major data breaches such as Equifax (2017) revealed weaknesses in internal business systems, in that case exposing sensitive personal information of 147 million people from several countries. As a business focused on data, a cloud provider must be attentive to cybersecurity and differing data privacy rules and so may be able to provide greater security and compliance than many businesses can expect of their own personnel and system. When a business contracts with a cloud computing services provider, it should consider several key issues: consent of data subjects, security, control and supervision, and server location. If a server resides in a jurisdiction that requires data localization or requires sharing data with government authorities, this can complicate a business’ data issues. The contract between a business and cloud services provider merits careful review to determine whether proceeding minimizes or increases the risk of data breach and inadvertent violations of differing state and national data privacy rules. Cloud computing has its benefits. But you don’t want a cloud to turn dark with thunder and lightning. Explore the intersection of cloud computing and data privacy in this podcast. If you have ideas for more interviews or stories, please email [email protected].

On June 30, 2020 China enacted a National Security Law applicable in Hong Kong. The UK and USA governments reacted negatively, stoking fears that this could mean the end of the one-country-two systems concept. Front-page news abounds about the meaning, the reach, and the political implications. But what about business and normal life, about Hong Kong’s role as a global financial and technology center? How does one understand the impact on data privacy? Does this mean a replacement of Hong Kong law or will it be Hong Kong business as usual? In this podcast Pádraig Walsh of Tanner De Witt Solicitors, a leading Hong Kong law firm, guides us. If you have ideas for more interviews or stories, please email [email protected].

Colombia made personal privacy a fundamental right in its 1991 Constitution. A 2008 law protected personal financial information, and in 2012 Colombia adopted Law 1581, a broad code across all sectors, modeled generally on the European/Iberian approach. Angela María Noguera Moreno, of counsel with the Colombian law firm of Vanegas Morales Consultores and an IAPP-certified Information Privacy Professional/Europe, explains in this podcast the Colombian approach to protecting personal data. Colombia requires all businesses to protect personal data. Consent of the data subject, the individual, is the keystone requirement. All controllers and processors of personal data must comply with the requirements of Law 1581 and decrees that function as regulations implementing the code. Responsible parties are both controllers and processors of personal data. Personal data categories include not only sensitive (financial, medical, religious, political) and non-sensitive (business or email address) types of data, but what Colombia calls “semi-private” data, such as information about an individual’s credit history. The data protection authority is the Superintendence of Industry & Commerce, which can levy fines and even close a business for violating data privacy laws. Colombia is now in a transition from formalistic compliance (posting website notices and policies) to a compliant society that protects personal data in practice. Superintendence officials expect compliance beyond simply posting policies. This is an approach under way generally in South America, though some countries like Ecuador and Panama did not adopt a general law until 2019. Listen to this podcast for an overview of how this important South American country aims to protect personal data privacy. If you have ideas for more interviews or stories, please email [email protected].

Cookies in the internet sense are packets of data that a persons’ computer receives when visiting a website. Without a cookie sent by an online retailer, every time one moves to a different page on a site, the visitor would need once again to supply account data and other information – a terrible burden! But cookies also represent a potential threat, as disguised cookies can install viruses or malware on our computers, and supercookies and zombie cookies pose other threats to personal privacy. Because a cookie can represent a third party that is accessing personal information of someone visiting a website, website owners and operators must consider whether the data streams arising from this use and the sharing with cookie senders amount to activity governed by the CCPA (or other states with similar or evolving data protection laws). William Morriss, an attorney with Frost Brown Todd, LLC who advises numerous tech and other companies about software and internet matters and himself a former computer programmer, explains in this podcast the link between cookies and California and discusses what a business can do to determine its cookie status and comply with the CCPA if required to do so. Make it a New Years Resolution for 2020 to get ahead of the cookie compliance curve so that cookies don’t become commercial indigestion!

