
A
By now you've probably heard about Marketecture Live. We put on two sold-out events jam-packed with the most insightful advertising content around. Speakers included Eric Seoufer, James Borrow from Universal Ads, Mark Grether from PayPal, Olivia Corey from Houzz, and of course me and the Marketecture group. Well, this spring we're coming back bigger and better with a two day that's shaping up to be a must-attend event, March 10th and 11th in New York. We're putting on the new tentpole event in collaboration with Adweek and TV Red, and you absolutely need to be there. Early bird tickets are 25% off, and qualified brands and agencies can be comped. Go to marketlive.com right now, that's marketecturelive.com, to get the early bird discount. This podcast is brought to you by Audiohook, the leading independent audio DSP. Audiohook has direct publisher integrations into all major podcast and streaming radio platforms, providing 40% more inventory than what can be accessed in omnichannel DSPs. What's more, Audiohook has full transcripts on more than 90% of all podcast inventory, enabling advanced contextual targeting and brand suitability. Audiohook is so confident that in addition to CPM buys, they offer the industry's only pay-for-performance option, where brands can scale audio and podcasting with peace of mind knowing they are only paying for outcomes. Visit audiohook.com to learn more. That's audiohook.com.
B
Welcome to the Monopoly Report. The Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. I'm Alan Chappelle. I'm a privacy and regulatory attorney and have worked with hundreds of digital media and ad tech companies over the years. Fun fact, I've taken at least 30 of them to exits. I also publish a monthly regulatory outlook for digital media worldwide called the Chappelle Report. You can find a link to a sample copy of the Chappelle Report in the show notes. This week my guest is Dr. Gabriela Zanfir-Fortuna. Gabriela is a globally recognized data protection law expert with 15 years of experience in the field, split between Europe and the US, spanning academia, public service, consulting and policy. She currently is the Vice President for Global Privacy at the Future of Privacy Forum, a global nonprofit headquartered in Washington, DC. Gabriela is going to share her thoughts on the EU's new Digital Omnibus. The Digital Omnibus is a proposed set of EU regulations aimed at simplifying and harmonizing the EU AI Act and the GDPR. It seeks to reduce compliance burdens for businesses, especially small ones, by consolidating some data laws, simplifying cybersecurity reporting, and delaying some of the AI Act obligations. I think there's a legitimate debate to be had about simplifying the privacy rules in the EU. For those of us in digital media, there's a similar debate being had about what I've called the EU's overreliance on consent and consent fatigue. There's an old saying that if you want to make an omelet, you need to break a few eggs. But what I want to understand is this. If breaking eggs means a reduction in fundamental human rights enjoyed by Europeans, is the trade-off worth it? I've got so many questions, so let's get to it. Hi, Gabriela, how are you? Thanks for coming on my pod.
C
Hi, Alan. Thank you so much for having me.
B
Well, how. Where are you right now? Are you in D.C.?
C
Well, funny story. I will tell you where I am, and you might be surprised because I'm in Detroit.
B
Detroit. All right.
C
Yeah. So technically I work for the Future of Privacy Forum's Washington, D.C. office, but I am physically based in Detroit, so I mostly work remotely.
B
Oh, good for you. My brother lived in Farmington Hills for a number of years, and so I spent a lot of time out there with him. And really nice place to live.
C
It really is nice. Yes. It's beautiful nature all around. I love the seasons. I'm originally from Romania, which also has four seasons, and I just love seeing the color change. And overall communities here are very nice, wonderful.
B
And sometimes there's something kind of cool about getting out of D.C. or New York, and you can kind of maybe have a little bit different perspective, which is nice.
C
Absolutely.
B
So I've shared your bio details in the show notes, but I would love it if you would share a bit more about yourself. So what's your origin story here, and how did you come to take an interest in privacy?
