PrivacyPod

We are back from summer break with a bunch of positive energy (that lasted through about the first two cases). This episode was recorded by Hannes, Jyri, and Pilvi on the historical day of data transfer anticlimax, despite all the LinkedIn posts preparing to sell you more legal advice. So, in this episode, we cover: The Latombe I that was not meant to be (insert violins and a slow dramatic tear). The court said nothing to see here, move on. Nevertheless, we have opinions. Austria’s Data Protection Authority took five and a half years to order YouTube to give people access to their personal data. Like good art, this stirred up some strong feelings in our hosts. Google was not ordered to sell off Chrome and/or Android, but they were ordered to make the playing field a bit more open. TikTok faces new investigations into their data transfers to China. Listen as our hosts jump into this rabbit hole and end up wondering: who is the true James Bond villain… and could it be… the EU? Are we the baddies? Is the EU becoming authoritarian if it passes a law that will allow it to scan all private and even encrypted messages? More countries are objecting to this. What is at stake here — our European way of life?   Prepare for a rollercoaster of emotions, grab some popcorn, and hopefully, enjoy!   Latombe: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf NOYB vs. YouTube https://www.euractiv.com/section/tech/news/austrias-privacy-watchdog-tells-youtube-to-give-users-access-to-their-data/ https://noyb.eu/en/noyb-win-youtube-ordered-honour-users-right-access Google and antitrust: https://www.bbc.co.uk/news/live/cg50dlj9gm4t China, James Bond, and TikTok: https://cybernews.com/security/tiktok-irish-investigation-eu-data-reached-china/?utm_source=chatgpt.com  EU…the baddie? About screening your messages: https://www.techradar.com/computing/cyber-security/chat-control-the-list-of-countries-opposing-the-law-grows-but-support-remains-strong?utm_source=chatgpt.com   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com  

This PrivacyPod special episode was recorded on the very day the Latombe decision (T-553/23) was made, capturing the immediacy and raw analysis of a pivotal moment in EU–US data privacy law. Host Joost Gerritsen, together Prof. Dr. Gloria González Fuster (VUB, LSTS Director) and Pablo Trigo Kramcsák (PhD researcher, LSTS) delves into the EU General Court’s ruling and its implications for the EU–US Data Privacy Framework. With the judgment only hours old, the discussion is lively and unfiltered, blending critical legal insight with candid questions from the privacy community. Gloria and Pablo examine the court’s highly formalistic approach, questioning whether the decision provides real legal certainty or simply upholds the status quo on paper. They discuss the ruling’s weaknesses, including unresolved issues of admissibility and standing, and debate whether the judgment genuinely protects fundamental rights or merely recirculates official arguments without genuine scrutiny. The conversation also covers hot topics like Article 22 GDPR, the functioning of US oversight mechanisms, and the political climate that influences data transfers between Europe and the US. Throughout the episode, the panel answers audience queries, reflecting the pulse of the privacy profession as it digests the breaking news. These real-time reactions make this episode a unique snapshot of expert opinion as legal history is being written, offering essential listening for privacy professionals, legal scholars, and anyone following the saga of cross-border data flows.     If you would like to learn how this case relates to previous rulings and documents from supervisory authorities, please visit Digibeetle: https://digibeetle.eu/latombe  Press release on the Latombe case: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com  

In this episode, Jyri and Pilvi have been fished out from the pool and summer vacays to discuss privacy–and they desperately try to be optimistic, it’s summer, after all. Whippii. In this episode, we wallow in the following cases: TikTok Class Action in Germany (2000€ for the innocence of a child? How does that work? ) What is happening in the USA… (DOGE access to personal data, Palantir, migrant children’s data collected in data banks…Privacy and Liberties Oversight Board (PCLOB) in crisis?) …and should folks in the EU be taking steps to prepare for the fall of DPF and should the EU start to become  independent from the US tech giants? Denmark is leading the way? Spotify SEK 58 million fines remains, no luck with appeals. Japan gets a new AI law – with no penalties – innovation first. Meta replaces people with AI to oversee privacy A Dentist in France gets 50 000€ in damages from Google as they failed to remove negative reviews and their classic argument based on freedom of expression fails.   So crack open a cold one, forgive us for our damaged personalities, and hit play.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   LINKS: USA (below or open any news site): https://www.cnn.com/2025/06/06/politics/supreme-court-restores-doges-access-to-sensitive-social-security-data https://www.wired.com/story/cbp-dna-migrant-children-fbi-codis/ https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html   Denmark says no more: https://www.thelocal.dk/20250603/danish-cities-drop-microsoft-over-trump-policies-and-financial-concerns   Spotify fines: https://www.imy.se/tillsyner/spotify-ratten-till-tillgang/   Japan and new AI law: https://www.japantimes.co.jp/news/2025/05/28/japan/japan-ai-law/   META and AI: https://www.npr.org/2025/05/31/nx-s1-5407870/meta-ai-facebook-instagram-risks   Dentist got dough out of Google: https://gdprhub.eu/index.php?title=CA_-_RG_n%C2%B0_22/01814&mtc=today  

