A

Hey, this is Ari with Market, and unless you've been living under a rock, you've probably heard that Market Live is coming up October 27th in New York City. The last Marketecture Live was sold out and this one will surely be as well, with speakers like Mark Grether of PayPal, Eric Seufert of Mobile Dev Memo, and Jenny Wall from Videoamp. Plus, I'll be recording my podcast live with the one and only Antonio Garcia Martinez, author of Chaos Monkeys and now part of the team building at Coinbase. It's a stacked agenda and we hope to see you there. Go to marketlive.com and grab your ticket.

B

While they're still available.

A

That's marketlive.com.

C

This is @ Tech God and this is a word from our sponsors. Samba TV is a global leader in AI driven media intelligence. Powered by first party data from millions of opted in connected televisions and billions of web signals across the globe, its independent cross platform measurement provides advertisers and media companies with a unified view of the entire consumer journey. Leveraging real time insights and audience optimizations, Samba TV enables marketers to reach and engage audiences with efficiency and effectiveness across any platform and every screen. Visit samba.com to find out more. Again go to samba.com to find out more.

D

Foreign.

B

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our bi weekly newsletter@monopoly-report.com and you can check out all of the Monopoly Report podcasts@monopoly report pod.com I'm Alan Chappelle. This week my guest is Robert Bateman, Senior Partner at Privacy Partnership. Robert is a respected voice on data protection, privacy and AI law. He built his profile writing about data protection and organizing events in the sector. He now provides advice and training to businesses looking to meet the challenges and opportunities of privacy, data and technology regulation. He is also the host of the Privacy Partnership podcast where he provides quick updates on the latest developments in tech law. I'm a big fan of Robert's podcast as he brings a unique perspective. So let's get to it. Hey Robert, thanks for coming on the pod. How are you?

D

Hi Alan, thanks so much for having me on. I'm very well, thank you.

B

Good. Where are you right now?

D

I'm at home in Brighton, UK in my little dingy office where I do most of my work.

B

Ah, fantastic. So there are so many interesting things taking place in Europe on the Regulatory front. It's difficult to choose where to start. But in my view, one of the more interesting long term trends in Europe has been the evolving definition of personal data. Now I'm old enough to remember a time before GDPR when there was lots of debate regarding whether an IP address constituted personal data. And then the EU Court of Justice in what 2016 in the Breyer case held that IP was in fact personal data. Okay, so one might think that was the end and Europe had officially adopted a broad definition of personal data. But what's happened since then? And then maybe we can talk a little bit about srb.

D

Well, the Brea case was really important back in. Did you say it's 2016? That sounds about right?

B

Yeah, I think so.

D

Well, I take a slightly more conservative view on that case than some people. I think it established that an IP address can be personal data and is often, I think, used as personal data. And even some data protection authorities have interpreted it to mean that an IP address is personal data, full stop. But I think really what the court established there was that it can be personal data if the person processing it has the legal means or reasonable means. There's some debate around that element to re identify a person using that IP address. So that could be a dynamic IP address or a static IP address if it's used as an identifier as well. I think it can be personal data by definition. And we have seen regulators interpret that quite broadly since the case. So we have quite emphatic statements from some regulators that IP addresses are personal data per se. It also made its way into the.

B

GDPR itself, but wasn't part of the deciding factor the idea that an ISP could be subpoenaed and since the ISP had the identity of the data subject, that because you're one subpoena away as the holder of the IP address, that therefore it's also personal data for you? That was my recollection that that was sort of the. A key part of it. Am I missing something?

D

No, I don't think you are, Alan. And my memory of the case a little bit rusty. There is that fact that the problem is that the controller in possession of the IP address doesn't have the means to subpoena the ISP to get the identity of the data subject. But I suppose that the law enforcement agency could make that link kind of for the controller. So yes, we do have quite a broad definition of personal data emerging from that case. Nonetheless, whether, you know, whether the details say that an IP address is always personal Data or not, it did establish a pretty broad precedent, like you say, for defining personal data, which is still being discussed to this day.