C
Well, there are actually two origin stories, and I care a lot about both of them. The first one has to do with my original interest in privacy, overall. Privacy as a human right, as a fundamental right. And this one comes very impactfully from my family back in Romania and their experience during communism before 1989, when the Berlin Wall fell and we had a revolution in Romania. The lack of privacy was astounding back then. And I've heard so many stories from my family about how people were afraid of talking to their neighbors, even their families, about being cold and just not having food towards the last part of the 80s, more afraid of talking about it than actually experiencing it because they were afraid of the consequences of those that were surveilling them. So the lack of privacy had a direct impact on just their dignity, their well-being, almost equal to just being deprived of some fundamental goods and other fundamental rights. I particularly know from my granddad, whose dad actually did political prison, even though he was kind of just a school teacher, first grade school teacher, and my granddad suffered from being surveilled throughout his entire life. And he was telling me how he was listening to Radio Free Europe with the slightest of volume. And that was because very often he would find neighbors or other people from the village just listening outside his window to turn him in to the secret police. So as you can see, it's like a very sort of heavy origin story in this sense and why I care about privacy so much. The other one is much shorter and not as interesting, and it has to do with a moot court competition I participated in in law school, when I discovered that there is a thing called data protection in European Union law. And I found it absolutely fascinating. And this was before the GDPR. So I started with the field some years before the GDPR. And being so fascinated by these two perspectives, I continued my research after law school.
I did an LLM and then I did my PhD in data protection law.
B
So one of the reasons, and there were a bunch, but one of the reasons I wanted to have you on was to discuss this as someone who comes at privacy from a very real world consequence perspective, because a good deal of my audience comes at this from the advertising space. Some of them are for big tech firms, but many are for much smaller companies. But one of the things that this group struggles with is understanding and quantifying privacy harms. And so I would love your thoughts on how do we go from, and I'm going to use air quotes here, but building a profile based on an interest in fishing or golf to undermining democracy, because a lot of us, I would even include myself, have a little trouble drawing that straight line. And I would love any perspective you would be willing to share.
C
Thank you so much for that question. Even though I have to say it's one of the most difficult questions out there. There are a couple of threads that come to mind as what I can share and weigh in. So the first one, which will help me delineate a bit from the harms conversation, is that from the legal theory I come from, which is the European Union's theory on data protection and privacy, the harms themselves don't matter that much, and it might be controversial. But what matters in that legal framework and legal philosophy about all of this is that you simply respect those rules of the road. When harms occur and when harms come, that's to be sort of proved later on if you want to ask for damages against those who cause harms and so forth. So from my sort of legal theory and framework, harms don't matter as much as they would matter absolutely in a common law space as the one we have here in the US. So having said that, let me also weigh in from this other perspective, which is that I absolutely understand how it's almost impossible to see any harm when you're looking at a beautifully targeted ad. And I have been the beneficiary of some pretty amazing things that I purchased online after seeing targeted ads. You know, from dresses to purses to like nice office, little things with stuff that I care about. So I think when we're talking about harms in this space, we have to detach a bit from this harmless type of artifact of the online advertising ecosystem and look at that big picture. And when I say big picture, I literally have in mind this huge infographic I once saw with the whole RTB ecosystem, right. And when I started to actually understand what was going on on so many different levels before I got to see that beautifully targeted ad. And I do see so much value in having relevant marketing and relevant ads. Absolutely, I see that value.
But on another hand, when some of the common sense rules on how all of the data trickles into that big picture are not followed or at least cared a bit about, we might get into situations that can easily become harmful even at a systemic level. I will give you two examples. One of them we've seen that even the US Government has now come to hint towards the fact that bulk sensitive data in even some ad tech form of collecting them might touch on national security interests. And we have seen that with the DOJ rules that limit transfers of bulk sensitive data of Americans towards adversary countries. And I think what's remarkable here is that both the previous administration and the current administration are kind of accepting that as a policy goal of the US government. And then the second thing I'm going to point out to is an example from exactly a year ago and an example again from my home country of Romania, where we had an unprecedented thing happen in November of last year where the first round of the presidential elections in the country was annulled by the Constitutional court, some massive revolt, and a lot of soul searching that happened afterwards towards democratic processes and so forth. And as part of that very big development in the country, it was shown afterwards in filings that a little bit of role was played by a campaign of online targeted ads that was being done for years in the country by a particular marketing company, AdNow, based in London and which was peddling, let's just call it misinformation. And we went from a very harmless little ad about how tea can cure cancer or something that was being done for years and that ended up in such an explosive moment for a young democracy, which frankly, it's still young and it's still learning a lot and trying to find its footing. That was a lot to take in there. But these were my thoughts when I heard the question.
