Data Privacy Detective - how data is regulated, managed, protected, collected, mined, stolen, defended and transcended.

This is a true story of a phone scam of May 2021. The Data Privacy Detective got a call on the home landline. This scam will succeed in stealing money from countless Americans. It’s targeted particularly at older people who dearly love their television, especially during pandemic times. You can see the tricks and traps in this scam. Of course, the best defense is not to answer such calls at all, but then how can one know that a local number is not an old friend or acquaintance calling for a good reason. If you get a call like this, write down the details. Share them with the fraud hotline of the company being impersonated. Notify the FBI and the Federal Trade Commission if you have the time. This builds a file on these entities. Though it’s unlikely that law enforcement will be able to shut down the criminal syndicates and others active in this fund-raising activity, it will build the awareness that our privacy is attacked through such intrusions. Without greater regulation and defense against such increasing scams, there’s a risk that our communications systems become so riddled with such problems, that we’ll all retreat into a hole to avoid them. One definition of privacy is the right to be left alone. Anyone with a phone will find that hard to achieve. You can, however, work with your phone service provider to block calls in various ways. Check with your provider what restrictions you can put into place to limit calls from James Michael and Ralph Smith. Remember – protecting your personal privacy begins with you. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

This podcast episode explores ransomware from preventive, legal, and communications angles. While there’s no 100% effective vaccination against a ransomware attack, there are steps enterprises and each of us can take to beware, prepare, and take care. Ransomware. It’s the modern equivalent of kidnapping – except people aren’t grabbed and held hostage. Instead, an enterprise has its computer and information system locked by a criminal. Data gets encrypted and unusable until and unless the organization pays a ransom to the thief, who is known only by a digital address and often demands untraceable payment in cryptocurrency. Ransomware is a type of malware – software installed in a system by an outside party for bad purposes. Unlike malware focused on stealing data, ransomware aims to extract a ransom payment in exchange for decrypting and restoring the victim’s data. From a criminal’s perspective, ransomware is a simpler, less expensive way to get money than malware that aims to export (or exfiltrate) and resell data. It can be an “in and out” operation, not requiring search, download, categorization, and reselling of purloined data. Despite this, because data has great value, Blackfog estimates that 70% of ransomware attacks include data exfiltration, so that the attacks not only temporarily freeze data usage but result in a release of personal and business data to third parties as secondary damage. Ransomware theft is rising. Security sector experts report a 7-times increase in ransomware attacks between 2019 and 2020, with the average ransom demand increasing more than 3 times the prior year’s figure. Blackfog predicts cybersecurity theft will approach $6 trillion for 2021. CrowdStrike’s comprehensive summary of 2020 and early 2021 reports a four-fold increase in interactive intrusions in the past two years, with 149 criminal syndicate followed as tracked actors on its list of named adversaries. Ransomware is organized crime on a massive and global scale. For units of government, businesses, and non-profits (like universities and hospitals), ransomware can strike like a rogue wave at sea. But it’s often an attack more like a time bomb, lying in wait until the criminal gang is ready to demand its ransom at a time of its choosing. And when this happens, it can immobilize the organization’s ability to operate. Immediate action is required. How do we get our data back? Do we pay the ransom? If we do, will we get the data back? Even then, how do we know it’s safe? How can we prevent this from happening again? If it does, how do we deal with the immediate issues, recoup the data, and ensure it’s clean and usable? If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Janus was the Roman god of doors, gates, and transitions. He needed two faces to look in both directions - life and death, past and future. Internet browsers allow us to access and gaze across the internet, but at the same time, they are watching us, recording what we do while browsing. True, browsers do not charge us for their services – browsing is free. But as it is said, when a product is free, we become the product – or more specifically, our data becomes the product. In this podcast episode Jeff Bermant, the founder and CEO of the browser Cocoon, joins us to explore how browsers and privacy intersect. Cocoon was founded for the purpose of providing a more privacy-secure experience than any other browser by creating a cocoon around the browsing individual. We discuss how users have data privacy choices – which browsers to consider, how to adjust privacy settings, and what add-ons are available for browsing. When it comes to data privacy, protecting your personal data begins with you. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Facial recognition. It’s a hot topic. Targeting, misidentification, and doxing - the dangers are real. So are the benefits – finding criminals and solving crimes, searching for relatives and old friends, researching history, conducting social research, sharing with friends over a lifetime. Kashmir Hill’s penetrating cover article in the March 21, 2021 New York Times Magazine, “Your Face is Not Your Own,” details how our photos are scraped and used by companies far beyond what we imagine. Our images are available from public sources such as driver’s licenses. Many arise from our choice– through Facebook and Instagram postings, directories, newspaper and other media sources. As the TV series Cheers’ theme song sang, “Sometimes you want to go where everybody knows your name.” But now it’s not just the neighborhood pub. It’s the internet, where everybody knows your name, and everybody can find your face. What to do? That’s where scrubbing comes in. Scrubbing is the effort to erase, stop, or minimize the spread of a digital posting. Scrubbing is a challenge. It can be expensive. Certain scrubbing services charge annual fees of $100 a year or more per person. In this episode we discuss what options are available to you, what governments are experimenting with to find a balanced solution, and if there is any hope to truly erase your face from digital history. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