B

And practically speaking, I felt a bit of a tension between the concept of pseudonymization under the GDPR and this broad definition of personal data. Do you agree? What's your sense of the tension driving that?

D

So how do you see the tension, Alan, between those two concepts?

B

Well, okay, so just thinking about this from the perspective of a crass business business person. What is the benefit to me of pseudonymizing a data set if at the end of the day I probably have to get a consent for it? If, if you're in the ad space and, and I don't really need to treat it any differently, or if I'm starting with the data set that is arguably pseudonymous. Like it almost feels like pseudonymization is this sort of side compartment of the gdpr. I'm probably overstating this, but I'm going to run with it. Like I get in a HIPAA context de identification, I get what that means and I get how that all works. And I know we might talk about HIPAA a little bit later, but, but, but why even have pseudonymization if there's no, you know, benefit to the business community or to the, the controller for pseudonymizing?

D

Great question and I love that we're getting straight into the weeds on this episode. So I think that's a really good point and that the benefits of pseudonymization have been oversold by some people to suggest that it is equivalent to anonymisation, which of course it's not. Certainly in GDPR terms there are security benefits to pseudonymizing. So if you have the information you need to make the identification in one place and the pseudonymous pseudonymized identifiers in another, then you know, you can control who can make that link either internally or if you are suffer a breach, then the pseudonymized information by itself might not be very useful to the attacker. So in that sense it's like a security measure. And it's also, you know, tangentially, it's a data protection by design measure because you are reducing privacy risks by doing it. And data protection risks there's also, and we're going to get to this, I suppose you might be leading up to this some benefits if you take more recent case law to pseudonymization in the hands of someone to whom you only give the pseudonymized data, not the additional information as it's put under the gdpr.

B

And that's a great opportunity for me to ask about this more recent case that dropped What, a week or two ago in early September, the SRB case. So, you know, my understanding is the c, you know, the Court of Justice of EU clarified the definition of personal data is as, as being closer to relative. And so I would love it if you would walk my audience through a bit of the background and the court's ruling in srb.

D

I will. So I'll tell you what I know. And I was on vacation when this case dropped, but I have managed to catch up.

B

Robert, there is no such thing as a vacation for data protection professionals, my friend.

D

Well, I did, I did give it a cursory read. Not on the beach, but in the apartment. So the details here are. Well, the background is it's a case between the srb, the Single Resolution Board and the European Data Protection Supervisor. So the SRB is quite obscure for me anyway. EU institution that was set up in the wake of the financial crash in 2008 to unwind banks that were going bust and take control of financial institutions. And they did a survey of shareholders in a bank that was closing down or being sold or being bought. And they sent the, the results of that survey to Deloitte in the US and they pseudonymized the participants names, but not the opinions, you know, the comments on the survey. So the shareholders in the bank, who were the respondents here to the survey, got upset about this and launched a complaint against sr. I think some of that complaint was a little bit confused in data protection terms, but they got through to the European Data Protection Supervisor. What they alleged was that SRB should have notified them that they were going to transfer this data to Deloitte. The SRB said, no, we're only sending Deloitte pseudonymized data. We're not sending the additional information that would help them to link these responses to actual shareholders. So we didn't need to tell the shareholders about this transaction. So the question was this personal data when SRB sent it to Deloitte and was it personal data when Deloitte processed it, given that they couldn't make that link to identify the people the information was about? So those are two of the essential questions here. This is what we're dealing with. And at first instance it was decided that in neither case was it personal data. SRB actually didn't need to tell the shareholders that they had sent the data to Deloitte because Deloitte wouldn't, it wouldn't be personal data once Deloitte received it. And the court just recently said, no, it was personal data or they should have. SRB should have told the participants what they plan to do with the pseudonymized data, but once Deloitte received it, actually, because they can't make the link, just the pseudonyms, as it were, that's not personal data when Deloitte has it. So we do get this slightly more relative definition of personal data confirmed or emerging from this case.

