A

Hey everyone, it's Ari here. I want to let you know about our upcoming Market Live conference in New York on March 10th and 11th. Our live events last year were smashing successes with sold out standing room only crowds, amazing speakers and the best content you'll get in any setting in the advertising business. This year we've expanded to two days and over a thousand attendees, so it's the must attend event for the doers and thinkers in our business. You're going to learn something at this event. The speaker lineup has just been announced and it's really strong and we're just getting started. So we announced Sophia Kolushi, the CMO of Molson Coors Neil Vogel, the CEO of People Joanna o', Connell, the Chief Intelligence Officer at Omnicom Jeremiah Owang, the General Partner at Blitzscaling Ventures, he's an expert in AI and Lance Armstrong, the General Partner at Next Ventures. Get your tickets now. Early bird ends soon so your tickets are available at market that's markitecturelive.com and we have special deals for brands, agencies and publishers while tickets last, so we're going to sell out. So you want to get your tickets. It's a two day event so plan ahead. But it's in New York, nice and easy to get to and we're looking forward to seeing you there.

This podcast is brought to you by audiohook, the leading independent audio dsp. Audio Hook has direct publisher integrations into all major podcast and streaming radio platforms, providing 40% more inventory than what could be accessed in omnichannel DSPs. What's more, audiobook has full transcripts on more than 90% of all podcast inventory, enabling it advanced contextual targeting and brand suitability. Audio Hook is so confident that in addition to CPM buys, they offer the industry's only pay for performance option where brands can scale audio and podcasting with peace of mind, knowing they are only paying for outcomes. Visit audiohook.com to learn more. That's audiohook.com.

B

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. I'm Alan Chappelle. I'm a privacy and regulatory attorney and have worked with hundreds of digital media and ad tech companies over the years. I also publish a monthly regulatory outlook for digital media worldwide called the Chappelle Report. You can find a link to a sample copy of of the Chappelle Regulatory Outlook Report in the show Notes this week. My guest is Peter Craddock, a partner in data protection at the law firm Keller and Heckman. Peter helps companies innovate and use data better worldwide by providing strategic advice and legal assistance in the areas of privacy, data protection, data governance, AI governance, cybersecurity, e commerce, digitalization, and software contracting. Peter works with a bunch of digital media companies and has represented the iab, EU and some of its legal battles regarding regarding the Trust and Consent Framework, or tcf. I wanted to have Peter on to discuss the Digital Omnibus. The Digital Omnibus is a proposed set of EU regulations aimed at simplifying and harmonizing the AI act and the gdpr. Regular listeners may have heard my recent episode with Gabriela Zanfir Fortuna where we touched on some of these same issues. But there's just so much going on in Europe right now and I think there's a ton of additional ground to cover with the Digital Omnibus. So let's get to it.

Hey Peter, thanks for coming on the pod. How are you?

C

I'm doing great, thanks Alan. I'm very happy to be back.

B

Yes, you were a rare two time guest of the Monopoly Report, so welcome back. I don't know if that's a good thing or a bad thing. I guess we'll find out. Where are you these days?

C

I'm basically outside of Antwerp in Belgium.

B

Wonderful. We I have not made it to Antwerp yet. I've made it to Bruges. That's probably, probably in the as close as I've as I've gotten. So the next time we do a European tour, Brussels and a lot of Belgium is going to be on the map for me.

C

Well, you know, I'm always around Brussels, so or off to clients all over Europe. So anytime you're in the neighborhood, you just give me a shout.

B

Well, fantastic. And actually this is right on point because I'm getting the feeling that I'm going to be in Europe a lot more in 2026 as a result of this Digital Omnibus.

Let me set the table here. The Digital Omnibus, it's a proposal from the EU Commission to streamline EU data protection rules. So before we go too far into the changes under discussion here, I would love to get your thoughts regarding why these changes are being made. What's the goal and how are these changes? Are they aligned with the goal?