B
Really, really fascinating. So I've got two reactions. The first is, and I'm not here to attempt to normalize this, but I will say that a lot of what's taken place, you know, even in the U.S. recent election, certainly around the world, is stuff that started back around the whole Cambridge Analytica thing a number of years ago. There was certainly the ability to advertise via these platforms in a way that, you know, certainly moves political sentiment in certain directions. And we're seeing the ramifications of that now. So that your point's well taken. But what's even more fascinating for me was your comment about the DOJ bulk surveillance rules and PADFA, because it really helps tie into the discussion we're having here today, because at the very time that the US is saying that, you know, website visits, if strung together, can cause a national security issue, it seems like Europe may be heading in a very different direction, saying that that exact type of data set may not even be afforded the protections of their data protection law. So let me level set here a little bit. You know, we've got the Digital Omnibus, which is the proposal from the EU Commission to streamline the EU data protection rules. And before we go too far into the changes under discussion, I would love your thoughts regarding why these changes are being made. What's the goal? And then maybe we can have a discussion about whether the changes are actually aligned with the stated goal.
C
The goal of what we're seeing now in Europe is officially labeled as a simplification of the regulatory environment that the European Commission is pursuing. And they officially declared that the end goal is to support SMEs, like small and medium enterprises, to navigate this regulatory environment in the digital space. The other goal, again officially declared, is to push for European competitiveness in the digital space, and in particular with an eye towards the AI race, if I may call it that way. So these are the declared goals, and I believe that the European Commission believes that what they're proposing will end up achieving part of these goals. I am not personally convinced this will be the case, to be honest. Europe has a very consistent and significant regulatory environment for everything, not only in the digital space, you know, from labor law to funding to all of the other important elements in a competitiveness debate. So this is the goal. And it all started with the very famous Draghi Report, which is a report on European competitiveness that was published more than a year ago by Mario Draghi and who suggested that one of the key problems for European competitiveness was a burdensome regulatory environment.
B
Yeah, Reagan started that in the US back in the 80s, after he apparently helped defeat communism. And so there's a whole bunch of irony in play here regarding where the two respective regimes are going. You know, one of the challenges, and this is just my view here, but the US favors innovation, but doesn't always talk about quality of life. And the EU has all these regulations, but a lot of those regulations are directly tied towards the quality of life of many of their people. And so while there are probably fewer startups in Europe because of all that regulation, there are some benefits to that that I think go wildly unacknowledged within the US. That isn't really a question, but if you have a reaction, I'd be delighted.
C
I have a reaction, and the reaction is that, indeed, I think we'd have to look at the both sides of the coin here. And it's true that in Europe, particularly if you're going to visit in August, you won't find a lot of people sweating at work, but just kind of enjoying a nice break, which, frankly, I don't think it's that bad. You know, sometimes folks need like a meaningful break from the year to be able to go back and grind, so let me just leave it at that.
B
One of the challenges, I think, with some of these changes, and maybe we'll get to these in a little bit, but is that there's sort of a. You're re upping the whole apple cart here and perhaps trading one set of ambiguities for a slightly different set of ambiguities. And so it's hard for me to define that as progress. So one of the changes, it's a narrowing of the definition of personal data. And so a good deal of my audience works at ad tech companies, and most of whom have for 20 something years done everything they can to stay outside of the identifiable personal data world. So do these changes mean that companies that only process pseudonymous data could find themselves outside the rule set of the new GDPR?
C
In short, yes. Mind you though, this is based on a first assessment that myself and the team did, and we're just at the beginning of discussing this with various stakeholders to better understand how the impact of these changes will look in real life and in real compliance programs. But based on our initial assessment, that is indeed the case, because it's true that the definition of personal data in the GDPR, with which I'm sure your audience has become very familiar in the past more than five years, let's say, which indeed is very broadly conceived, right? So that definition, if this proposal will be adopted in the end, will have a significant addition which will indeed make it as such that while the same set of data is personal for an entity which has the means to reidentify it, that same set of identifiable data will not be considered personal for any other entity or some of the other entities which will not have it as easy to reidentify it. And even when you are trying to explain exactly how that definition, the addition to the definition, is being conceived, you immediately see the level of uncertainty and of ambiguity that would need guidance, further clarification, that will see privacy offices not knowing exactly which way to pull internally. Do they convince their board that well, we actually need to have a full program for this key coded data as opposed to no, don't worry about it, we are safe, we don't need to invest so much in our compliance program now, and then they might find themselves in a matter of months, let's say, with an investigation. Because who knows how those means reasonably likely to reidentify will actually be assessed. So that's why I think the concern is real in terms of uncertainty. And this is also why I think we need to have a very applied conversation before we end up with a text that will create more problems than it solves.
