Serious Privacy Podcast – Unfiltered: An Englishman’s Information Ideals

What do you get when you put an Englishman in charge of information privacy? A lot of experience, ideas, and expertise when it is Ralph O’Brien.  With all the news on the Coronavirus, one could almost forget there are still Brexit negotiations taking place. There is still a question whether the United Kingdom can obtain an adequacy decision from the European Union. Is the UK data protection legislation enough to offer an “essentially equivalent” level of data protection? What are the British views on using and protecting personal data? What about national surveillance? And how does this all tie in to the life and work of a privacy consultant? These topics and more will be addressed in this episode with Ralph – a highly respected privacy professional located in the United Kingdom.

The conversation takes us from how Ralph first entered privacy and the considerations and areas of focus at that time to how privacy has evolved. As we can imagine, the world of privacy, including Brexit issues, has dramatically changed and not all changes are necessarily good. Listen as Ralph shares his thoughts on data privacy, technology, the privacy profession, and Brexit – including what caused him to “go ballistic” on Twitter. Listen to this week’s episode on our website or stream the episode below.

COVID-19 Privacy Resources

The global pandemic caused by COVID-19 has affected most companies and for many requires operational changes in order to move forward. In light of the uncertainty, TrustArc has provided access to the latest guidance and other helpful information to assist companies as they plan to reopen.

COVID-19: Privacy Risks & Considerations eBook

As the conversation shifts from how to create a remote workforce to how to reopen the physical office, this eBook provides privacy risk guidance for businesses during the COVID-19 pandemic. Download the free eBook here.

Comparison Chart

The COVID-19 Comparison provides summarized analysis from 100 regulators on the following topics:

  • Whether certain legal exceptions apply, such as for public health, healthcare, public interests, or vital interests;
  • What can be collected from employees and visitors;
  • Requirements related to disclosure of confirmed cases; and
  • Processing of location data

Download the Comparison Chart here.

Regional Maps

TrustArc has developed regional maps showing regulators' guidance on returning to work after COVID-19. Download the PDFs: United States, Canada, European Union & United Kingdom 

TrustArc Blog 

  • Providing guidance for employers navigating privacy and security issues; and
  • Discussing the privacy implications of new mobile technologies tracking individuals to prevent the virus’ spread.

Serious Privacy Podcast 

Serious Privacy podcast discusses COVID-19’s impact on privacy in the following episodes: COVID-19 Part 1, COVID-19 Part 2, Tech Talk: Innovation during COVID-19, Privacy on the Front Lines: A View from LA, and Returning to Work.

Privacy Insight Series Webinar

Watch our on-demand COVID-19 webinar to learn how employers can ensure good data protection and governance practices in these special times.


Serious Privacy Podcast – The GDPR at 2 Years: Time to Celebrate?


The 25th of May 2018 will be a day that is forever etched into our memories. It is a day we had been working towards for well over seven years by the time it arrived. For those of you who don’t remember – it is the day the GDPR entered into application. What other topic could we possibly discuss in today’s Serious Privacy episode other than the first GDPR review?  The serious question is – is it time to celebrate?  

Let’s look at lessons we learned over the past two years and review activities by consumers, businesses, and regulators. You will get both the U.S. and the European perspective, and we have a special guest for this episode – TrustArc’s own CEO, Chris Babel. Chris brings with him decades of experience in both security and privacy and has a front row seat in most privacy initiatives.  Being in security when it first ramped up in compliance requirements provided Chris with a solid understanding of how compliance initiatives grow, including funding challenges. We discuss the good, the bad, the ugly – and the promise of GDPR. Listen to this week’s episode on our website or stream the episode below.

Happy Anniversary, GDPR!


The European General Data Protection Regulation (GDPR) this week celebrates its second anniversary. For many organisations, it may seem that the GDPR has become business as usual; one of many elements of their global compliance strategy. For many others, it remains a continuous struggle. 

The two year anniversary is an important milestone for the GDPR, since this is the moment the European Commission was supposed to present the first evaluation of the application of the Regulation. Unfortunately, the report has been delayed until the start of the summer. Some of the lessons learned are nevertheless crystal clear.

Overall, the GDPR has been a success

In preparatory analysis for the European Commission’s review, the EU Member States, the European Data Protection Board (EDPB – the assembly of all EU supervisory authorities) and even industry groups, like the Centre for Information Policy Leadership, all agree: overall, the GDPR has been a success. Especially in the private sector, the Regulation has seen a big increase of awareness for privacy and data protection issues. Many organisations have implemented far-reaching privacy programs, to ensure the personal data of their employees, business partners and customers is well protected. And if something goes wrong, they are much more forthcoming to report a breach than was the case in the past, if you look at the total number of data breaches reported thus far.