C

The general context has always been that there's this general idea among the among EU institutions about better regulation has been a mantra for a while now. And recently there's been this idea of simplification. This is all in this context of what's been known as the draggy reports about trying to see how can we increase EU competitiveness. So it's all about trying to figure out what are the rules that we've got, what are the issues that we have today? And do our rules, does our regulatory framework enable us to reach our goals? And if not, how do we improve them? How do we simplify them? Ideally, rather than adding. And while we know the EU is great at thinking about new regulations, we've seen our fair share of new digital regulations over the past five years in particular. But this is really an attempt to rethink this approach and try to see how can different pieces of legislation maybe be combined, how can existing legislation be adapted? And so part of this digital omnibus has been relating to the EU AI act, another part has related to the Data act and some of the related concepts, the Data Governance Act. And, and then there's a third part that is a really important one nowadays, which covers pretty much every topic and that's the one regarding the GDPR and what's called, known as the E Privacy or E Privacy regime. And so they, they're really three separate groups. The last two, GDPR and Data act, are basically put in one proposal, but it's really an entirely separate logic behind them. Now, do these attempts really work or do they attain the objective? If you think of it this way, the GDPR and Data Act 1 is basically 153 or two pages long. So the whole idea of simplification, you can think, wow, is that really simplification? But a big part of it is about trying to explain the context, is about trying to say, why do we need this? And then there's a huge part of it that's basically trying to merge legislation. The GDPR part is actually very limited in there. It's basically, I don't know, a dozen pages. It's not that much in terms of actual text, but it's really impactful. It's something that's going to have an impact on the way that legislation is interpreted going forward if this gets adopted as it is.

B

So let's walk through a couple of the changes and for now I'm probably more focused on the specific GDPR changes because, as you know, my audience is, is mostly people who work in the digital media space. So you've been a proponent of interpreting the definition of personal data in the EU more narrowly. And that definition is, you know, so the definition is a relative depending on who holds it and focusing on identifiability and in other words, that a data subject might be personal data in Peter's hands, but not in Alan's hands. So has the definition of personal data under the digital omnibus mostly followed the, the recent was it SRB decision of the Court of Justice? I mean, is that sort of where this seems to have landed?

C

Yes and no, because what, what's happened is that you've got actually a few, few key cases over the years. There was the BRIAR judgment, there was a Scania judgment and the now the SRB judgment. There are others that basically have an influence. But the three that have the biggest impact on this definition are those three. That's because the relative notion that you're hinting at, and that's really important and I've been a big proponent of it for years, is something that actually comes initially that was really discussed in the Breyer case and the first beginnings of it weren't there. And so the SRB case really emphasized this, made it crystal clear, and that part of the SRB judgment is now basically being integrated within the definition of personal data by the Commission proposal. But what the Commission did is that it went a bit a step further and it's trying to tackle another part, which is that Scania judgment and the SRB judgment talks about it a bit in a few paragraphs. What is it about? It's basically about the there are two stages in determining whether information is personal data regarding an identifiable natural person. From my perspective, the first part is knowing do I have means at my disposal or can I call upon a third party to basically help me identify the natural person, the individual? If the answer is no, then SRB confirms what BRI already said and what's in the recitals of the gdpr. If I don't have those reasonable means, then it's not personal data from my perspective. Good. That's what the Commission proposal does. It confirms that. But then the second part is what if I then I have some information that isn't personal data for me, but I then transfer it to someone else for whom it might be personal data because they might actually have reasonable means likely to be used to get to the identity basically of the individual? That's an entirely different question. And the Scania case is one where the Court of Justice basically said, this information that I've got and I'm sharing with Alan, it's not personal data for me as such, but it can be personal data for you if you have those means basically to get to identification and indirectly for me, because I'm basically making it available to you. What on earth this indirect idea of personal data means is a big question mark because the Court of Justice didn't explain that. And so this is what actually has led to a lot of questions. Well, what does that mean? Does it mean that I'm basically unable to share it with anyone out of fear that suddenly the GDPR might start to apply? And if it does, what are my obligations? It's not at all clear. And so I think what the Commission was trying to do is figure out how do we manage this uncertainty, how do we make it clear that the one who's got this data that isn't personal data for them, they shouldn't be considered to be covered by the gdpr. And so that's where they went. They added some wording in the definition of personal data that from a certain point of view, goes further than what's been said so far. But I don't see it as really going further. I see it as trying to figure out what are the potential misinterpretations we can make of that Scania judgment and how do we then integrate a reasonable approach in that definition. So basically what the Commission then wrote is it doesn't matter what is the perspective of the recipient. So basically the one who's got this information that isn't personal data from its own perspective, it is then not processing personal data. The GDPR doesn't apply. What happens if I share it with someone else? Then I think that's an entirely different discussion. And I think a lot of regulators are actually simply going to say, well, if you're enabling the processing of information that becomes personal data in other contexts, then maybe there's a way for you to become joint controller, specifically in relation to what that other third party is doing. But then it doesn't change your own assessment for your own use of that data. I think this could be an elegant way to resolve that uncertainty. But we've seen a lot of people getting up in arms about this, saying this is actually a material change to the gdpr.