Medical data are considered particularly sensitive personal information. Laws and regulations in most countries, including the USA and throughout Europe, generally aim to restrict sharing such information with the target of building privacy walls around each person’s data. But making such health data available more broadly is key to improved medical care, research and the advance of health science. Finland is the first country known to have adopted an approach to allow third parties to access health data for the purposes of scientific research, drug and health technology development and knowledge-based management in social and health care. Researchers, service developers and other legitimate data users will be able to collect, combine and process data from Finnish registries smoothly and securely. While most data will be anonymized, for particular applications individual identities can be shared. Those seeking access to such information will apply to a central authority that will screen applications to approve legitimate uses of Finland’s substantial database. It will accept applications for access starting in early 2020. Helsinki attorney Markus Myhrberg, member of Lexia explains how this will work in this podcast with the Data Privacy Detective. Markus heads Lexia’s IPR, data protection and marketing practices. The Finnish Act on the Secondary Use of Health and Social Data was adopted on March 13, 2019 and became effective on May 1, 2019. The text of the Act is available in Finnish, in Swedish and in English. If you have ideas for more interviews or stories, please email [email protected].

California Consumer Privacy Act (CCPA) and the so-called European "right to be forgotten" are hot topics as summer turns to autumn. With the CCPA coming into effect on January 1, 2020 amendments to modify it abound in the legislature. Stay tuned for a final Act! Even so, the driving force behind the Act’s passage, Alistair Mactaggart, is not trusting the legislature. Watch for voters to decide directly what California’s law will be in 2020 at the same time they vote on America’s president. The EU’s "right to be forgotten". Media announced a victory for Google from the European Court of Justice (ECJ), claiming that the "right to be forgotten" under GDPR cannot be enforced outside the European Union and its 28 (soon to be 27?) countries. The ECJ’s September 24 ruling was on Google’s request for a preliminary ruling on appeal from the French Government’s 2014 order that Google delink globally its search engine from sites containing embarrassing or out of date information. The "right to be forgotten" still raises some questions. Where will the lines be drawn? Could governments order a business to remove truthful but embarrassing information about an individual gained from a police report? If the story was published in a book, do those pages need to be torn out of history? Where will the balance between freedom of the press and individual privacy land? This is a task now for courts and a risk for website and media businesses. If you have ideas for more interviews or stories, please email [email protected].

What do Ecuador, San Diego, the FBI and Bayfront HMA Medical Center have in common? They’re all in data privacy news this first week of fall 2019. This podcast episode checks the data privacy temperature around the world this week. If you have ideas for more interviews or stories, please email [email protected].

Sometimes it seems the United States is more a loose federation than a national government. States have a major role in law-making. Data privacy is no exception. A recent law adopted by the State of Maine differs greatly from the California act that will come into force on January 1, 2020. Maine’s law will be effective on July 1, 2020. This podcast hits the highlights of it. Melissa Kern, Co-Chair of Frost Brown Todd LLC’s Privacy and Data Security Team explains that the Maine law applies to broadband internet access services – the folks who bring us access to the internet – not website hosts, not everyone holding personal data – but providers like ATT and Spectrum as well as regional internet access providers. If a provider has even one customer in Maine that is billed for service there, the Maine law applies. There’s no safe harbor threshold. If you have ideas for more interviews or stories, please email [email protected].

Encryption is often thought of as the basic and best cybersecurity approach to protecting data in transit or in flight. As guest Ken Morris, CEO and founder of KnectIQ, argues, it’s not. Encrypting data is an essential practice, but it’s really not the problem or the solution. Instead, any organization must consider its keys. Best practices in cybersecurity in 2019 require new technologies that address the role of and threats to keys. Once a hacker gets access to a key, the data are there to be taken, even without the data controller or processor knowing that the thief has entered the storeroom. As the day of quantum computing approaches, it will become ever more certain that encryption alone is inadequate to protect data in flight. This is becoming known to the authorities. And that is not an idle thought. Article 32 of the EU’s Global Data Protection Regulation, GDPR, forces possessors of personal data to consider the “state of the art” in deploying systems to protect personal data. And the increased sophistication of corporate espionage demands new thinking on how to prevent data break-ins. This podcast is a primer on how to think differently about cybersecurity and how the best practices of yesterday are no longer those of today. If you have ideas for more interviews or stories, please email [email protected].