On February 16, 2021 TikTok was sued in Europe for abusing consumer rights. Millions of Europeans use TikTok to post, share and watch videos 3 to 60 seconds long, ranging from dogs in pink tutus to Shaq dancing. The European Consumer Organization BEUC is an authorized entity in the EU to file complaints against businesses. Its press release, BEUC files complaint against TikTok for multiple EU consumer law breaches | www.beuc.eu, claims that TikTok engages in a “massive scale” of consumer abuse, including unfair and deceptive practices, terms of use that hurt consumers, failure to protect minors from harmful content and embedded advertising, and misleading use of personal data. By contrast, the U.S. President on August 14, 2020 issued an executive order to kick TikTok out of operation in the States unless it sold its American operations to a U.S. buyer. The Executive Order was based on TikTok’s Chinese ownership, which the prior U.S. Administration claimed was a threat to U.S. national security because the owner ByteDance was accessing personal data of U.S. persons that could be provided to PRC authorities. EO-on-TikTok-8-14-20.pdf (treasury.gov) TikTok successfully sued in several courts to block immediate enforcement of the Executive Order, a matter on appeal in the federal courts. On February 10, 2021, the Wall Street Journal reported that the Biden Administration decided that it would review the matter but was unlikely to pursue a forced sale to American companies. TikTok Sale to Oracle, Walmart Is Shelved as Biden Reviews Security - WSJ. What’s the future of TikTok as a Chinese-owned business that allows people to post, share and watch videos globally? And what does it mean for the world where business and human connections flow across borders? The Data Privacy Detective explores these puzzles in this podcast. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Data theft set new records in 2020. The major causes are not failures of equipment, software, or services. In an estimated 85% of cybercrime, the cause is us. We make careless mistakes as though we were inviting villains into our homes. We let thieves into our IT systems by accident. We get phished. You get a message on your computer. It may seem to be from a friend, a trusted source, a reliable company, even your boss. It might seek an urgent response about something. How do you avoid dealing with the emailed message without letting a villain into your computer, and so into your personal or business’ IT systems? How do you prevent making a mistake that gives a cybercriminal the chance to freeze and hold your personal or your company’s IT system for ransom or to hack personal and proprietary information? Here are seven top tips to avoid being the reason you or your business is the victim of data theft. Check emailed messages for seven red flags before acting: 1. Bad spelling 2. Bad grammar 3. Nonsense in the subject line 4. Incorrect domain name in images and links (hover over a link without clicking to reveal this) 5. Pressure tactics to scare you into acting fast 6. Unexpected message 7. Unexpected attachments or links in the message

As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured? Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets. www.usi.com / Sean.McGee@usi.com . Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use. Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk. Cyber insurance pricing is competitive. It depends on a company’s responses to questionnaires that can be 20 pages in length and interviews with CIO’s and others. Underwriters assess the strength and scope of an applicant’s cyber protection program before quoting a premium. A solid cyber policy will generally cover direct costs resulting from a data breach or incident. These include attorney fees and other costs of defense, resolution of private and public claims, expenses to recover purloined data, business interruption (subject to defined caps and other details), and similar out-of-pocket losses suffered from a cyber-attack. Policies generally cover global losses, including direct losses suffered in the European Union under GDPR. Coverage typically does not extend to more indirect losses, such as damage to reputation, costs to improve a system after an attack, or potential future lost profits as distinguished from business interruption loss. The more indirect or difficult to measure a loss is, the less likely it will be insured. Deductibles, caps and other limits, and unusual types of risks should be carefully reviewed before finalizing an insurance purchase. Top tips for businesses considering cyber insurance: -Have a top-to-bottom training program to help every individual avoid phishing and other incidents that lead to data breaches, ransomware attacks and other losses. -Have a data response plan in place before it’s needed, ready to activate immediately when required. -Think holistically. Preventing data attacks is not just a hardware problem. Review regularly measures to upgrade data protection, protect personal and proprietary data, and limit losses from data risks.