B

As you say, Alan, my audience is the ad space. And so what do you see as the implications of the SRB decision for the digital media folks? Or is it really just sort of a moot point? Because at the end of the day, you need a, a consent for the placement of a tracking technology and you probably need a consent for any profile that's associated with the, the tracking technology. It, it sounds groundbreaking in an academic privacy setting, but is it such a big deal in the digital media world?

D

I haven't quite settled on that yet. You, you are seeing two different types of opinion about this. You know, some that say it's. It's just reiterating the Brea case, it's not new. And some saying actually it is quite significant, particularly if you are working with pseudonyms, as is often the case in the ad tech space. I wouldn't like to take a firm view on that just yet. I think it does leave some unanswered questions. So one thing it does mean, one thing it confirms is that if you plan to strip out identifiers or pseudonymize data after you've collected it and process it in that pseudonymized or even anonymous form, you still need to tell people what you're planning to do with it when you collect it. This was confirmed in that case. So they said SRB should have told these shareholders they were planning to send their pseudonymized data to Deloitte. So the equivalent that you can probably draw a parallel in the, in the ad space as to when you might be doing that sort of thing, you still have those transparency obligations and presumably other obligations under the GDPR as well. It follows. As for if you're working with this sort of data as a vendor, maybe in the ad space, if you've received pseudonyms from a publisher or another player, then it does suggest that you might be able to do a bit more with the data because it might not qualify as personal if you can't make the link, even if the person who collected it can. There's a question as to whether this applies to processors, because Deloitte was not, it seems, acting as SRB's processor in this case, so acting on behalf of the company that collected the data that might be a bit different. I again haven't quite settled on that question and there are lots of other questions as well, I think drawing from this as to around data processing agreements, international data transfers and so on. But I think it can be read in a way that is potentially favorable to ad tech companies.

B

Well, I also think a couple of other shoes have to drop. They might, I mean, who knows? There's certainly a, a pretty broad rethink taking place in Europe when it comes to data protection. Hard to say exactly where they're going to land. But the first shoe that needs to drop is there needs to be a rethink of the E Privacy Directive because again, none of this really matters if one needs to get a consent anyway. And then the second thing is that there would need to be perhaps a larger focus on data minimization in profiling amongst EU regulators because I think we've, they've moved off of the initial Article 29 group position where, you know, interested in women's shoes in Belgium might not require a consent. Well, they seem to have moved off of that a little bit and where like almost any type of profile would require a consent. Consent, which I personally find unfortunate because I, I then I think you've incentivized the business community towards the wrong things. If, if one needs to get a consent for anything, you, you're telling the business community that they might as well collect as much data as they can.

D

Many of my colleagues would agree and others would, would disagree on you the kind of direction of your thinking there, Alan? Definitely. I am not afraid to say that the E Privacy Directive needs reform. We were waiting for many years for the privacy regulation that has now been dropped in the state. It was. There is now more rumors about the Commission proposing amendments to the Privacy Directive, maybe splitting it up to have some for national security and some for advertising and so on, which I think would be a good shout. As for the issue of profiling and consent and so on, I think you're right, it does. Having a very strict interpretation, given where we're at and how many people's livelihoods do depend ultimately on advertising and given how integral it is to so much of the economy Now, I'm not a purist about this stuff from a privacy perspective, I think that there do need to be compromises and you do perhaps incentivise people to throw compliance out the window. If they think it's going to be impossible, you know, they might come to an all or nothing sort of position. Maybe it's better to have something in Between. As for how that would look, I mean, that's a complicated issue. We might have something like that emerging in the uk. I think it would be a long time before there's any significant change in the eu.