B

So help me bring this around to companies in the ad space, most of whom are really doing everything they can to stay in the pseudonymous world. Can they now look at this rule set and say, as long as we only work with other pseudonymous companies and we just pass data pseudonymously back and forth, have we effectively removed ourselves from the rule set of the GDPR in practice?

C

This is what the SRBE judgment basically tells us today. So the digital Omnibus is just a proposal. We'll see what happens with it. So it's not law, we will see what, if anything, gets adopted. I'm basically hopeful that, like I said in a conference a bit recently, I said, I hope 75% of that proposal makes it through, but we'll see. But what we have today is the judgments. And the case law basically tells us that this is the situation today, that if you, as an ad tech intermediary are able to say, sorry, but I actually don't have anyone I can turn to to help me identify the individual and there's nothing in the data that I've got in and of itself that helps enable identification, then basically the GDPR doesn't apply to me. Now, the important thing is being able to show that you really don't have those means at your disposal and also that you're not sharing it with someone who will then be in that situation where you're suddenly, indirectly enabling the processing of personal data. But I say you have to show it. The fact is the onus of proof, the burden of proof actually lies on the regulator. It doesn't lie on you. You can't prove a negative fact. That's your company required to prove a negative fact. So the point is that it's up to the regulators to show, sorry, but based on these circumstances, it's very clear that actually you are processing personal data. But you still want to figure out, how do I justify my own position? Because if you say, suddenly I'm taking a position that the GDPR doesn't apply, that's a very important position to take. It has significant consequences. So if you want to go down that route, basically document it. But you can today, based on the law as it stands.

B

So there's two wrinkles to that in my view, and I would love your reaction. The first wrinkle is, as a practical matter, so many companies within the ad space are working with Google, who has, years ago, almost a decade ago, has merged their pseudonymous data and their identifiable data. So by virtue of working with Google, and I don't mean to pick on them at least here, but by virtue of working with them, you would seemingly not remove yourself from the rule set. Am I thinking about this the right way?

C

This is where that whole indirect issue comes into play. Because a lot of larger companies such as Google, are employing a lot of techniques to basically reduce what we could call the privacy risk in a number of situations. And so it might be that basically when you are interacting with Google, that you are actually not providing information that enables them to combine everything. And even if you do, then basically what is happening is that the provider you're sharing data with, for instance, Google, is the one that then is processing that personal data, but you are not processing personal data in that context. So you might be enabling it. There might be a question of are you actually then becoming a joint controller for the transfer of data, specifically for the transfer of data, not for the further use of that data, but for basically the collection of that initial data and the transfer of that data to, in this case, Google. There could be regulators saying this is the way you have to structure it, joint controllership, but then it could be a limited one in scope. And so it doesn't mean that the GDPR applies to everything you're doing. You could then have an indirect impact of the GDPR by virtue of the fact that you're sharing data with someone that is able to lead to identification, but it doesn't mean that what you're doing is within the scope of the gdpr. So very important to figure out who, what, what am I doing with this data? Am I sharing it with someone? And if so, who is that someone? What, what are their own capabilities? It's basically inviting you to figure out who your partners are and what are they capable of doing with the data.

B

Ad tech has been dragged kicking and screaming for a decade into the world of data governance, which you've just illustrated is another example of why it's really a good thing to understand what's happening. So that's been helpful. But there's the elephant in the room here, which is the Privacy Directive. And even if parts of that have now been moved into the gdpr, you still need a consent to place almost any type of cookie in an ads context. I know there's some exemption around some types of measurement, but. But let's leave that aside for now because that's great, but there's still a whole bunch of other processing activities that would seemingly still require a consent, even if you are otherwise exempt from the gdpr. Am I thinking about that? Right?