In this Joost’s Case Corner episode Joost, Pilvi and Jyri discuss running and privacy. In fact, the cases on our chopping block today highlights that no matter how complex privacy is, it always comes back to the basic simple questions—that are anything but simple.   The chopping block serves you today the following cases: Meta v EDPB [T-319/24, 29 April 2025] → Meta challenged the EDPB’s opinion about consent or pay and asked some dough for it as well–did they really think they would get some cash out of it? And how legally binding are these opinions? CJEU Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] → Corruption and anti-corruption: Can national courts intervene in how supervisory authorities work? CJEU Amt der Tiroler Landesregierung [C-638/23] → can *something* be a controller without it being a legal entity? This case’s decision is a pot of gold for all litigators. CJEU Russmedia Digital and Inform Media Press [C-492/23] → case about an ad that advertised someone selling sexual services without the knowledge of the said someone who absolutely did not sell sexual services. Who is the controller here?  So push play and enjoy! Also a massive shout out to Sean Quinn who supported our podcast by buying us coffee.. You made our day, week, and year! Be like Sean, click the link below.   Links: Meta v EDPB [T-319/24, 29 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62024TO0319 Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23, C-332/23, 30 April 2025] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62023CJ0313 Amt der Tiroler Landesregierung [C-638/23] https://curia.europa.eu/juris/document/document.jsf;jsessionid=5A19CB5FFBBA10630CAA5E780ED68940?text=&docid=297537&pageIndex=0&doclang=EN&mode=req&dir=&occ=first∂=1&cid=54213 CJEU Russmedia Digital and Inform Media Press [C-492/23] https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-02/cp250014en.pdf   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

In this Joost’s Case Corner episode Joost, Jyri, and Pilvi discuss why Netherlands you should go to Netherlands as well as some of the latest CJEU cases. On our chopping block today, are: CJEU Deldits [C-247/23] aka. Hungary v. GDPR and LGBTQ+ rights: GDPR and transgender identity: the rectification of data relating to gender identity cannot be made conditional upon proof of surgery. Spoiler alerts: we are still proud to be Europeans as the GDPR stood for the side of the good. CJEU Dun & Bradstreet Austria [C-203/22] Automated credit assessment: the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. What about where and how to draw the line for the trade secrets?   These, and an excellent conversation about why carrots are orange (spoiler alert: it has all to do with Netherlands) awaits you!    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com Joost’s Case Corner–why the carrots are orange

In this episode Jyri and Pilvi try to overcome their urge to discuss anything else but privacy and just be negative and tired of how the world is going, and after a while they actually somewhat succeed in that–or perhaps succeed is a bit of a strong word.  In any case, we discuss the current world politics situation and how it might affect the DPF and data transfers to China, not to mention that Latombe I had its day in court. The political situation might also affect the coming GDPR revamp, but in which way? We also discuss the following cases: Meta’s and X’s decisions to teach their AIs with public posts by its users and what the Hamburg, Irish, and Norwegian DPAs have to say about it; A case from ireland: Is the employer a controller for the employee’s personal life data in their work phone? Amazon losing the appeal for MEUR 746 GDPR fines; Spanish DPA giving out EUR 500K fine for the processor that added sub-processors without a proper authorization by the controller. This, and much more that you never wanted to hear on this episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   LINKS: Meta & X’s AI decisions: https://datenschutz-hamburg.de/news/meta-starts-ai-training-with-personal-data   https://techcrunch.com/2025/04/14/meta-to-start-training-its-ai-models-on-public-content-in-the-eu/ https://www.reuters.com/technology/irish-regulator-investigates-x-over-use-eu-personal-data-train-grok-ai-2025-04-11/?utm_source=chatgpt.com   Hypothetical damages: https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&Datum=Aktuell&Sort=12288&nr=140810&anz=1159&pos=12 https://gdprhub.eu/index.php?title=BGH_VI_ZR_109/23&mtc=today Work phone: https://gdprhub.eu/index.php?title=High_Court_-_McShane_v_Data_Protection_Commission_(2025)_IEHC_191&mtc=today   Amazon fines: https://www.reuters.com/technology/amazon-loses-court-fight-against-record-812-mln-luxembourg-privacy-fine-2025-03-19/?utm_source=chatgpt.com   Spanish fines: https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202307719&mtc=today