B
I could not agree more because it feels like, and this might just be my lack of knowledge about how the sausage making in Europe ultimately works. But there's some really interesting ideas in here, but some of them don't feel fully baked, and I think you've identified one of them with the definition of personal data, because the implications of that don't seem entirely clear. There's a couple of others that I would love your thoughts on. So there's a provision within the digital omnibus that creates a browser and mobile OS based. I'm calling it Do Not Track. Somebody might call it Global Privacy Control, but a, you know, stop the tracking button. And it's designated to allow users to revoke their consent. But they've sort of kicked the can on the implementation details and they've said, well, in six months we'll, you know, figure out a way to create those implementation details. It doesn't seem like a lot of time to me and I'm curious. I sat for three years partially in Europe discussing the Do Not Track standard and this seems like a lot like that. And I don't really understand how in six months we're going to do something that we couldn't do in three years.
C
And you are spot on with these complications and you are right. So what the omnibus proposal is including is the possibility of a sort of Do Not Track, a privacy signal, general privacy control, or however you want to call it, which would facilitate various signals, it would facilitate a consent signal, it would facilitate a refusal of consent, but it would also have to facilitate an opt out from a direct marketing. And then of course we'll go, you know, what is direct marketing? And we'll go into that whole conversation. This automated signal would need to be done at browser level or other type of online interface level, which again, I'm sure, will be a matter of conversation. And the other important detail here is that the European Commission has to request a standard from the standardization bodies in Europe, like officially submit a request for a standard that meets all of these points, and then the standardization body has to come up with it within a particular time frame. And it's true that we've heard about six months. In the most recent documents that I've seen, they switched that to 24 months, which seems more reasonable. But there are still questions about whether the standardization bodies will be able to deliver any of that. Right now there is a situation in Europe where standardization bodies had to come up with various standards for the application of the AI Act, which is another regulatory framework. And there have been significant delays with that process, which is creating complications with the compliance programs and so forth. The question is, will the standardization bodies be able to deliver on the AI Act standards, on this new standard, taking into account just how complex the conversations on the Do Not Track were back in the day? I don't frankly know.
And this is just one of the complications. Before ending here, a funny detail that I spotted in the latest documents was that there was a reference to agentic AI as a potential means to do all of this. So, you know, that just throws another.
B
Gabriela, don't feel too bad. I think the privacy nerds can just take a little bit of solace in the fact that all of the business people are pointing to agentic as a thing that's going to solve all of their problems too.
C
Absolutely. Absolutely.
B
With about equal success rate, I would imagine. Well, I'm glad to hear it's 24 months. I just think there are so many complexities in here. As somebody who again has been down this road before, and the one thing that we have to grapple with now that I don't think anybody was willing to grapple with, with respect to the Do Not Track wars, you know, 10, 15 years ago, was number one. Now there's a recognition that the browser may have their own advertising offering and that it's probably uncool or impolite to use the Do Not Track signal as a way to preference your own ad products and services. But it doesn't seem like that's been accounted for in the digital omnibus. And so that's something that probably needs to be dealt with. A second thought is there's a carve out to some of the cookie and tracking rules where they don't seem to apply to media companies. I'm using air quotes there too because I'm not sure what a media company is in this context. Like is TikTok a media company or are we talking about Axel Springer? I'm pretty sure Axel Springer is a media company, but, you know, is Meta?
C
That is another great question. Oh my goodness. And I'm on a roll here. You're on a roll. And there's generally no simple answer to that. What I can share is that the intention of the text of the Digital Omnibus is to consider providers of media services the same providers which are covered by another EU legislation on the Freedom of Media Act. Media Freedom Act. So technically, if some of the platform services would be considered a provider under the Media Freedom Act, then they would also be considered a provider of media services under this particular exemption. And that's just one complication. The other complication is that while there are exemptions from this, let's say DNT 2.0 or 3.0, I don't know, for providers of media services, they do not seem to be exempted from the general rule that they would need to have consent for cookies to be placed if the cookies or any other sort of personal data that would be placed or would be extracted from devices of individuals. If they go beyond gathering data beyond the purposes that are now permitted, which would include audience measurement in aggregated form, but if they go beyond that, so for advertising purposes they would still need consent. However, they don't have to respect the general signal, but they would still, you know, you would still see banners. So.