One country, two systems – that’s the 50-year agreement that led to Hong Kong’s becoming part of China in 1997. This remains an evolution in progress. Hong Kong retains many of its systems independent of the PRC and yet is part of China. What does this mean for data privacy and the rules that apply to business in this powerhouse commercial center? Padraig Walsh, a privacy leader at the prominent Hong Kong law firm of Tanner De Witt, provides insight into how multinational firms should view Hong Kong for digital services. Hong Kong’s 1996 data privacy law was a pioneer at the time in establishing a legal framework for protecting personal data and regulating companies that handle data flows as controllers or processors. If one asks is it like China’s or the EU’s or the USA’s approach to data privacy, the answer is that it is much more like the EU or USA approach than China’s. It was adopted in the final months of British sovereignty. If you have ideas for more interviews or stories, please email [email protected].

No business or individual wants to be the victim of a disaster. Cyber-attacks can cause exactly that. Individuals are the first line of defense for personal privacy and cybersecurity. For businesses, it’s essential to train everyone associated with data systems to avoid letting hackers and other criminals into the network that holds data, Dr. Gleb Tsipursky explains in this podcast how disaster avoidance requires an approach based on emotional intelligence and training based on human psychology. While firewalls, policies and procedures are essential for protecting a company’s data flows, so is effective training of personnel – of employees, contractors, others who hold the keys to accessing a company’s computer systems. Freezes of entire company systems caused by ransomware, thefts of financial and intellectual property by hackers, improper releases of personal data of customers – these and other crimes of the digital age are often caused by one individual’s careless acts in letting a thief enter a business’ digital gateway. If you have ideas for more interviews or stories, please email [email protected].

The EU’s General Data Protection Regulation (GDPR) turned one year old on May 25, 2019. What’s been the experience? Kim Walker, Co-Chair of the Privacy Team of Shakespeare Martineau, a premier UK law firm, provides insight into how this comprehensive law of personal data privacy has unfolded in the United Kingdom. If you have ideas for more interviews or stories, please email [email protected].

India is about to enact a comprehensive data privacy law that will force global and Indian businesses to revise their approach. Stephen Mathias, Co-Chair of the Tech Team at Kochhar & Co., one of India’s premier law firms, explains how India will shift from relatively lax regulation of data privacy to one of the world’s most protective regimens once the new bill is enacted. If you have ideas for more interviews or stories, please email [email protected].

What do serial killers, employees who don’t want their fingerprints shared and a U.S. Senator have in common? Data privacy. In this podcast, Victoria Beckman, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team, discusses this and other news. If you have ideas for more interviews or stories, please email [email protected].

The Data Privacy Detective turns the spotlight on five American data privacy developments in a conversation with Melissa Kern, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team. 1. California’s data privacy law, CCPA, comes into force in 2020. It’s occupied attention because of California’s size and its potential extraterritorial application. It provides limited rights for individuals to sue companies that violate CCPA, restricted to certain cases of data breach. Privacy advocates were disappointed when the California State Senate rejected a bill to empower individuals to sue companies that violate any part of CCPA, a big win for the tech sector in America’s largest state. 2. In the absence of an overarching U.S. law, the statutory action in data privacy has been on a state level, as in California. But the Network Advertising Initiative foresees the need for national standards and intends to fill that role as a Self-Regulatory Organization (SRO) rather than have a national law that could be less friendly to business interests. It issued a revised Code of Conduct 2020. A key upgrade requires opt-in consent of persons whose location data will be collected from various devices. 3. WhatsApp users were stunned to learn that spyware could be implanted on their phones without their knowledge. WhatsApp promptly issued an upgrade to be downloaded at no charge that was said to fix this stealth attack, permitted by exploitation of a buffer-overflow vulnerability. Another privacy embarrassment for Google, though one promptly addressed. 4. San Francisco became the first city known to prohibit use by city agencies of facial recognition technology. Other cities are considering similar bans. Unlike local laws banning cameras to catch drivers going through red lights, this ban restricts the use of analytical technology without barring devices that take photos without our express okay. 5. Google is rolling out settings on its Chrome browser that will enable users to delete 3d-party cookies. This will be optional, as some individuals may want to go to their grocery store and have their device tell them about a discount on their favorite foods and beverages without being asked. Others find it creepy that our whereabouts are not only being monitored by third parties but are used to stay in touch with us without our asking them to come along for the ride. If you have ideas for more interviews or stories, please email [email protected].