Once again, Pilvi and Jyri are joined by the legendary Joost, in another episode of Joost Case Corner and the magic of European Court of Justice (and Court of First Instance) case law!   In this episode, Pilvi and Jyri (with some connection issues but not to worry Phil and all Jyri fans–he’s there!) discuss the following cases with Joost Gerritsen: Case T-354/22: Judgment of the General Court in Bindl v. Institutions, commission (Can an unlawful data transfer to the USA be annulled? Also, 400€ damages for an unlawful transfer of IP Address via Facebook by the EU. A case that highlights the importance of DPF and the difficulties to function if it should fall.) Case C-394/23: Mousse Jan 9 2025 Association Mousse v Commission nationale de l'informatique et des libertés (CNIL) and SNCF Connect. (A data subject was forced to pick a salutation (monsieur/madame) when buying a train ticket because the train company wanted to send marketing, this case made us happy to live in Europe in these st/o+range times.) Case C‑416/23, Österreiche Datenschutzbehörde (Can a Data Protection Authority tell a data subject to stop filing complaints and stick to no more than 2 complaints per month?) We also take a look at what court cases are cooking in the Court of Justice of the European Union and ready for us to enjoy soon!‘   This episode will be a great treat while prepping for the end of the world, so do listen in!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com       Links: Case T-354/22: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250001en.pdf Case C-394/23: https://eur-lex.europa.eu/legal-content/fi/TXT/?uri=CELEX:62023CJ0394 Case C‑416/23: https://www.euractiv.com/section/tech/news/eu-court-rules-gdpr-complaints-cant-be-rejected-based-on-frequency/  

It’s 2025 and the world is a little crazier… and more orange. So the tea is hot in the global privacy scene indeed, and Jyri and Pilvi are totally here for it.  Not to worry, we don’t want to cause extra heartbeats this early in the year by speculating if the DPF will stand through this new orange era of madn…interesting times, but it is absolutely the right time to take a look at China.  We start with discussing the drama regarding TikTok and where we are with that and continue with the news that shook the markets and tech world: DeepSeek. Both cases are closely related to privacy concerns and international politics: what does this all look like from the EU’s perspective? The Italian Data Protection Authority is already on the case DeepSeek: what could possibly be their concerns? And how is NOYB after controllers connected to China? We also discusst the power struggle between the Irish authority DPC and European Data Protection Board (EDPB) regarding a NOYB case where the EU Court had to intervene, the new EDPB position paper on the crossroads of competition law and privacy as well as the guideline on pseudonymisation. Oh, and we also go through some latest fines from France.  All this and much more from this disturbingly optimistic episode!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

Today’s episode is perfect for the holiday season - or maybe you don’t want to think about work stuff during holidays? Oh well, you are very welcome to join the ride with Laura and Pilvi when they discuss consent or pay -models with Filip Sedefov.  What is the topic really about? Are we regulating/focusing on the right things? Is personal data a tradable commodity that you can exchange for free services? What has all this to do with the values we wish we had and what we actually live by? Is the pay or consent just about making money while stomping on people’s rights or can it actually be seen as an improvement from the current state of affairs?  Listen in to hear our hosts exploring the arguments while playing all types of devils’ advocates from “people will not be able to make informed decisions” to “this is about safeguarding users’ autonomy” and everything in between.  With this episode we’ll wrap up the year 2024 and wish all our 7 (+ Joost’s wife and dog = 9) listeners happy holidays and a Schrems III-free 2025!   LINKS: https://www.edpb.europa.eu/news/news/2024/edpb-consent-or-pay-models-should-offer-real-choice_en    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