B
Yeah, so if a large portion of the rationale behind this entire initiative is simplification of some of the issues around consent fatigue. But it doesn't sound like we've moved away from that at all. Because if you're going to require, and I'm not here to pick on Axel Springer, I just, they're very well known. If Axel Springer can't avoid a consent to serve a, you know, to frequency cap on their network of sites, then why are we here?
C
That is a good question. And probably we'll see much more nuance around this as the debate moves on in Brussels.
B
Yeah, and that's probably something that we should talk a bit about. What's the stated timing for this, and then what's your best guess, as an expert in this area, to when the, you know, real implementation date is going to be?
C
There is no stated timing as far as I am aware. And it's important to note that this legislative proposal is special in that it targets several legislative acts. So it's not just about changes to the GDPR. It's also about changes to the Data Act, the Data Governance Act, some of the cybersecurity acts. All of these changes are proposed through one piece of legislation. That's why it's called an omnibus. And this is the digital omnibus. There is the second omnibus proposed the same day, which targets the AI Act in some very specific points. Now from my understanding, the European Commission intends to have it wrapped up quite quickly, and I'm pretty sure they would be happy to see it wrapped up in, let's say, six months. So by the mid of 2026. Realistically speaking, I don't think this will be possible given the complexity and given already the emotion and reaction that the publication of this draft legislative proposal had already in Brussels. So I think this will take a year, in my estimation, at least, and then we'll see whether it comes with any sort of implementation period, grace period to implement and so forth.
B
Yeah, and in fairness, the GDPR basically had a two year implementation period or a two year warning before they started enforcement. And so but that also means that there's a lot of stuff under discussion right now which could fundamentally change the digital ad space and other places too. But that's the focus here in this pod, is digital ads. But that we really aren't going to know how this shakes out for some time.
C
Absolutely agreed. Absolutely agreed.
B
So you've hinted at this and I would love to talk about it a little bit more directly. I would love it if you would walk my audience through some of the changes to the use of AI, particularly as it pertains to digital media. And boy, does AI hit digital media from a whole bunch of sides. So, for example, the use of AI for model training seems squarely okay under legitimate interest under these rules. I have a little trouble getting my head around how the right to withdraw permission that is required under legitimate interest is going to work. And then there's some intellectual property concerns. But I would love it if you would just walk the audience through what are those changes and how are those going to impact those really important areas of the marketplace?
C
There are some important changes coming with regards to processing personal data for AI purposes. Let me stop for a second and just highlight how significant it is that the data protection law is being amended to particularly target a technology that's named. This has not happened so far. Data protection law, the GDPR, has been a tech neutral set of rules, right? So imagine if five years ago the GDPR would have been amended for the Metaverse, let's say, or blockchain. Right? I think this also speaks to just how transformative AI is being considered to be, even in places like Brussels, which are potentially more traditional when it comes to regulation. So important to mention that. Then the changes are that we'll have a particular ground for processing personal data for both training and operation of AI systems. So it's both for development and the operation of AI systems, and that will be based on legitimate interests. The proposal includes this new article which also has a set of measures that controllers would need to put in place so that they can rely on this lawful ground. I believe a lot of negotiations will happen around those measures because you are right, there will be technical difficulties in providing erasure, opt out and so forth. Then the other one, which is very important, there is a change of regime in the processing of sensitive data. Many of you know, I'm talking to your audience, many of you know that Article 9 of the GDPR has a prohibition for processing sensitive data unless one of the grounds in Article 9(2) apply. Well, now the proposal aims to include a particular exception in Article 9(2) for the development and operation of an AI system.
This would again come with a number of measures that are actually quite detailed in a separate paragraph and which would counterbalance this new exception and would ensure that there is some sort of equilibrium there in between the rights and interest of individuals and the operators, developers of an AI system.