B

Yeah, I think that's a fair observation. I recently had Tobias Juden on the Pod and we were riffing a little bit back and forth. I. I responded to his comment that apparently there. There is some discussion about outlawing behavioral advertising in Norway, and I'm actually supportive of that, which has kind of ticked off some of the business community. But from my perspective, if once you admit that something isn't working, and I don't think anybody can really sit, like, stand up and say that the current process is really working for anybody, well, then how do you fix it? And I think the way to fix that is by experimentation. And so I'm intrigued by the idea of what would happen if behavioral advertising were outlawed in a particular market. But I'm also intrigued by some of the discussions taking place in the uk. And so maybe we can shift the focus a little bit to what the Information Commissioner's Office has recently initiated, because there's a consult taking place there that I think would be of a lot of interest to folks in the ad space. So, for those who might not know, UK Information Commissioner is the entity that regulates data protection in the uk. The ICO is contemplating a rethink. And I want you to keep me honest on this, because you're much closer to it than I am, but they're contemplating a rethink when it comes to the Privacy Directive rules, rules, pecr, around cookies and tracking technologies. Can you walk my audience through what's going on over there?

D

There's two things. We can separate this into two tracks. I think we've got actual primary legal reform that's just happened and is kind of taking effect in stages, some of which is about cookies that's not terribly relevant to advertisers yet. Then we have this ICO call for views. It is at the moment. So it's the early stages of a consultation about the ICOs, proposing that it does not enforce existing law or that new law in certain areas, which sounds quite controversial and is quite controversial, frankly, but the proposers themselves set out different sorts of activities that they say if people do without consent, even though they're legally required to do these things with consent, with we won't enforce the law against them. Now, it's a bit of a moot point, again, to bring your phrase from earlier, because the ICO has Never enforced this part of the law for these activities. We've only had one, as far as I know, cookies. Related case or tracking? Related. We did have lots of letters sent out about cookie banners and so on. They've got quite a strict interpretation on cookie banners, but they are thinking about relaxing enforcement so far as they can relax it any further in areas like frequency capping, fraud detection, certain types of. Well, there's a proposal for certain types of targeting, but I think that wouldn't be the, you know, the sort of targeting we mean when we say targeting, fingerprinting and so on, but certain sort of ancillary activities, I guess, around advertising that do technically require consent under EU and UK law, but really are very quite low risk, I would say, personally. So what they might be doing here is informing new primary legislation or secondary legislation for the UK government, which means that the government does have the right to pass certain regulations under this new law, and I think the ICO's consultation might be informing that. So we could see new exceptions to the cookie and tracking rules in the UK emerge from this process.

B

So I applaud this again in the same way that I applaud what may or may not happen in Norway, because this sounds different. We're going to try something new here, and I have no idea if it's going to work, but. But again, I think some experimentation is sort of exciting. Do you see any downside, potentially, to the business community to this type of initiative? I mean, other than the obvious. Whereas, like they say, you know what, we thought about it, and heck with it, we're gonna. We're gonna go back to the old rule set and we're gonna double down on enforcement. But, like, leaving that aside, do you see. Do you see this, you know, heading in a direction that. That becomes a little bit problematic?

D

I think from a pure privacy perspective, I don't have an issue with people, you know, doing frequency capping and ad selection, staff measurement without consent. I think that's pretty harmless, to be frank. Some people would be outraged by that assertion, but I have a slightly higher risk tolerance than some people. The problematic element here, I think, is that the ICO is effectively saying it's not going to enforce the law in certain areas. And working with the government to pass sort of weaker data protection and privacy laws, it seems it just leaves a slightly odd taste in my mouth. You know, Parliament has just decided not to exclude these things from the cookie consent rules. It did decide to exclude certain statistical analytics, for example, emergency access to device location for emergency services. So called performance cookies will be out of scope of the consent rules. But there is nothing in that law about frequency capping and so on. What I think the reason for that might be that the government recently had its adequacy decision reviewed from the eu. So this is a way for the UK to receive personal data from the EU without lots of contracts and cuts. A lot of red tape for businesses. Now, none of this frequency capping exception or anything was in that primary law, but we might be introducing it now in secondary law. So it might have been a way to get it kind of under the table without the EU noticing or, you know, we're not going to have a review of that decision for several years now. So it might be something to do with that. All of which in a rule of law kind of public law sense, makes me a little bit uneasy, but that's just me.