The May 2-3, 2019 International Association of Privacy Professionals Conference featured leading U.S. officials and participants in the data privacy field. Mike Nitardy, a certified Privacy Professional (U.S.) and data privacy attorney at Frost Brown Todd LLC shares highlights from the conference. If you have ideas for more interviews or stories, please email [email protected].

Picture frontline employees – like those at a motel’s front desk. In come ICE agents with gold badges asking to see guest logs, aiming to identify and track down undocumented aliens. What’s the desk attendant to do? Most likely, cooperate without thinking it through. This led to costly problems for Motel 6 – a $12 million settlement in the State of Washington alone. The lesson is this – don’t let frontline employees decide whether to turn over personal data of guests or customers. That’s a big decision that should be made at a higher level, in sync with the company’s privacy policy. This podcast explores what happened to Motel 6 and draws lessons for what a business should do to safeguard the privacy of customer data. If you have ideas for more interviews or stories, please email [email protected].

Businesses have far more personal data than they think they have, and information expands by the hour. This is a key finding from an April 2019 Data Privacy Maturity Study from Integris Software – www.integris.io. Data flows change daily, and yet many businesses rely on spreadsheets and annual surveys to learn what data they house, resulting in inaccurate information that risks reputation and non-compliance. Kristina Bergman, Integris’ founder and CEO, offers important insights in this podcast about how business can deal more effectively with avalanches of data and blizzards of national and state data privacy regulation through an automated approach to the inventory of data. If you have ideas for more interviews or stories, please email [email protected].

Businesses hold vast amounts of digital and hard copy data. Much is personal data regulated by differing country and state laws and rules. The first step towards personal data privacy compliance is to know what personal data are held by a company. But traditional means of inventorying personal data undercount and are almost always behind the curve of time. Network analytics is the answer to this challenge. In this episode, the Data Privacy Detective has a conversation with 1touch’s CCO Mark Wellins, and they explore how to discover, map and flow data in a more comprehensive and timely way than traditional methods allow. If you have ideas for more interviews or stories, please email [email protected].

Data incidents arise regularly for businesses. The perpetrators range from sophisticated scoundrels seeking a quick ransom payment, to foreign governments conducting industrial espionage, to thieves seeking inside information, to distant hackers seeking personal data to sell on the dark web. When an incident arises, companies turn to legal counsel as part of the response team. In this podcast, Bob Dibert, a Frost Brown Todd attorney with 30 years’ experience and a veteran of data incidents, discusses how incidents arise and how they’re handled. There’s a three-step approach when an incident arises: 1. Contain: Immediately aim to stop further leakage and prevent additional harm from arising. 2. Counsel and Plan: Promptly analyze the scope and nature of the incident, what needs to be done to address it both immediately and longer term. 3. Remediate: Solve the problems, remedy the damage, notify those affected if required. If you have ideas for more interviews or stories, please email [email protected].

The European Commission issued its second review of how the EU PrivacyShield is working in late December 2018. Over 4,000 U.S. firms have signed up so far for this method of dealing with the GDPR (General Data Protection Regulation) of the European Union that protects personal data of its residents. The Commission’s report approves U.S. efforts to support the bilateral agreement that supports the Privacy Shield, with one important matter to be address in February 2019. If you have ideas for more interviews or stories, please email [email protected].

China should never be viewed through a foreign lens. And yet, what other lens do we have from the USA or most of the world but to do just that? Bloomberg News reported two statistics on November 21, 2018 that will shock most non-Chinese citizens – “By the end of May, people with bad credit in China have been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.” If you have ideas for more interviews or stories, please email [email protected].

Russia governs personal data of its residents based on a generally applicable law. As a federal country, Russia has rules below the federal law, but they conform to standards set by statute throughout the nation. Though not as comprehensive as Europe’s broadly extensive General Data Protection Regulation (GDPR), Russia’s statute aims to protect the personal data of Russians similar to the GDPR’s approach. Concepts of consent of persons to use their data, privacy by design, data minimization, cybersecurity minimum standards and other principles are augmented by a data localization focus different from the GDPR.