B
So help me get my head around something. So the concept of legitimate interest is basically a balancing test that says that my right to collect this data set is superior to the risks to anybody who happens to fall under that data set. So when you take that concept into artificial intelligence, what it seems to be saying is that I can scan the entirety of the Internet, which is probably going to include a whole bunch of stuff about Gabriela and definitely some stuff about Alan, and in the case of Alan, probably some stuff I don't want everybody to know. But fair enough. But you can scan all of that data and then where is my right to object to being included in that data set that's used to train the model?
C
Will have to find it in the haystack, if I can say that we will.
B
I was hoping you had something for me, Gabriela.
C
I was like, okay, we will have to find that right to object in the haystack. And I think that the moment we will stop looking for it, I think it is indeed the time we just say goodbye to privacy, as much as it pains me to say that. But I think we should at least try to balance these two so that we maintain a semblance of privacy in our online lives.
B
So how does this new regime, at a very high level, compare to how the US and India and South Korea and Japan, and I'm just, I'm China. How does this regime compare to how the rest of the world is viewing AI? Because in my view, and I don't look at this nearly as detailed as you do, but my meta view here is that everybody thinks AI is going to be the future of civilization, so we need to get the heck out of the way. Well, first of all, am I thinking about this the right way? And then secondly, is that how AI rules are being implemented elsewhere?
C
I think there is a bit of reckoning happening right now with the fact that everybody is acknowledging existing data protection law and existing privacy law has an absolute impact on the development and operation of AI. Whereas the past five years have been so focused in the AI governance, AI lawmaking space on new rules for AI. What is a new interesting legal framework we can think of and rein AI in and what principles for ethics and other principles for governance we can put in place. And there was just so much debate over that that people forgot we have this full comprehensive regime, legal regime that is being applied to the input into the AI systems being developed and AI models. And I think that reckoning is happening right now with everybody understanding that data protection legal frameworks very much impact development of AI. We have seen countries that after the GDPR was adopted back in 2016 and then as you mentioned, it became applicable two years later. So most folks know about 2018 as the GDPR year, but it was actually adopted in 2016. And after that time, many countries around the world, and I would particularly point to Brazil and to India, have roundtable efforts to adopt data protection laws which are quite similar in concept and philosophy to the GDPR. We have seen so many jurisdictions updating their data protection laws to be more aligned with the set of standards in the GDPR. And this includes South Korea, by the way. This includes Singapore and New Zealand, other regions around the world. And now with what's happening with the GDPR, it will be very interesting to see whether there will be ripple effects with these other regimes because the GDPR was very successful in exporting its broad conception of what personal data is. And now in the light of AI development and operation, the GDPR and the EU are kind of saying, oh wait a second, hold your horses, we might want to fiddle with the definition.
Maybe it's not as broad as we thought because look, we need all of this data to have less restrictions or now no restrictions at all when we're using it for this sort of generational marking technology that is being developed right now. So this is kind of how I'm looking at the broader environments in this space.
B
Well, thank you very much for that overview. My, my one observation and boy, I would invite you to tell me how I'm full of baloney on this, but my one observation with respect to definition of personal data, just to bring this whole thing back, is, boy, a lot of focus and regulatory energy has been focused on pseudonymous data. And I just have to wonder, had we just kept the focus on identifiable data and we can debate at the margins of when you cross over that threshold, but if you kept the rule set focus more on identifiable data, I actually think you would have been able to get at a lot of the true privacy harms.
C
I think it's a valid perspective. And the Future of Privacy Forum has been talking and doing infographics for years on a spectrum of de-identification and how you don't have binary personal, non-personal data, but you have truly a spectrum of various data with various degrees of identifiability and each of them having a set of find potential harms that also increase or decrease based on that spectrum. So I think this is a very valid perspective to have had.
B
We had that perspective back in, what was it, 2016. Our friends at Google might have not felt quite as empowered to just merge all of their identifiable data with pseudonymous data. And surely from a privacy perspective, I think the world would have been an inch better for that. But Gabriela, this has been an absolutely wonderful discussion. I've got one more question for you and it's kind of a big one because we've talked about the digital omnibus and you know, we've talked about fundamentally changing the EU mindset in terms of a number of critical areas of the rule set. Okay. So historically, you know, the EU enforcers, the supervisory authorities, they tend to adopt very pro-privacy interpretations of the GDPR and I can't imagine that they are happy about some of these changes. I'd love to have Tobias Judin back on the pod at some point just to get his perspective because I just can't imagine that they're super happy. So what's your sense about how this is all going to play out? Do you see the EU regulators capitulating to these changes or do you see something closer to, like a regulatory revolt?