C

Yes. Well, it's, it's even. It's even worse than that. This proposal, the digital omnibus, basically is creating a distinction between the E privacy rules that we have today, where basically it just applies no matter what, whether it's personal data or not. And then it creates a carve out saying when personal data is involved, then actually we're going to have a copy of that article 5.3 of the ePrivate Directive, we're going to integrate it within the GDPR and we're going to add some exceptions to it. So this is where you have some form of analytics, but it's kind of first party analytics. It's not something you can't even use a processor based on the description, so you really have to do it yourself. Whereas in France, for instance, the whole idea of analytics has also been in the past there'd been this idea that as long as it's not being used to combine with data from someone else, basically there's a way to do that. But here's very clear, you are alone are able to do your analytics yourself. You can't work with a third party because that then falls outside of the scope of that exemption. And then there's a security exemption that's also added. But the problem is you don't have that within the Prouse directive. So now on one hand we've got a definition of personal data that makes it clear that there are a number of situations that fall outside of the scope of the gdpr. So you think, ah, great, we can actually not apply the GDPR to a number of scenarios. But then you're still dealing with the existing E Privacy rules, whereas if you are using personal data, then you could be dealing with the new version which has two additional consent exemptions. So it's getting a bit schizophrenic. Because what is actually more interesting, and the problem is the way I see it, is that by adding two exceptions, especially the one on security, security was previously interpreted by a number of regulators as being part of what's called the service exemption under the privacy rules. So the whole idea that if something is strictly necessary for the provision of a service to the user, then basically I don't need consent. And so there were lots of regulators who said, okay, well at least user centric security is focused on that. Even someone further and said just security of the service is covered, you don't need consent for it. But now you've got a specific exemption that would come in the GDPR for personal data regarding security, which means that your service exemption suddenly gets more narrow in scope, it doesn't cover security anymore. And what does that mean? When you're dealing with non personal data, suddenly you're not allowed to use security, you're not allowed to use security measures without consent. So it create, to me it just creates a number of big questions because I think it doesn't resolve anything, it just creates more problems.

B

And it might be even worse than that because my understanding is that the E Privacy Directive is generally enforced by the local supervisory authority and the GDPR is enforced by whomever is Your, you know, designated supervisory authority under the one stop shop principle. So now you potentially just say if you're sitting in, happily sitting in a data flow located in France, but you happen to be registered in, oh say Ireland, you may have two supervisory authorities who sometimes see the world very differently, opining on the same data flow using two completely different sets of standards.

C

It gets even more fun than that because when you're dealing with a gdpr, you're not just dealing with one authority. If you have that international component, then you're dealing with all of the relevant authorities talking together and that adds to the complexity as well. So EPOC today is indeed just one local authority and it's not always the data protection authority and certain countries is an entirely different one. And so yes, you do have. This is why I think it's getting very awkward and a bit schizophrenic because it's going to introduce a way too much complexity in the way that the rules are interpreted and indeed the cooperation mechanisms that apply among regulators. It's going to be fun if this happens, really fun for, for data protection lawyers. But I don't think that fun for anyone else.

B

No, I think. And ladies and gentlemen, if you've just started listening, welcome to Alan and Peter's Parade of Horribles.

So I wanted to talk a bit more about. There's sort of a revamped, I call it do not track 2.0 or 3.0. But there's a component in there where browser controls are designed to be able to perhaps provide a consent or is it just to withhold a consent? So it wasn't clear to me if this was designed to bring us back to like a 2009 era, a privacy interpretation where browser settings could constitute consent or if they've just thrown out the rule book entirely and that there's a. They're just going to follow the global privacy control popularized by California. Do you have any clarity regarding what they're trying to do there?

C

Clarity regarding what they're trying to do? I'm not actually that clear myself on what it is they're trying to achieve. And based on the reactions I've seen so far, I can tell you that not many people on the, I want to say the more business side are pleased with this idea. Not even the publishers actually who had been initially mentioned as being exempt from a number of aspects. There's a specific part in the relevant article that deals with media organizations. But the problem is that it's actually very difficult to figure out what is the real Benefit except for basically giving users the ability to say no blankly to anything, anywhere. And so it's actually something that's going to lead to, I think a lot of pushback from many different sides of industry because it is a very awkward provision. And based on my discussions with a number of players from different sectors so far I haven't actually seen one business player who actually is pleased with this proposal. That part about, about the global, but basically the browser level management because ultimately there's this fear that this will just go down in the direction of being a one click refusal for everything and not necessarily going in the direction of one click consent. So that basically skews the entire debate. Instead of being able to say that this is a real yes or no, that basically would just be an easy no and then a very difficult way to get yes afterwards.