The internet was once viewed as an instrument of freedom. It freed communications across borders, aided the ability of people to rally against repressive governments, dramatically lowered entry barriers to sellers of goods and services across borders. But like many good things, the internet has been increasingly harnessed to repress – or more neutrally to assist those in control of government to keep their power and a watchful eye and long arm over those who threaten their view of public order, The Freedom House report is a disturbing compilation of the rise of digital authoritarianism. The study of 65 countries that hold 87% of the world’s internet users found a decline in freedom from June 2017-May 2018 in 26 nations compared to gains in 19. If you have ideas for more interviews or stories, please email [email protected].

Because U.S. states employ over 16 million people and hold the data of almost all American residents, state governments are major targets for data villains seeking to obtain data about us. How safe is our personal information in the hands of state governments and what security challenges must states address to better protect personal data? Podcast guest Trey Grayson is a veteran of these issues, having served as Kentucky’s Secretary of State for eight years and later as director of Harvard’s Kennedy School of Government’s Institute of Politics and member of the President’s Commission on Election Administration, which reviewed the 2012 election. Trey is now a principal of the public policy firm CivicPoint and an attorney with Frost Brown Todd LLC. As an attorney and public policy expert, Trey offers guidance on the state of cybersecurity and state-held data in episode 26 of the Data Privacy Detective podcast.

The EU’s GDPR requires businesses outside the EU to appoint a “representative” in a member state and a Data Protection Officer in the EU to consult on and monitor data privacy matters. In this episode, Alessandro Di Mattia joins us to explore the definitions and requirements surrounding these positions and the roles they play in protecting consumer personal data according to the GDPR.

The California Supreme Court faced a challenge that may have been the first stone cast in a global debate about free expression on the internet. The case centered on a San Francisco law firm that got a one-star YELP review from an unhappy former client. When the firm’s YELP rating dipped from 5.0 to 4.5 the law firm successfully sued the reviewer for a defamation claim. YELP was not originally a party to the case, but when the judgment ordered YELP to remove the information, YELP refused. If you have ideas for more interviews or stories, please email [email protected].

“California enacts the strictest online privacy law in the country!” trumpeted CNN/Tech. A statute passed unanimously in the legislature and immediately signed by Governor Brown, AB 375, had the support of large tech firms and privacy advocates. It moves California in the direction of the European Union, granting rights to California consumers concerning personal information they share online. The Data Privacy Detective turns his magnifying glass on this statute. It will have an impact. If California were a country, it would boast the world’s fifth largest economy. California has citizen initiative rights that let people propose laws enacted by a popular vote, bypassing the legislature. Enraged by the Cambridge Analytica scandal of data shared by Facebook that ended up sold without consumers’ direct knowledge for political campaign purposes, a wealthy Californian tired of waiting for the legislature to act. He promoted an initiative aimed at creating tough consumer data privacy protections. Alarmed by the proposal, California’s large tech community backed a quick legislative response that is a compromise compared to the initiative language. It was drafted, enacted, approved and signed into law in about a week, and the initiative leader withdrew his effort and supported the outcome. See www.caprivacy.org. If you have ideas for more interviews or stories, please email [email protected].

Businesses not located in the European Union have tried to understand whether the General Data Protection Regulation (GDPR), applies to them. And if it does, or if it might, one of the puzzles has been whether a non-EU business needs to appoint a natural person or legal entity to be its “representative” or a natural person to be its “Data Protection Officer” for dealing with EU and its Member States’ Data Protection Authorities (DPAs). This podcast focuses on that question. If you have ideas for more interviews or stories, please email [email protected].

How did U.S. businesses deal with the launch of GDPR? And what’s its immediate impact on how U.S. businesses address personal information they have? The Data Privacy Detective turns the magnifying glass to this question, focusing on small and mid-sized (SME) U.S. businesses that hold personal data of Europeans. Most coverage about GDPR is about titanic battles of tech giants whose business models are based on monetizing customer data. My spyglass turns to a different subject: How did SMEs in the United States deal with GDPR? The clear majority of them do not sell personal data of Europeans, but instead collect and use it for ordinary business purposes, such as marketing goods and services, employing personnel, collecting payment and other processing that has nothing to do with surreptitious use of such personal information beyond the obvious. If you have ideas for more interviews or stories, please email [email protected].