C
I see something closer to a regulatory revolt. This is also partially because some of the changes that the European Commission is proposing in the omnibus is for the European Commission to have more power as a digital regulator, as a data protection regulator. For instance, the European Commission would approve a template of data protection impact assessments. They would also approve lists of processing activities that are required to have a DPIA and lists of processing activities that are not required to have a DPIA, as just one example. And these are things that you would think the EDPB more naturally would do. So my sense is that the EDPB and the national regulators will not be very happy with these changes that are being proposed and we might see a forceful dialogue, let's say, happening in Brussels on all of this.
B
So the EDPB is going to say, I'm going to send a very tersely written letter to the Commission and, and see how that plays out. But, but I, I think that their power and, and I'm not here to, to praise or bury the EU supervisory authorities. I mean, I get their role. They are protectors of the realm, as it were, when it comes to the fundamental right of privacy. And so they are by definition not supposed to be taking into account things like business concerns, like a right is a right. It's sort of like here in the good old USA, the First Amendment is supposed to be a nearly unassailable right. But I think their true power here is going to be in how they choose to enforce this. And my gut tells me that enforcement around this new rule set is going to be rather stubborn and is going to lean towards the old interpretations over something new.
C
I think that is right. The data protection authorities have been, I mean, the oldest of them have been around for 40 years plus. Look at the CNIL, right? They have built a body of knowledge and they have built a perspective that has been transmitted from generation to generation. And I think this is their role, to kind of perpetuate that body of knowledge, while at the same time they would need to take into account, of course, new developments of the digital economy and digital society we're living in. However, I think it's natural that they take into account their sort of historical progression. I will also point out that their role is guarded at constitutional level in the European Union with mentioning of independent supervisory authorities, both in the Treaty on the Functioning of the EU and in the Charter of Fundamental Rights under Article 8. So I think they do have legitimacy to have a strong voice. Now let's see if they will find the leaders to voice that strong voice or not, who knows?
B
My concern is less about their resiliency because I think they have that in spades. Even if I might disagree at times, these are people who, who say what they believe and are not afraid to express that. What concerns me is that we have an EU Court of Justice. So as these things work their way up through the regulatory process, and this isn't unique to Europe, the US normally takes a long time for these things to work out. We could be a decade before we get some level of clarity from the EU Court of Justice regarding how all this stuff plays out. And my fear is that it will be only those who have the huge regulatory and litigation pocketbooks who are going to survive that decade.
C
And this is where we go to that simplification goal, which I'm not entirely sure is met by all of these efforts, because I agree it will take some time for the Court of Justice to bring clarifications. Imagine that only now, after 10 years almost since the GDPR was adopted, we finally have clarifications of the simplest thing. If you think about what is direct marketing. We just got a judgment two weeks ago. Only now we have some clarifications on automated decision making and the right under that Article 22. And now that we have that clarification, the European Commission proposes that we kind of change a bit the wording in that article. So then I can see another time being passed before we get additional clarification.
B
Well, thank you and I'm going to let that be the last word. Gabriela Zanfir-Fortuna, thank you so much for coming on. This has been just a wonderful conversation. Where can my audience find you and the Future of Privacy Forum?
C
Well, absolutely. At fpf.org from Future of Privacy Forum and you'll find there timely analysis, blogs and announcements about our events and on LinkedIn. You will find me on LinkedIn quite easily under Gabriela Zanfir-Fortuna. And you'll also find the Future of Privacy Forum on painting. Sure you follow us.
B
Well, thanks. And I cannot recommend either Gabriela and the Future of Privacy Forum more heartily. They tackle very complex issues in a non political way in an effort to try to come up with solutions. And so well done. And thank you so much for coming on the pod.
C
Gabriela, thank you so much, Alan. This was an absolute pleasure. Thank you.