B

Well, and not to mention, so one concept that I think got buried in the original do not track concept, but I think it's harder to bury now is that browsers of mobile operating systems have their own business interests. Often they have their own advertising platforms and programs. I mean Europe to their credit, you know, Germany, France and I guess Poland have recognized in the case of Apple that it might not be a great idea to allow a platform to preference its own ad network over a third party ad network. But I don't see any of that thinking present within the digital omnibus. It seems like they've perhaps forgotten those lessons and so, and then they want this to be implemented in, I've heard six months and then I've also heard 24 months. 24 months is still way too short and six months is kind of comical if you think about it, that they're going to figure out all of these implementation details. So I'm hoping, Peter, that you'll let me crash on your couch because I feel like I'm going to be in Europe a lot over the next year.

C

Don't worry, I do have an extra one. So that's, that's fine.

It's definitely going to lead to a lot of debate this, this provision because like you said, it doesn't take a number of lessons into account. And, and so we're going to see what that leads to. We know that there's already a big movement by civil society to pose the GDPR related changes at the level of the kind of push the message towards, in particular the European Parliament, to say civil society does not agree with this. You're going to see a lot of push, big push as well from industry players saying, well, you know, there's a lot of real good value in the GDPR changes because they're pragmatic, they're trying to kind of rein in some absolutist approaches that have been mentioned. But you're going to see a kind of a reverse approach as regards the privacy provisions, where I think you're going to see a lot of people saying, well, there are some aspects in here that are very interesting from a civilized civil society perspective, whereas from an industry perspective, a lot of pushback. So it's going to be an interesting period that we're getting into where you'll see a lot of further discussions on these changes.

B

Well, and you raise the concerns of civil society, but often the concerns of civil society are also reflected or shared by many of the supervisory authorities in Europe. And, and so to the extent that the advocates are apoplectic about some of these changes, well, you know, given that most EU data protection regulators tend to be aligned with civil society, how do you think those regulators are going to be viewing these changes and will they ultimately fall in line with how these changes are implemented?

C

I don't think that regulators are as a whole aligned with civil society in that respect. Because if you actually look at the changes, yes, there's a lot that you can say about some of the, some of the fine tuning that could happen about the wording. I disagree with some of the suggestions regarding the GDPR simply because there's a bit of wording that creates that lads uncertainty. But as a whole, these changes are intended to add pragmatism, to bring us back to a more realistic approach of managing data protection, because the GDPR isn't a piece of legislation that was enacted to say data protection as a fundamental right prevails over everything else. That's not the point of the gdpr. The GDPR has been enacted with the idea of enabling responsible use of data. And yes, you do take into account the fundamental right to the protection of personal data, which is indeed a fundamental right in the eu. But you also take into account other fundamental rights, such as fundamental right of information and on freedom of expression, the, the fundamental freedom foreseen in the EU Charter of fundamental rights to conduct business and so on. So you have a number of other considerations that are relevant. And so you'll find that a number of regulators have actually said we welcome a bit of pragmatism. I've had some informal discussions with people from different regulators and different areas who basically say we welcome a pragmatic approach. So we're going to be examining this proposal with an open mind because we don't want to be seen as absolutists either. So I think you're going to see maybe a more subtle and nuanced approach from a number of regulators who are not going to come out and say this is bad. They're going to say it's important that we take into account fundamental rights. But they're not going to say this is a bad proposal because many of them actually do believe that this is the way forward.

B

Interesting. So my bad for treating, you know, 30 something regulators as a monolith, but I'm going to gently push back on some of what you're saying because if the Nordic supervisory authorities were here, or the Netherlands or the canal, you know, even the guarantee, perhaps there's a number of regulators who have been rather monolithic when it comes to cookies and tracking in particular. And so I would agree that, that it's unlikely that, you know, they're going to stand up and, and vocally object. That's not really how they operate. They take interpretations that allow them to push privacy as a fundamental and sometimes the only right. And that's sort of my concern here. I don't think they're jumping up and down complaining. I think that they are going to enforce in the way that they see fit, in a way that matches their worldview. And I think that has the potential for creating an entirely different level of complexity.