GDPR, the European Union’s effort to protect personal data, has dominated the efforts of businesses to deal with personal data across borders. Less noticed is China’s evolving system of controlling, regulating and protecting the personal information of its people. On May 1, 2018, China issued standards for personal information protection.

In this podcast episode, the Data Privacy Detective discusses the background to the EU / U.S. and Swiss Privacy Shield and how it relates to the new requirements of the EU General Data Protection Regulation (GDPR)that will take effect on May 25, 2018. If you have ideas for more interviews or stories, please email [email protected].

In this podcast, the Data Privacy Detective turns a magnifying glass to how businesses located outside the EU can gather and use personal data that originates in the EU without violating the GDPR. Businesses inside the EU are actively working to bring their policies and procedures in line with the GDPR, with the benefit of many years of practice under the 1995 EU Directive that required EU countries to adopt laws based on a common background and similar principles to what becomes a directly binding regulation on May 25, 2018. For businesses beyond EU borders, how do they determine if GDPR’s extraterritorial reach affects them and what should they do about it?

The Data Privacy Detective explored in prior podcasts the broad scope of personal data, the differences between controllers and processors and other matters, including how processing can be lawful. That includes several specific, limited instances when acquisition and use of personal data can be legitimate in the absence of express consent of the persons whose data are held.

The EU’s GDPR – the General Data Protection Regulation – becomes law on May 25, 2018. This podcast explores what processing of personal data as defined by the GDPR is considered lawful. “Processing” is defined very broadly by Article 4.2 to encompass a wide variety of ways in which personal data are held or used. Article 6 describes what constitutes “Lawfulness of Processing.” It lists six alternatives for when processing is lawful. The first and most basic is if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Express consent is at the heart of the European approach to personal data protection. But consent is not the sole basis for lawful processing of personal data.

The GDPR defines personal data very broadly. But it is not an all-encompassing effort to protect all personal data from every conceivable use or misuse. “Personal data” is defined by Article 4.1 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This defines personal data to include relatively non-sensitive information such as a phone number or email address, as well as more sensitive information such as biometric, genetic and other information about a person. The GDPR does not protect the data of legal entities. Only personal data of natural persons are addressed. Business, non-profit organization and government data are not covered. (Recital 14). Only data that relate to an identified or identifiable natural person are regulated by the GDPR. (Article 4.1)

Businesses collect, use and store personal data. It’s unavoidable. An email address, phone number, birthdate, postal address – these are all personal data that allow someone to identify or contact an individual. Other information is far more sensitive, such as health information, religious preference, political beliefs, race or ethnic origin, sexual preference, and financial details. The European Union’s General Data Protection Regulation (GDPR) classifies businesses that hold personal data as controllers or processors. The GDPR applies directly to both controllers and processors, but in different ways. This podcast explores the meaning of controller and processor and how cross-border businesses can meet the differing requirements imposed by the GDPR.

How does a non-EU business know if it must comply with the GDPR? And what specific things are required if the answer is yes? This podcast explores these questions, detailing the specific activities that require a non-EU business to comply with this EU regulation. Merely having a website is not enough. But if a company aims to sell goods or services to Europeans or to monitor the behavior of EU citizens or residents, compliance is expected. Conducting a data inventory and creating a data map are first steps to determine how a cross-border business can deal with the GDPR and comply with its requirements.

On May 25, 2018 the European Union’s General Data Protection Regulation becomes law – not just within the EU but everywhere in the world in some respects. It is deliberately extraterritorial. The EU is serious about compliance with the GDPR. Fines can be as high as 4% of a company’s gross revenues or 20 million Euros. The Data Privacy Detective launches a thorough exploration of the GDPR with this podcast, starting with the history, the context and the GDPR’s basic aim of protecting the personal data of its citizens and residents.

In this podcast, the Data Privacy Detective talks about tech support scams with Michael Severini, Director of Information Security for one of America’s large law firms, Frost Brown Todd LLC. A tech support scam can start with a phone call claiming to provide computer support and security. But increasingly this scam pops up when you click on a website and your screen freezes, with a warning page that your pc is infected and you need to call a toll-free number immediately for help. If you have ideas for more interviews or stories, please email [email protected].