B

Yeah, I. My quick response to that is don't get me started on rule of law issues because every time I open up the. The news today and, and actually I think there are worse rule laws of issues taking place in the EU because there is a clear circumvention of the one stop shop principle. And that to me seems like maybe a more direct hit on the rule of law, but maybe, maybe best to move on. But speaking of the eu, do you think there's any likelihood of them taking on a similar initiative? I mean, like, you know, the ICO is getting feedback from the marketplace. Hopefully there will be some level of experimentation there. I mean, do you see much appetite in the EU for, for a similar initiative or is it. Is you think it's going to be more. More of the same?

D

No, I don't see much appetite for it in the eu. And you know, by nature of it being, you know, 27 countries, partly it's much slower to make changes. It would be. It's years before anything happens really, when it's first proposed. There are DPAs that take much stronger and more absolutist views on privacy than the ico. Your former guest Tobias, who I massive respect for, he is, you know, he's quite, I don't want to say extreme, but he's one of the kind of stricter in Norway anyway, one of the stricter DPAs in the block. We also have Germany can get Austria. They've had some much stricter interpretations or decisions than the ico. So I think, well, that would be a barrier to this sort of reform in the eu. Not that they are legislators in that sense, but I think they are involved in the process sufficiently to slow things like that down at least and give a disfavorable opinions. So no, I don't see it happening in the EU anytime soon, to be honest.

B

So you alluded to the adequacy decision between the EU and the UK and adequacy is basically shorthand for, yeah, your data protection laws are up to snuff or up to the EU standard, so that cross border data transfers can, can happen without tons and tons of additional red tape. And cross border data transfers are a huge issue as between the EU and a lot of places, but probably no more so than the EU and the US and so I'd love to talk about that a little bit. So I recognize that this is one of those areas where the business folks in my audience can start to feel their eyes glaze over. But why are cross border data transfers critical to a viable digital media space?

D

They are critical to the digital media space as it stands because, well, frankly, so much business is done by the US and eu Consumers consume so much US stuff, you know, products, services, media, and if you were to flip the switch and shut that off, I mean, European civilization would probably collapse overnight, to be, to be frank. So much of our services and goods come from the US particularly in the digital space, that we need some way to facilitate the transfer of data back and forth. Of course we have that in a physical sense, but we also need to have it in a legal sense. So these adequacy decisions that have been quite shaky between the EU and the US over the years, as I'm sure you know, and we can, we can discuss, are Europe's way of reassuring itself that European data is safe when it leaves Europe, you know, having such high data protection standards, it does need to be accessed in the US to facilitate a lot of this stuff. You know, the flow is not one way. So these are, that's what the adequacy decisions are about.

B

And there's a particular challenge within the ad space because so many ad tech companies continue to process data in the US even, even data where ads are being served on, you know, to EU data subjects or on EU sites that are directed to EU data subjects. And so first of all, data localization is problematic because somewhere along the chain somebody is transferring data for processing in the US Right now it's probably most of them. But even if you got it down to, you know, cut that in half, there's still somebody who's, who's, who's ultimately processing data in the US and so, you know, We've, we've had a whole bunch of back and forth on this, you know, so most of my audience will have some familiarity with Max Schrems and how his efforts have effectively brought down EU to US data transfers twice now. But there was a more recent challenge to the EU US Data Privacy Framework. And the DPF is sort of the, the newer version of Safe harbor slash Privacy Shield to those who, who maybe don't have a scorecard here. But the Data Privacy Framework has been up for a few years now. You know, there was a challenge to it. It wasn't from Max Schrems, but it was a significant challenge. And I'm wondering if you would walk my audience through the specifics of that challenge.