C

I, I agree. What I've seen actually has been that some regulators have been taking very, very different approaches in their negotiations behind closed doors compared to their public positions. So for instance, there's been some discussions regarding guidelines on pay or okay. Where you've seen that suddenly there have been some shifts in position behind closed doors compared to what has been said in public. You've seen, we've, we've seen that similar positions regarding AI model training. And, and so I think you're going to see the same thing that in public many will be saying let's be careful, let's take fundamental rights into account. But behind closed, closed doors, you're going to see a broader variety of positions. It will be interesting to see what they are trying to achieve also behind the scenes because the regulators have discussions with their governments, the governments figure out what is going to be their positions. The regulators, some of them get invited by civil society or by European Parliament and so on. So you have a number of ways that basically everyone gets involved into the broader discussion. I think at this stage, unfortunately, none of us have a useful crystal ball that would allow us to see what is on the horizon. But I think we're definitely going to see a number of regulators now try to think how does this impact what I'm doing today? And that's going to be really interesting to see because we've got a number of guidelines that are being worked on by members of the European Data Protection Board that could be severely impacted if any one of these parts of the proposal gets through. So I think we're going to see a lot of interesting discussions happening there as well because of the digital Omniverse, because of this proposal and its very existence.

B

And I would agree with the idea that all of this is forcing, particularly AI is forcing some real interesting discussions because there was a time where it was fairly common, maybe not all regulators, but would say, okay, well in the mere transfer of an IP address and bringing that from the EU into the US required a consent. We've now reached the point where legitimate interest for model building the idea that one might be able to scan close to the entirety of the Internet to create an LLM, that that might be able to be done under legitimate interest. Now we can debate whether that's a good thing, but if that's on the table, one would have to assume that the lowly IP address might be viewed a little bit differently in terms of risk. Is that a fair way of looking.

C

At is it is the IP address has been one of the, indeed the poor ones at the front in basically facing the firing squad a lot of times. And I know for a fact that some authorities have been saying behind closed doors, sorry, book an IP address is personal data, full stop for even, even as recently as 2025. So I think the SRB case is forcing a rethink. I think the digital omnibus is going to force a rethink as well. And I think there is suddenly a way to basically manage privacy friendly approaches, I think with a bit more flexibility, because I think regulators themselves are becoming aware that an absolutist approach actually is going to create more problems down the road than anything else, that if, if you treat the IP address as being personal data, then actually you're preventing a number of things from happening. And so it may be better for them also to pick their battles and to try to figure out how do we actually achieve what we really want. Because what regulators actually want isn't to ban every bit of processing. If they do that, then basically they don't have a job anymore anyway. But I think what they really want is to promote good use of data, responsible use of data in A way that is fair, that is transparent and so on. And there are plenty of ways of doing that with personal data and there are plenty ways of doing even more with non personal data. So I think this is where a lot of the debate is going to go nowadays. And to get back to then the ad tech sector, I think this is really the fundamental question, is it personal data or not, which is the basis for the applicability of the GDPR is the number one question since day one of data protection. Now it's become a really relevant question again is revived thanks to the SRB case, thanks to the digital omnibus and we can actually now have a proper discussion about what it is that we're actually using.

B

Yeah, I, I and which I welcome that exact discussion. What one related thought, if you can create the model via legitimate interest, but in order to monetize ellm, because that involves advertising and probably some flavor of targeted advertising, you need consent. You're sort of forcing the business community towards a subscription model and that has a cost and implications which at least need to be reckoned with.

C

And that whole debate is actually a really touchy one. And so I know that, you know, I mentioned the fact that there's been these negotiations behind closed doors at the level of the European Data Protection Board regarding guidelines on pay or consent, but these are the kind of discussions that influence entire business models. Because ultimately if you say monetization of an AI model has to happen through consent, if you want to use personalized advertising, profile based advertising, however we want to call it, and basically you are indeed creating an impossible choice for users, especially if you take into account other parts of the digital omnibus, such as the fact that any consent has to come with a clear easy refusal button. How does that work with a pay or consent approach? Does that mean that I have to say pay, consent or refuse?