The risk of the Internet of Things (IoT) is far more than a stolen credit card number or a banking loss. The risk could be mortal and pervasive if a critical device is hacked and a malicious command is issued through the IoT.

Phishing is an effort by cybercriminals to use bait in the guise of a familiar email address to hook you into revealing your sensitive information. This podcast tells a real story of two college professors who were initial victims of a clever evolution of a phishing scam.

On July 25, 2017, the FBI issued a TLP:AMBER alert on its Cyber Watch system about an elaborate cyber-criminal attack underway by sources believed to originate from Iran. The Alert lists about 200 domain names and IP addresses that individuals and businesses should avoid. The Alert lists four actions that all persons and businesses should take to avoid being harmed, not only by this attack, but to address the burgeoning rise of malware and other attacks against our data privacy and use of the internet.

Very private information about us can be extremely useful for medical research and other noble purposes – such as medical data that can be aggregated into a big database to help control and combat disease. But we’re reluctant to share our health and genetic details if we can be identified individually. How can we contribute to the big data need of public health and still preserve our individual privacy? Pseudonymous and anonymous coding is the answer, many say. But wait, does that too have risks? Join a conversation with Ken Morris, a leading entrepreneur, technologist and attorney, to explore this essential question. If you have ideas for more interviews or stories, please email [email protected].

The Data Privacy Detective talks about facial recognition technology, how it affects our privacy and what rights we have to fair use by the government. This episode will acquaint you with FIPPs and a law meant to ensure fair use by government on passports, videotapes and other images of our persona.

So what can you do yourself to protect your personal data and the confidential information of your company or employer? Julia Montgomery of Traveling Coaches shares top tips on how to protect confidential and personal data.

John Hibbs, Chief Information Security Officer for J.P. Morgan Chase, gave a riveting talk in Chicago in the fall of 2016 about the devices that tempt us to spend our waking hours giving them attention. He began with a challenge I readily accepted - that humans are not good at guarding their data privacy. Technology is too strong and changing too quickly to keep up with. Nonetheless, there are choices we can make with regard to the equipment and software we use and thereby better protect our data. You are your own first line of defense against the loss of your data, and this episode of the Data Privacy Detective goes through a checklist of items regarding software and equipment to assist you.

Personal data is vast and expanding exponentially. And the means of combing through vast quantities of digital data is becoming easier and quicker than ever, with human beings linked to each other on a global scale never before possible. At an October 1, 2016, conference in Luxembourg, French attorney Olivier Saumon cited industry projections that by 2020 the world will have 50 billion connected devices – an average of over five per person. Computers, smartphones, wristwatches, vehicle devices, robots and other devices will create data and connect to an expanding galaxy of devices that will track our health, finances, genetics, emotional make-up, perhaps even our dreams. This episode of the Data Privacy Detective highlights an example that shows how websites can search for and secure highly personal data of individuals and also how governments can intervene to delete the information and penalize third parties that lack express consent to handle the information.

A 2014 European Court of Justice decision against Google made Google the decision maker about whether to delink its search engine from sites that infringed the rights of European citizens – and raises the issue whether one government can set the rules of privacy worldwide. The intricacies of the case provide one glimpse into the evolving global battle over data privacy that faces technology providers. In the absence of a global agreement or a world court, the battles continue between disclosure and privacy. If you’re European, you have rights greater than those available to American citizens in having certain information about you deleted. This episode of the Data Privacy Detective dives into the Google case and its implications on technology companies and privacy rights of people around the world.

Privacy is dead, get over it. This is what a blockchain entrepreneur told a conference at the European Court of Justice on September 30, 2016. And yet, we know this is not true. If privacy were dead, we would know all the details of Donald Trump’s tax returns and we would have access to every email of Hillary Clinton from both public and private servers while she was Secretary of State. And we don’t. Personal data privacy is alive and well, but it is under attack. And our own worst enemy is ourselves. Data privacy is not about protecting data – it’s about protecting you. Listen for tips on how to eliminate unnecessary risk by taking some simple steps to protect the data on your smartphone. If you have ideas for more interviews or stories, please email [email protected].