D

Yeah, I don't want to get too technical with this particular case, because it was. The details are quite dry. So the Schrems 1 and 2 cases, as they're called, challenge those older frameworks that you mentioned, the Safe harbor and Privacy Shield, that basically they put restrictions on the US Intelligence services in respect of data imported from the eu. The new Data Privacy Framework tries to address the issues with those previous cases. And the litigant or the applicant in this case, Mr. Philippe Latombe, who is a French MP and also sits on the French Data Protection Authority Board, but was bringing this case as a private citizen. So those things are arguably not relevant. He said that the new framework doesn't solve the problems of the old ones. Now, the problems with the old ones where essentially that, well, the most recent one anyway, privacy shield people don't have sufficient recourse to appeal if they feel that they have been surveilled illegally by, for example, the NSA in the us so there wasn't a procedure to get them in front of a judge to make their case. The new framework has what they call a data protection review court. Now, Mr. Trump has massively undermined the independence of that court and fired people on the body that oversees it and has arguably quite badly harmed the neutrality of that whole process.

B

But that's sort of the interesting part of this, because it's sort of like they chose to go to evaluate the DPF based on what it was like when it was created and not what it was like today. And so query whether they'd reviewed it with what was going on today, whether they would have come back with the same decision.

D

Yes, you're right, Alan. So because of how EU law works or this particular procedure, they only looked at the framework as it was constructed and didn't take into account the fact that Trump has fired the FTC chair and Rebecca Slaughter of BEA and has dismantled this Privacy and Civil Liberties Oversight Board and has put various executive orders that kind of extend executive power into places where it arguably shouldn't be. None of that was considered by the court and also they didn't really look that far into the substance. There was a problem with this case, in my view, which was that Mr. Latombe was using a procedure designed for EU institutions rather than private citizens. Now, I'm sure he knew that, but he was just trying it anyway. WhatsApp and TikTok have both tried to use this procedure as well, unsuccessfully. He got further than them, but I don't think it was really a proper challenge to this framework. So we might not have seen the back of this case. It might come back at appeal, it might be heard more fully in future, but for now that that framework is definitely safe for at least a year or so.

B

Well, yeah, a year or hopefully so, because we'll see. I mean, it seems like just a matter of time before Mr. Schrems and Nlyb get around to launching a formal challenge. I'm almost surprised that hasn't happened yet, although perhaps there are things taking place in the background of which I am unaware.

D

Yeah, a bit of insight there. Well, I interviewed Schrems in 2022. I think it was when this was just in. They were just in talks about this and he suggested that he was ready to go. You know, once this was passed, he would challenge it straight away through a fast track procedure. And he. That didn't happen. And so people have been asking for a few years what's going on. And I think the most recent comment we have is that this is a very expensive process and it appears that NOIB can't fund it. That's just based on one comment he made in an interview more recently. So I don't know if we'll see a challenge from noib. Personally, I think their efforts are better focused elsewhere and they do very important work in other areas. But as far as I know, they're not preparing a challenge to this and they do tend to win cases. So that would likely be stronger than what Mr. Latombe came up with.

B

Yeah, I would say, and look, this is, this is high level, but from the outside looking in their hit rate or their success rate for things that they choose to focus on, it seems leagues better or higher than almost anybody else. The only person that I would say, I don't know why we're rating the privacy advocates here, but I'M going to go run with it. The only person who I think has maybe had as much success as Max Schrems might be Ashkan Sultani. Because the whole CCPA was on some level and the global privacy control was on some level, his brainchild. It's really amazing to me how successful both of those actors have been over the last decade or so. Even if I might disagree with some of it, boy, you still have to kind of tip your cap.

D

They. Yeah, I don't always agree with their focus, but they do tend to win. Not always. They've had some blunders, but compared to litigation funders, I think now that I have the statistics or class action lawsuits, they're very successful. And your hat tip to Sultani there as well as well deserved, I think.