Gather around the fire, children, and listen closely: it is time once again to enjoy CJEU case law in the best possible way with Joost’s Case Corner! Yes, Jyri and Pilvi join forces again with the amazing Joost Gerritsen and dive right back into the CJEU Super Friday cases. In this episode, we will cover: Case C-200/23, Agentsia po vpisvaniyata (A Bulgarian case about whether an individual has the right to ask the agency to delete their personal data from the company registry, the scope of legal obligation as a legal basis, whether signatures are personal data, and if the official opinion of the Data Protection Authority can shield a controller from liabilities if the court disagrees with the DPA’s opinion.) Case C-4/23, Mirin (If a first name and sex/gender are changed in one member state, must other member states recognize it as well?) Case C-768/21, Land Hessen (Does the DPA have an obligation to exercise corrective power in all cases of data breaches, particularly to impose a fine, at the demand of the data subject?) As a bonus, we also cover the following cases: C-169/23, Masdi (A Hungarian case focusing on Article 14(5)(c): does the article exempt controllers from their obligation to inform data subjects when the data processing—obtaining or disclosure—derives from national law?) C-80/23, Ministerstvo na vatreshnite raboti (A Bulgarian case about the Law Enforcement Directive (LED) regarding the concept of “strict necessity” in the context of biometric and genetic data collection for creating police records.) So lean back, close your eyes, reward yourself for making it to December of this eventful year, and let the velvety voice of Joost carry you to the wonderful wonderland of CJEU Case Law. Darling, we got you.   Did you enjoy our show? Support us by buying us coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   Links: Case C-200/23, Agentsia po vpisvaniyata: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62023CN0200 Case C-4/23, Mirin: https://curia.europa.eu/juris/documents.jsf?num=C-4/23 Case C-768/21, Land Hessen: https://curia.europa.eu/juris/liste.jsf?lgrec=fr&td=%3BALL&language=en&num=C-768/21&jur=C C-169/23, Masdi: https://gdprhub.eu/index.php?title=AG_-_C-169/23_-_M%C3%A1sdi  

Tired of keeping up with all the CJEU case law? Want to prepare  yourself for all the cool discussions at the IAPP Brussels event? Not to worry! The Joost’s Case Corner covering the CJEU Super Friday cases has landed for you to enjoy. In the first of two of the Super Friday episodes, we will cover: Case C-21/23 Lindenapotheke (What is Art 9 data and what’s not? Can companies rat out each other regarding compliance with the GDPR (and is it smart)?) Case C-621/22 KNLT (Can a commercial interest constitute legitimate interest? We also get a brief history of this case and learn to understand the Dutch DPA a bit better and cover some hot tea on the subject.) Case C-446/21 Schrems v Facebook (Can you process publicly disclosed information on sexual orientation for targeted advertising just because it is public information?) We also learn about the most awesome Dutch legal term “breaking through the wall” and Olaus Petri (a priest who lived 1493-1552, in Swedish Olof Persson, who is still an important character in Finnish law) while discussing legal theory of EU law.  So take a good breath, let all the stress of November leave your mind, and enjoy the awesome drama that is CJEU case law!   Links: Case C-21/23 Lindenapotheke https://curia.europa.eu/juris/documents.jsf?num=C-21/23 Case C-621/22 KNLT https://curia.europa.eu/juris/document/document.jsf?text=&docid=290688&pageIndex=0&doclang=EN&mode=req&dir=&occ=first∂=1&cid=4086618 Case C-446/21 Schrems v Facebook https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0446   Did you enjoy our show? Support us by buying us a pumpkin spice latte here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