It becomes really complex to have an easy understandable user experience and user interface because the user is being asked to basically make impossible choices, choices between getting access to a service by paying, getting access by consenting, and then exercising his right to refuse the processing of personal data and not really figuring out what does that mean that actually means not using the service, full stop. Or do we then accept that when you are offered a choice between pay and consent, that basically the pay option is your refusal to the consent aspect. There are lots of uncertainties basically created by the current framework and we have to have a way that actually helps monetization, because otherwise these services are basically going to disappear full stop. If you can't have an approach to data protection implementation that allows for monetization and services just stop being offered. So I think this is where that pragmatic approach that we're seeing in the omnibus is so important. It's a reminder that we cannot continue to perceive data protection in a cyber. It is not something that you can just look at from an ivory tower and just focus on purely the idea of data protection. It's part of a broader context, a broader whole, and you need to take into account monetization as a means of enabling the use of that data.

B

So it sounds like, although you were very aware that there are some eggs being broken right now as we're making the omelet that is the revamp of the digital omnibus. But it sounds like you're optimistic that there's a level of pragmatism within Europe now that will serve all of us.

C

Well, like I said, maybe not so much on the E privacy front, but on the GDPR front I am. So I think, you know, with this there's hope. Until recently, I would have said that the regulators tend to have shown that they were a bit too absolutist in approach, and it's good to see that. It's been good to see over the past year or so that some regulators have been showing that they too can be pragmatic. And now we have part of the EU legislator, the commission, the one who basically comes with a proposal showing we want to be pragmatic. Maybe not completely, maybe there are some uncertainties, but we really want to. It's a new impetus that we're getting. It's a breath of fresh air, basically, in this context.

B

You know, if you had asked me five years ago if I thought that the EU would be pragmatic and it would be the US that was dogmatic when it came to the definition of personal data, I probably would have told you you're crazy. So maybe what we need is maybe you need to move from Antwerp to Sacramento. It's lovely there. And maybe, maybe some of the Cradock influence can. Can take root there.

So I've just got a couple more questions. Peter, this has been a lot of fun, but one of the critiques about the GDPR is that it was much more helpful to big tech. And so do these proposed changes hand more power to the gatekeepers or will they genuinely keep. Create a more level playing field? You know, with respect to, you know, I'm going to give you a couple of examples here, like the how does it charge large enterprises more for public data Impact the analysis by way of example.

C

My answer, there would simply be no. So I do not believe that this is giving more power to larger players. Because actually, if you think about the key changes, the fundamental change is basically figuring out, realizing that actually we cannot have an approach to the notion of personal data that does not take into account pragmatic decisions. And so the change isn't, you know, we don't even, in theory, we don't really need that change because this is something that is in case law. But when you integrate case law into the law, then you make it more accessible. Then it is no longer the companies that can afford to have data protection lawyers who are really up to date, who know every case, who've been maybe even involved in them. It's no longer those companies that basically have access to this information about what is personal data. If you have it in the definition, you're making that more accessible. It means that anyone who reads the definition will actually have a better understanding of it. So there's a whole discussion. Are these targeted changes in practice? They are targeted because they are very specific. They are not actually changing the fundamentals, they are making them clearer. And making the law clearer to the public is really critical in order to enable smaller players as well to basically make the most of the law in a positive way. So I think if you think about the AI model training aspect, well, it's not just about AI model training, it's about AI systems operations as well. So the whole idea of allowing, of making it clear that you can rely on legitimate interest and that you have to take certain measures basically to prevent the use of special categories of data like health data and so on from getting into your, your, the, the actual operation. These are very important again, reminders to everyone that you can actually do this. Like I said, you don't need to have the most up to date lawyer to know that you can actually read the law now. And, and basically even the, the most, I want to say the most modest and humble local lawyer will be able to provide you the exactly the same response in that respect. So, so it's about accessibility. This is a really important thing. Do any of those provisions really allow larger technology players to get more. I think ultimately every provision that allows for a more pragmatic approach is going to be welcomed by every business basically across the entire field. So I don't think any of those are giving more power to large tech companies. I think, like I said, this is really something that enables broader use of data in a responsible way by a large Number of players.