B

Robert, this has been a fantastic conversation. I really appreciate you coming on. And I've got one more question, if you'd be willing. So you've worked as a journalist covering any number of data protection issues over the years, and we've had Shoshana Wadinski and a couple of other journalists on. But I always love to kind of peek into the mind of somebody covering things for journalistic purposes. And so how do you see your role as a journalist meshing with or impacting your role as a consultant?

D

Well, it was similar and also this is what kind of got me interested in the topic and also helped me meet so many people and it gave me insights into. Well, I would, I would run a story about how terrible Google and Facebook are. I would contact people on both sides of the argument to get their views. I would meet them both, you know, like them almost every time, remember them and hear both sides of the fence. So this has been kind of helpful to me as a consultant, kind of constraining as well because I'm always on both sides of an issue. I can a terrible centrist when it comes to almost everything in this, in this area because I can see the incentives and I can see the risks and having that experience early on and, you know, it was. I hesitated even to call myself a journalist at the time. I was doing work, journalistic work, but, you know, never trained in that field. I was respecting journalistic standards and so on, but it was for a very small outlet, but it certainly helped me to make a name in the sector and meet lots of very interesting people primarily.

B

Well, the one thing I would just say is that being able to view an issue from a number of different perspectives is a gift. I don't see that ever as a detriment all too often, particularly in the privacy and data protection world. People retreat into their camps and then they lob little, you know, missiles or little, little paper airplanes at the other side. And that doesn't facilitate exchange or it doesn't create a dialogue. And without that, I just don't think you're able to really solve any of the problems that are endemic to this space. You have a podcast of your own and I want to make sure we trumpet that here. Where can folks find Robert Bateman?

D

Search for the Privacy Partnership podcast wherever you get your podcasts, as they say. And I put out LinkedIn videos quite often at least once a week. I'm going for these are quite short episodes, a couple of interviews here and there, but just updates really on what's happening and my take on it.

B

Yeah, I personally find them invaluable. So please keep doing it and I'd encourage my audience to look for you.

D

Thank you, that's very kind.

B

Well, thank you so much for coming on, Robert. This has been a blast. I appreciate it. That was a great conversation. I have a few thoughts. First, I find it interesting that the EU seems to be narrowing its definition of personal data at the very time where the US led by state privacy law, has expanded its definition of personal data pretty significantly. We're now at the point in the US where I don't know where the definition of personal data ends and the definition of DE identified data begins, a notion that I have sometimes referred to as Schrodinger's data set, where a data set can be both personal data and DE identified data. Second, I'm intrigued by the experiment taking place in the UK regarding their E privacy, the Cookie Directive. I'm hoping to have someone from the UK Information Commissioner's Office on the podcast to discuss this sometime next year. But in the same way that I applaud Norway contemplating a law that would outlaw behavioral ads, I'm equally excited to see what comes of this experiment in the US uk. Also, I've become aware of a number of German publishers who have started their own experiment. It's something called the Good Advertising Initiative and I hope to have someone from that group on here soon as well. Overall, we are clearly in a monetization emergency for publishers and we need to be trying different things. Lastly, it was great to get Robert's perspective on the likelihood of Max Schrems challenging the current EU to US data privacy framework. It does seem like it's just a matter of time before somebody challenges EU to US cross border data transfers, so it was interesting here that lodging a complaint can be, as they say in the uk, right pricey, and that the budget might be the thing holding Max Schrems and Noib back from issuing a formal challenge. There's a lot to talk about in Europe, and I'm sure we'll be returning to these topics again soon. We have a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. I've got John Leibowitz, former head of the ftc, coming on in just a couple of weeks. I've also got Patrick McGee coming on, who will talk about his fascinating book Apple in China. So please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And and thanks for listening.

A

Thank you for listening to the Market podcast. New episodes come out every Friday and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at Markitecture tv. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market. And if you're feeling social, we operate a vibrant Slack community that you can apply to join@adtech God.com.