Are you googling me? Stop googling me, Jyri!   In this episode Jyri, Pilvi, and Milla take a look at the latest interesting privacy news. The repertoire includes discussion on what happens when regulation is 20 years late (=personalized ads and privacy issues) in the form of LinkedIn’s 310 million euro fine and NOYB’s Pinterest complaint.    We also fall in love (and you will too) with Germany’s Traunstein Court and their Schrems II case (transfers to the US), where the court gave out a decision that seems to include some common sense (no joke). Do listen in for some statements that will first make you feel warm and fuzzy, smiling from ear to ear, and then break you in the “Don’t do that, Don’t give me hope.” -meme kind of way. But hey–when was the last time you felt warm and fuzzy about a Schrems II decision? We thought so too. We all need this, we’ve been through a lot.    We also rant about the latest “know your sub-processors to the infinity and beyond” EDPB guideline draft and most importantly, Jyri tells you in detail how you can actually get some suggestions implemented in the public consultation rounds (no joke).    So grab your Halloween-candy-flavored-popcorn and enjoy some privacy goodie-goodie! You deserve it and darling, we got you. Did you enjoy our show? Support us by buying us a pumpkin spice latte here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, send us your Pinterest boards, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod

In this episode, amazing hosts Milla Keller and Floora Kukorelli sit down with Jussi Mäkinen to discuss the (bright?) future of EU technology regulation. Jussi Mäkinen leads the EU regulatory team at the Federation of Finnish Technology Industries and has extensive experience in digital regulation, both in drafting policies and advocating for industry interests. The discussion revolves around the so-called Draghi Report, in which the former European Central Bank President and Prime Minister of Italy Mario Draghi warns that the EU is falling behind the US and China in the use of data and digital services. The report suggests that Europe’s declining competitiveness is partly due to its stringent data (protection) regulations. The conversation explores whether the Draghi Report marks a turning point in EU data protection policies and what it might mean for the future. The episode also looks at the role of the incoming European Commission in shaping future technology regulations, with special attention to Commissioner Henna Virkkunen from Finland, who oversees areas like technology and competitiveness. The discussion examines her approach and the potential impact it could have on EU tech regulation. Additionally, the episode delves into the future of the EU’s General Data Protection Regulation (GDPR) and the fate of the ePrivacy Regulation. Our guest believes that a more practical approach to privacy is needed moving forward, with the EU striking a better balance between protecting privacy and fostering innovation - the million dollar question is, where this balance lies. This episode provides an engaging and timely look at the current state and future prospects of EU technology regulation for anyone interested in the digital economy and EU policymaking.   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com  

Get ready for a super META conversation—no, not about social media, but about who we are and what we really do. Milla and Laura are joined by the privacy guru herself, Natalija Bitiukova (Head of Privacy at Carlsberg). They almost spent the entire episode talking about beer, but once they tapped into Natalija’s epic level of privacy geekdom, the focus shifted back to our roles in the privacy world. Stick around until the end, and you’ll be treated to the story of the most romantic gift in the universe (hint: “the world” just doesn’t cut it). There’s a lot to unpack in today’s chat, so take notes—what you agree with, disagree with, or just find hilariously nerdy—and we’ll do a future episode where we read your comments and dive deeper. Grab your earbuds and let’s get META!   LINKS: Natalija’s hobby: https://streamlex.eu/  EDPB survey on DPO: https://www.edpb.europa.eu/news/news/2024/edpb-identifies-areas-improvement-promote-role-and-recognition-dpos_en     Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com  

The world of privacy and AI shook and trembled when Hamburg's Data Protection Authority published its edgy discussion paper on Large Language Models (LLM). In a nutshell, they stated that LLMs do not store personal data and that this is in line with the CJEU’s views. Milla and Pilvi were honored and humbled (=overly excited with fangirl-hats on) to have Dr. Markus Wünschelbaum, Policy and Data Strategy Advisor at the Hamburg Data Protection Authority, to discuss what’s this all about. And what a discussion this ended up being!  Markus takes our (and your) hands and walks us all through the discussion paper’s key points and how the DPA ended up with this view: From the technical key points (it’s all about probabilities) all the way to the legal gymnastics and philosophy. On the other hand we also discuss what the result and impact would be if we would take the stance that LLMs do in fact store personal data and if that would actually make any sense. And what about NOYB’s complaint on OpenAI?  All this and much, much more awaits all our 6 listeners in this episode that you should not miss. After the recording our hosts needed a moment to gather themselves from all the excitement. We tried to be tough journalists but how can you not get excited about all this. We love DPAs with edgy action and hot tea to serve. Sorry about that. BUT IT WAS TOO FUN!    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com Links: In German: https://datenschutz-hamburg.de/news/hamburger-thesen-zum-personenbezug-in-large-language-models   In English: https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Datenschutz/Informationen/240715_Discussion_Paper_Hamburg_DPA_KI_Models.pdf  