Also the ‘extraterritorial’ influence of the GDPR is noticeable. Countries around the world have adopted legislation to bring their own privacy laws more in line with GDPR, or are in the process of doing so. Think for example of Japan, where additional legal provisions and guidelines were adopted to ensure their privacy law could be declared adequate. A similar process is ongoing in South Korea. And in Brazil, the new omnibus privacy law LGPD is clearly inspired by the GDPR, as is the draft Indian privacy bill currently before Congress. That doesn’t mean these laws are exact copies of the GDPR: all countries have chosen to embed their laws in their own national legal traditions, but many of the newer concepts and compliance approaches introduced by GDPR have been copied.

The GDPR has not achieved one of its main goals: full harmonisation

One of the main points of criticism of the GDPR, is that it is a Regulation-in-name-only. That requires a bit of explanation. Under EU law, there are two main legal instruments: Regulations, which have direct legal effect in all EU Member States and in principle do not require national implementing laws, and Directives, which are only binding as to the goal they aim to achieve. Directives always require implementing laws in all EU Member States. The GDPR officially is a Regulation, and many of the provisions indeed have direct effect, and can be relied upon by organisations and individuals throughout Europe. However, on many details, like the use of special categories of personal data (including health data), additional national rules can be imposed, to either allow the processing of such data or to make it more difficult. The same goes for data used in an employment relationship and for research and statistical data. Also, the age at which minors can provide consent for online services varies from country to country, between 13 and 16 years. This means the original goal to have “one single privacy rule for the whole of the European Union” has not been completely achieved. The core of the Regulation has been harmonised, but many important details have not.

What also hasn’t been fully harmonised, is the approach supervisory authorities should take when enforcing the law. The GDPR provides the main elements of what an investigation should look like and how authorities should consult each other, but the process itself is run on the basis of national administrative law. These laws fall outside the scope of EU legislation, and thus are not harmonised. 

Supervision and enforcement of the GDPR remains a struggle

Also more in general, the supervision and enforcement of the GDPR is not an unequivocal success. Many had expected – and sometimes hoped – that data protection authorities would start imposing multimillion euro fines from the moment the GDPR went into application. That seems not to have been the case. Especially some high profile complaints brought by civil society groups like NOYB (none of your business, led by the Austrian Max Schrems) and Privacy International, are still awaiting a decision by the competent authorities. But that doesn’t mean the GDPR has not been enforced at all. 

At the start of 2020, well over €115 million had been imposed in fines by the various data protection authorities. In addition, many authorities have taken other types of enforcement decisions, as allowed by the GDPR, from (public) warnings of non-compliance, to the suspension of processing operations. Many data protection authorities also make clear it sometimes suffices to have a phone call with a non-compliant organisation, to explain the correct interpretation and/or application of the GDPR. This may not be the most visible way of enforcement, but it is a really effective one.

The main hurdle for data protection authorities is a lack of resourcing and funding. Two-thirds confirm they do not have sufficient resources to deal with all the complaints received from individuals, as well as with the requests from companies for guidance and approval of certifications and international transfer instruments. Also the Council and CIPL conclude in their GDPR evaluation reports that underfunding of data protection authorities is a risk for the effective implementation of GDPR. 

With only two years experience in working with the GDPR in practice, almost everyone agrees that it is too soon to start discussing any possible changes to the text of the Regulation. For now, Member States, supervisory authorities and industry seem content with more (detailed) guidance from the EDPB. At the same time, they note the reform of the data protection legislation in Europe is still not completed. The ePrivacy Regulation, which shall provide the specific rules for online data protection in line with the standards and principles of the GDPR, is still in the legislative process, with no agreement on a final text of the Regulation in sight. The hope is the German presidency of the Council from July onwards will be able to make some progress in this file.

Serious Privacy Podcast – Wildly Successful: An Unexpected Career in Privacy


Describe your perfect privacy career. Do the words “vibrant,” “brilliant,” and “high energy” come to mind?  Back when we still had privacy conferences and trade shows, you could sometimes meet someone that was so vibrant, so enthusiastic and so interesting, they would make the whole event. Emerald de Leeuw, Privacy Lead in EMEA for Logitech is that kind of person. She is a fellow Dutchie to Paul and calls Ireland her home. She is an entrepreneur with a brilliant privacy mind, but allegedly also serves up a mean cocktail.