B

Just an observation, and I said this before. You're. You're very optimistic about the destination. My fear is that it's going to take a little bit of time to get over that mountaintop. And in that intervening period, the level of uncertainty, I do think there's going to be some supervisory authority pushback, some of it rather stubborn, but that's not helpful to the companies who only have one privacy lawyer and don't have a team of hundreds. And so I'm hopeful that you were right that they're eventually going to get there, but I do think there's going to be a fair amount of pain in the process to get there.

C

Ultimately, now that the discussion is happening through SMB, through the digital omnibus, I think anything we can do to make people aware of this is anywhere helping? Yes, some authorities are going to be a bit more stubborn than others. We have seen an indication that some of the authorities are not too keen on making big changes to their guidelines on pseudonymization. We'll see what happens. But, yes, you will, in the meantime, also have more people becoming aware that these rules have a certain interpretation that is more favorable than what has been mentioned by authorities for years, which means that maybe more companies will dare to actually say, I'm going to make use of this position. So I think anything you can do, you know, through, through your podcast, through making this information available to others, this is fantastic. This is really enabling better awareness. Yes, we will have a transition period and we will. Anyway. Part of the legislative process is that a lot could be changed by the European Parliament, a lot could be changed by the Council. It could even just disappear. It could be tabled, it could be withdrawn. So there are lots of possible avenues for the future of this piece of legislation, but the fact that it is there, I think is a really useful signal for anyone. Data protection is not about absolutism. Pragmatism is back in town, and that is a really good message.

B

I think that's also a great song lyric, bringing us back full social.

Peter, where do people find you?

C

I can be found mainly. I know a lot of people find me through LinkedIn, but yeah, I'm easy to reach out to by phone, by email, through LinkedIn, and then every now and again, you know, there's. There's the odd Spotify song or, or a, a conference that you can hear me speak at.

B

Well, fantastic. And I, I just want to throw out an endorsement of the, the holiday song that you just released. It's fantastic. I enjoyed listening to it. I'VE played it with my 5 year old and she loves it too.

C

Ah, that's good to hear. I've got it. I've got a fan. Fantastic.

B

Peter Craddock, thank you so much for coming on the pod. This was great.

C

Thank you Alan. Great to be there.

B

Thanks.

That was a great conversation. Peter is clearly very optimistic about the tone shift in Europe. In Peter's view, this new tone favors pragmatism over dogma where privacy is fundamental but perhaps not the only consideration. While I support that view conceptually, I have some concerns. First, I want to be careful about hand waving away the pain that all of this short term uncertainty is likely to impose on businesses. Even if you see this pragmatic future as utopian, it's going to take a long time and a lot of resources to get there. Second, and this is sort of a related point, there are just too many components of this digital omnibus proposal which come off to me at least as half baked and absolutely no guarantee that questions regarding public data, some of the rules around logged in users, the definition of a media company, and the changes to the E Privacy Directive. Europe has been trying to find practical solutions to many of these issues for well over a decade with very little success. And I don't know how that all of these questions get answered with the tone shift and the use of AI. And third, I'm not sure we can count on most or even many of the EU supervisory authorities to fully buy into this huge paradigm shift. So if you're in the ad space, what do you do? Well, I'm not providing legal advice, but if I were running an ad tech company, I would not abandon the IABTCF just yet. But I would Hope that in 2026 there will be a bit less risk around cookie consents while all of this resolves itself. And I would double down on data governance because there are still too many companies in the ad space who have not fully documented their data flows and conducted risk assessments. And finally, now is probably not a good time to start processing identifiable personal data. If you're in the ad space, we'll have much more to talk about regarding Europe and data protection in 2026, and we have a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. For example, I'll have Commissioner Mark Better of the Federal Trade Commission joining me on the pod, and I have a number of other legislators and regulators that have accepted an invite to come on the pod in early 2026. So 2026 is going to be an interesting year both for the regulatory world and the Monopoly Report podcast. So please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.

D

The Uniswap Wallet makes crypto easier and safer to own and use. Discover new tokens, research confidently, swap instantly, and manage it all securely in one place. The Uniswap trading protocol has powered over $3 trillion in volume, and it's trusted by millions worldwide. Buy your first crypto crypto assets in a few taps and experience the freedom of decentralized finance with Uniswap. Tap the banner to get started.