In this episode, Jyri, Milla, and Pilvi walk  you through the latest hottest tea in privacy and data protection. First, we turn our attention to the herald of doom itself: Clearview and the actions taken by the Dutch Data Protection Authority (fine of 30,5 million euros and then some). Will the Dutch DPA follow through with going after the management and inflict personal liability the managers or directors of Cleaview? We also explore whether such a grim herald can have any positive aspects. The Dutch DPA suggests that the government could create its own version of Clearview, raising an important question. Should we, as a human society, pursue every technological capability simply because we can? Next, we visit the herald of digital future and all things beautiful, that is of course Sweden. The Swedish data protection authority, IMY, has given out two fines for unfortunate use of Meta pixels by a pharmacy and a bank that led to leaking sensitive personal data to Meta. The cases have some meme aspects (legal said no) but also raise up important questions: what is the root cause? Could Meta’s way of enrolling in updates be the one to blame? What steps to take to ensure your organization’s compliance? Then, we take a look at the latest blog by Anu Talus, the Finnish Data Protection Ombudsman and the the Chair of the European Data Protection Board. She admires Sweden (don’t we all?), who seems to thrive under the GDPR rules whereas Finland’s Data Protection Authority remains under-resourced, raising concerns about its ability to support future demands. She distinctly calls out for the ability to fine the public sector also in Finland (one of the few countries where this isnt possible), and discusses the AI Act. Lastly, we dive into a fast-paced Lightning Round™ of key data protection developments. From the Belgian DPA’s crackdown on dark patterns in cookie consent to fines against Uniqlo by the Spanish DPA (AEPD), and a penalty for Vejen Municipality in Denmark over stolen school laptops, important actions are shaping the landscape. We also explore Liechtenstein’s insights on remote work and This and much more (such as some tips on who to follow on LinkedIn) awaits behind the play-button! Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com   Links: Clearview fine: https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-on-clearview-because-of-illegal-data-collection-for-facial-recognition   Swedish Meta Pixel cases: https://www.imy.se/nyheter/sanktionsavgift-mot-avanza-for-overforing-av-personuppgifter-till-meta/ https://www.imy.se/nyheter/sanktionsavgifter-mot-apoteket-och-apohem-for-overforing-av-personuppgifter-till-meta/   Anu Talus’ blog: https://tietosuoja.fi/-/tekoaly-hoi-missa-suomen-digistrategia-   Belgian DPA’s cookie case: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-113-2024-van-6-september-2024.pdf   Uniqlo fine: https://www.edpb.europa.eu/news/national-news/2024/spanish-supervisory-authority-fined-uniqlo-europe-ltd-violations-article_en   Vejen Municipality fine: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2024/aug/endnu-en-kommune-indstillet-til-boede-for-manglende-kryptering   The DPA of Lichtenstein’s activity report for 2023: https://www.datenschutzstelle.li/application/files/3417/2526/0394/WEB_Datenschutzstelle_Taetigkeitsbericht_2023.pdf  

See how we get back to podcasting after the brat summer? Very demure, very mindful. We are not like these other podcasts, we don’t come back for the new season with a half-planned episode, we don’t use chatGPT to make notes, we don’t record too long episodes where half of it is just giggling–we’re very mindful, very considerate, very cutesy. In today’s very considerate episode Jyri, Milla, and Pilvi walk you through the most interesting news from the summer, such as the mega fine of €13,9 million given by the the Czech Supervisory Authority to a cyber security company that shared data of 100 million data subjects to its subsidiaries in a not very mindful way. We also discuss the latest drama on the EU Commission’s Preliminary DMA Findings on Pay or Consent as well as Meta suing the EDPB that is very interesting, very cutesy.  We also take a look at the secret collaboration between Meta and Google to target ads at 13–17-year-olds and have a discussion on what’s the harm in this? Is it really a problem or are we just trying to hold on to a world that is not realistic? We are not like these other privacy people–we don’t just gush about this–we explore different perspectives and play devil’s advocate. Very mindful, very considerate, very demure. These and much more in this episode where we do not try to play too much slightly off pitch on the hottest meme by the amazing @joolieannie , we’re very considerate, very funny, very cutesy, very mindful, and most certainly very demure.    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com Links: Big fine in Czech: https://www.edpb.europa.eu/news/news/2024/czech-sa-imposed-fine-139-million-eur-infringement-art-6-and-art-13-gdpr_en   EU Commission and Pay or Consent: Commission sends preliminary findings to Meta over its “Pay or Consent” model for breach of the Digital Markets Act - European Commission (europa.eu)   Meta and Google not very demure collaboration: https://www.ft.com/content/b3bb80f4-4e01-4ce6-8358-f4f8638790f8   NOYB annual report Annual_Report_2023_EN.pdf (noyb.eu)   Scraping and OpenAI: Microsoft Word - 2024.08.02 FINAL OpenAI Complaint (2) (courtlistener.com) https://www.legaldive.com/news/nvidia-open-ai-face-youtube-creator-lawsuits-for-using-online-videos/724498/  