We speak about building out a career in privacy, being underestimated and staying sane while working hard. We also talk about the challenges that a woman in privacy and tech faces, whether at the beginning of her career, or even when she is established and successful. Being underestimated is just one of those challenges. Emerald also opens up about her career champions and the importance of being authentic as a professional. Listen to this week’s episode on our website or stream the episode below.

The California Privacy Rights Act of 2020



Alastair Mactaggart, the driver behind the current California Consumer Privacy Act (CCPA) in 2018 (CCPA, published a new version of a consumer privacy act in September 2019). Since then, it has been modified and is being submitted to California county governments for inclusion on the California ballot for voting. In California Elections Code, Article 3, Section 9035 requires that initiative measures for statutes be presented to the Secretary of State with a minimum number of signatures, at least 5 percent of the total numbers of registered voters in the most recent gubernatorial election, in this case, no less than 623,212. 

The Office of the Attorney General released the title and summary of the initiative back in December 2019 as one of the first steps in a ballot initiative. On May 4, 2020, the Californians for Consumer Privacy announced that it was submitting over 900,000 signatures for qualification of the California Privacy Rights Act of 2020 (CPRA) as a ballot initiative and is now submitting the petitions to all counties for inclusion on the ballots in November.  If passed, the CPRA would take effect January 2023 with a one-year look back to January 2022. Some provisions, however, are presented for 2021, such as a new state privacy agency responsible for implementing and enforcing the CCPA.

Previously, this same group sponsored CCPA to be on the November 2018 ballot. However, the California Legislature passed its version of the CCPA in June 2018, which was signed into law – and has been amended twice since then. To date, the regulations to implement the CCPA have not been issued, yet enforcement is slated to begin July 1, 2020.

About the CPRA

The CPRA’s intent is to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA. Key provisions include:

  • Enhanced obligations on third parties, including service providers and contractors
    • Providing notice where data is collected (businesses acting as third parties) 1798.100(b)
    • Contractual obligations to comply with the law and to provide certain levels of privacy protection Section 1798.100(d) 
    • Cooperate on consumer requests, including deletion and flowdown obligations 1798.105(c)(3)
  • Explicit security provisions (reasonable as appropriate to nature of information) 1798.100(e)
  • New right of correction 1798.106
  • New right to limit use and disclosure of sensitive personal information 1798.121
  • Addition of definitions of “consent,” “contractor,” “sensitive personal information,” and “share” (as proposed §1798.145(h), (j), (ae), and (ah) respectively). Each of which carries new or enhanced obligations. A summary of these new definitions are listed here, with the exception of “sensitive personal information” which is provided in full below.
    • “Consent” must be freely given, specific, informed and unambiguous, with a clear affirmative action or statement and includes what does not indicate consent, such as acceptance of general terms or muting or closing a piece of content. (h)
    • “Contractor” is very similar to a service provider.(j)
    •  “Sensitive personal Information” means: (1) personal Information that reveals (A) a consumer's social security, driver's license, state Identification card, or passport number; {B) a consumer's account log-In, financial account, debit .card, or credit card number In combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocat/on; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mall, email and text messages, unless the business Is the Intended recipient of the communication; (F) a consumer's genetic data; and (2}(A) the processing of biometric Information for the purpose of uniquely identifying a consumer; (B) personal Information collected and analyzed concerning a consumer's health; or {C) personal Information collected and analyzed concerning a consumer's sex life or sexual orientation. Sensitive personal Information that Is “publicly available” pursuant to paragraph {2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal Information or personal information. (ae)
    • “Share,” “shared,” or “sharing” is very much like selling, but in regards to cross-context behavioral advertising. (ah)
  • Additional element of data sharing to the definition of “business” for those who share control and branding with a business subject to the CCPA, Section 1798.140(d)(2) 
  • Creation of a California Consumer Protection Agency. Section 1798.199
  • Requiring an annual cybersecurity audit for businesses whose processing of personal information presents a significant risk to consumers – and submitting risk assessments to the new Consumer Privacy Protection Agency. Section 1798.185(a)(15)
  • Subjecting violations involving the personal information of individuals known to be under the age of 16 to the increased penalty level of $7,500 each violation. Section 1798.155(a)

These are certainly not all of the changes proposed by the CPRA and one should read the complete text to understand the potential impact.

Next steps

Under the previous initiative, which became the CCPA, negotiations were held to enact state law in lieu of the ballot initiative proceeding. It is unknown whether similar discussions are being held about the CPRA. As permitted under California Constitutional Law, the CPRA will be listed on the ballot in November as long as the remaining requirements are met.\