B
That was a really insightful discussion. I feel like we're barely scratching the surface in terms of the changes underway in Europe with the Digital Omnibus proposal. One thing I want to emphasize, what they are attempting in the EU is really ambitious with a whole bunch of interdependencies. They've got to start somewhere. And so while I'm clearly a bit critical of the number of ambiguities that are squarely left on the table, I am trying to be grateful for the attempt. And I also recognize that there are a number of different views which need to be considered as part of this process, many of which are in conflict with each other. I'd encourage all of us to see these changes as part of a journey rather than as a destination. Big ideas take time. That said, if you judge this particular proposal as it stands today, and in my view at least, the Digital Omnibus fails. It fails to meet its stated goal of simplification of the rule set. It doesn't address the issues around consent fatigue. It turns legitimate interest as a legal basis completely on its head, and it creates all kind of complexities and enforcement frontiers that will only serve to make Europe less competitive. In other words, it fails on almost every level. I am hoping to have someone from the EU Commission on the podcast to share their views sometime in 2026, so this certainly won't be the last time we talk about the Digital Omnibus. I have Peter Craddock coming on the pod later in December, and Peter isn't the only great guest we'll have here on the Monopoly Report podcast over the next couple of weeks. I'll have Commissioner Mark Meador of the Federal Trade Commission joining me on the podcast. So please subscribe to the show at monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.
Episode 57: The EU Digital Omnibus with Dr. Gabriela Zanfir-Fortuna
Host: Alan Chapell
Guest: Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy, Future of Privacy Forum
Date: December 3, 2025
This episode delves into the European Union’s proposed "Digital Omnibus"—a sweeping regulatory package intended to simplify and harmonize the EU’s digital legal landscape, including GDPR and the EU AI Act. Host Alan Chapell is joined by Dr. Gabriela Zanfir-Fortuna, a leading international privacy expert, to unpack what these changes mean for technology companies, advertisers, regulators, and ordinary citizens. The conversation scrutinizes the goals, controversial provisions, and potential ripple effects of the Digital Omnibus, especially as they relate to privacy, AI, data protection, and regulatory enforcement.
"[Privacy] had a direct impact on just their dignity, their well being, almost equal to just being deprived of some fundamental goods and other fundamental rights." (04:54 — Gabriela)
"From the legal theory I come from...harms themselves don't matter that much...what matters...is that you simply respect those rules..." (08:28 — Gabriela)
"...they might find themselves in a matter of months, let's say with an investigation. Because who knows how those means reasonably likely to re identify will actually be assessed." (21:00 — Gabriela)
"...it doesn't sound like we've moved away from that at all. Because if you're going to require...consent to serve...then why are we here?" (29:17 — Alan)
"...we will have to find that right object in the haystack." (36:32 — Gabriela)
On the difference between EU and US privacy regimes:
"The US favors innovation, but doesn't always talk about quality of life. And the EU...has all these regulations, but a lot of those regulations are directly tied towards the quality of life..." (17:09 — Alan)
On unresolved ambiguities and change management:
"You're re-upping the whole apple cart here and perhaps trading one set of ambiguities for a slightly different set of ambiguities. And so it's hard for me to define that as progress." (18:37 — Alan)
On media company exemptions and further confusion:
"Oh my goodness. And I'm on a roll here. You're on a roll. And there's generally no simple answer to that." (27:32 — Gabriela)
On regulator reaction to potential loss of autonomy:
"I see something closer to a regulatory revolt." (43:45 — Gabriela)
On anticipated pro-privacy enforcement despite new rules:
"My gut tells me that enforcement around this new rule set is going to be rather stubborn and is going to lean towards the old interpretations over something new." (45:51 — Alan)
This episode presents a sober, nuanced take on the EU Digital Omnibus, celebrating regulatory ambition while laying bare its many contradictions and practical challenges. Dr. Zanfir-Fortuna, drawing on a uniquely personal and professional vantage, and Host Alan Chapell agree that the current proposal may miss its goals of simplification and could entrench ambiguities, keeping privacy practitioners, technologists, and regulators on their toes for years to come.
Closing Thoughts:
"...if you judge this particular proposal as it stands today...[it] fails to meet its stated goal of simplification of the rule set. It doesn't address the issues around consent fatigue. It turns legitimate interest as a legal basis completely on its head, and it creates all kind of complexities and enforcement frontiers that will only serve to make Europe less competitive. In other words, it fails on almost every level." (50:06 — Alan)