Prepare to get your mind blown (and not necessarily in a good way) - in this episode Laura, Floora, Pilvi, Milla and Hannes (what a full house!) discuss the theory and practice behind data processing roles.  What is the background of the roles, what is working and not working - why does CJEU want everyone to be joint controllers, what about the AI Act and much more. If you bear with us to the very end we even throw in some suggestions on how to develop a less complex life for the many privacy professionals. linkit: EDPB guideline on controller and processor: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en  CJEU, judgment of July 10, 2018, Jehovan todistajat, C‑25/17, EU:C:2018:55 https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=1305431 CJEU; judgment of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388 https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=1305548  CJEU, judgment of July 29, 2019, Fashion ID, C‑40/17, EU:C:2019:629 https://curia.europa.eu/juris/document/document.jsf?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=1305826    Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/

Cambridge Analytica, Brexit, Trump, Russian Trolls. Political microtargeting has shaped the world and our society more and longer than we would like to admit. The European Union decided to fight back on it with Regulation on the transparency and targeting of political advertising, yet the road to the regulation was everything but smooth. Time will tell how or if the regulation will be able to actually make a difference. On this episode, Milla and Pilvi are going back to this important subject with our very special guest, privacy influencer and an Estonian lawyer Norman Aasma, who wrote his master thesis on the subject. Together we will discuss the road to the regulation, what was the issue with banning the use of sensitive personal data, what does the regulation actually regulate, and what change we can expect it to make.  The episode was recorded on the 27th of May 2024, just before the EU Elections, and thus, we also discuss the current EU Elections and take a brief look at the political advertising taking place (or the lack of it…). We compare it to the research data and results that we have gained from conducting research on the Finnish elections (see our Finnish podcast TietosuojaPod episodes #66 and #52).  So hit play and join us to enjoy a moment in privacy!   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com

“Welcome! Welcome! Welcome! To PrivacyPod Joost’s Case Corner Episode, we are your hosts Milla and Pilvi with Joost Kle… Gerritsen. Thank you so much for joining us and let us begin with our first and most important story, the events of last week’s Eurovision and the big denim egg that made it all the way to “Last Week Tonight” with John Oliver (Go Finland!).”  After we have gathered ourselves from the too short (Panu’s comment which has been noted) section on Eurovision, we move head first to the most interesting recent CJEU cases! And what is on the chopping block today? CJEU NADA and Others [C-115/22], where doping results were published online.  CJEU Juris [C-741/21], where a lawyer wanted to be compensated on receiving direct marketing which for some reason made some of our hosts just lose it (sorry). CJEU IAB Europe [C-604/22], where our focus is on the joint controllership aspect of the case. Thank you so much for listening and good night! Links: Belgian DPA’s Decision on IAB Europe:  decision-quant-au-fond-n-21-2022-en.pdf (autoriteprotectiondonnees.be) CJEU NADA and Others [C-115/22]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=285723&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=2737812 CJEU Juris [C-741/21]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=284641&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=2738131   CJEU IAB Europe [C-604/22]: https://curia.europa.eu/juris/document/document.jsf?text=&docid=283529&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first∂=1&cid=2738315   Did you enjoy our show? Support us by buying us a coffee here: https://bmc.link/privacypod4u We would love to get feedback – so please tag us, follow us, DM us, or send us traditional email: Twitter: https://twitter.com/PodPrivacy, #privacypod Instagram: @privacypod LinkedIn: https://www.linkedin.com/company/tietosuojapod/about/ Email: tietosuojapod@protonmail.com