Taiwan is one of the “Four Asian Tiger” economies. Its companies hold 66% of the world’s semiconductor market. It consistently tops the USPTO per-capita list of patent files, and its population of about 25 million enjoys what is considered the world’s fastest internet connection. It is becoming a major player in data. Considered part of China by the PRC which refers to it as the “Taiwan Authority,” Taiwan declares itself to be the Republic of China. Despite geopolitical issues, robust business flows between the two. Taiwan is a leading investor in the PRC. Commerce between the two seems unimpeded by political differences. With rising tensions between the U.S. and PRC, alongside changes in Hong Kong that threaten the “one country two systems” approach, how should global business consider Taiwan? Is it a bridge for east-west data-related commerce? John Eastwood leads of the Taiwan firm Eiger Law’s Greater China Practice. John EASTWOOD - Eiger. In this podcast John explains how Taiwan is becoming a major Asian data, financial and regional headquarter center for North American and European businesses, growing to rival Singapore and Hong Kong. Personal privacy protection is highly valued and regulated by Taiwan law that differs significantly from the PRC’s data localization regimen. Taiwan generally blocks flows of personal information from Taiwan to the PRC, and so can be viewed as a safe haven for western businesses that collect and process personal and company data in Asia. Unlike the PRC, Taiwan does not require data to be shared at will with government authorities. Taiwan’s Personal Data Protection Act (PDPA) adopts entirely neither the U.S. nor the GDPR model, though it embraces most of the key principles of the GDPR. Taiwan’s Personal Data Protection Rules - Taiwan Business TOPICS (amcham.com.tw). More flexible and consent-based than the EU’s regulation but comprehensive unlike the U.S. sectoral approach, Taiwan in recent years has broadened the protection of personal data while aiming to be attractive to multinational business seeking an east Asian data hub. Taiwan is pursuing an “adequacy decision” with the EU while addressing numerous concepts differently from the GDPR’s provisions. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Data privacy is about balancing individual concerns and community needs. Without assurance that private information will be responsibly shared and used, people may not share accurate information or be willing to provide data at all. But to get student aid, applications must reveal sensitive family financial information. To gauge student success, performance details must be documented and shared with others. Sociological research requires that a database be accurate and credible. How can a community design its IT system to reassure individuals about privacy but obtain and share data responsibly and create data platforms and visualizations to meet collective needs and aspirations? This challenge is common to any community, whether it’s a city, a business, a university or other type of collective. In this podcast Lee Norris, Vice Provost for Enterprise Data Architecture of the University of North Carolina Greensboro, discusses how a community that gathers data of 25,000 people at its core and about 100,000 data subjects overall, designs and operates its data system. Through a combination of communication and technology, its data architecture stems from privacy by design. This approach advances essential ethical, research, institutional and other objectives, beyond compliance with federal and other laws that regulate particular types of data, such as student information (FERPA) and medical information (HIPAA). UNCG’s design starts with an understanding of individuals’ concerns and circumstances. By communicating clearly to data subjects (people) what data is needed, what data need not be shared, and what and how data will be handled and safeguarded within UNCG, the data system is created to encourage appropriate but limited data sharing. This is data minimization and privacy by design thinking. By building a culture of trust, UNCG has not found that its constituents are reluctant to share needed information. This in turn increases the accuracy and reliability of databases that UNCG staff create from data pools for a variety of purposes, ranging from assessing individual and collective student success to compiling research databases. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

We all value privacy – at least to some extent. But some of us want to be famous, and all of us want to connect with friends and acquaintances. We like the convenience from technology that requires our personal information to operate. So we share our personal details in many ways, and our data flows like water down a stream into lakes and oceans, some of which we’d prefer to avoid. And our information becomes a piece of society’s knowledge base. Databases like the U.S. Census have essential purposes, but they’re only reliable and complete if we are comfortable sharing our data. How to respect individual privacy and achieve reliable databases? That’s a challenge! In this podcast episode Alex Watson, co-founder and CEO of Gretel.ai, explains two essential phrases to understand how this can be done. Alex founded a security startup called Harvest.ai, which was acquired by Amazon Web Services in 2016, when he became AWS General Manager and it launched its first customer-facing security offering. Gretel.ai is an early-stage startup that offers tools to help developers safely share and collaborate with sensitive data in real-time. Alex explains that privacy is a problem rooted in code, not in compliance. By auto-anonymization, the personal data of an individual is separated from the underlying data so that the database where the information is needed comes to it without identifying the individual. The essential information is shared without allowing someone to know which individual’s information it is. While nothing is hack-proof, auto-anonymization eliminates the link between an individual and data about that individual as it moves to another user. Personal privacy is preserved in the transmission and further use. The other key phrase to understand is differentially private synthetic data. Data Privacy Detective Podcast 55 offers an introduction to the topic. This phrase means that information within a database has been changed to eliminate the ability to trace back the data to a particular individual. The information is private and individual to a person, but as pieces of data are shared for a purpose, they are not traceable to a specific person. The database user only needs the provided information, not the identity of individuals who contributed each piece. There is great public benefit in encouraging people to share sensitive data – e.g., public health databases, sociological research, Census Bureau studies. But people will share their private data only if they are comfortable knowing it will not be misused. Database users should ensure that they do not acquire personal data that identifies individuals without the need to have that information. Auto-anonymization and differentially private synthetic data – two phrases one should know. Their proper usage can achieve privacy by design. This will be an important contribution to creating reliable databases humankind needs to advance public health and other social good. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Ransomware - a sinister type of cyberattack that installs malware onto a computer system. Once inside a network, the malware encrypts documents, freezing the IT systems of entities and individuals until they pay ransom to regain access to their data. Recent average cost paid to a ransomware syndicate? $333,000, according to Greg Edwards, founder and CEO of CryptoStopper, a leading anti-ransom software provider. www.getcryptostopper.com. Ransomware surfaced in the late 1980’s, when AIDS Trojan was injected through floppy disks. Victims were asked to pay a “license fee” of $189 to a post office box to restore access to their data. Ransomware became ever-more sophisticated. Thanks to Bitcoin and other cryptocurrencies that emerged around 2012, thieves could hide their identity, and attacks mushroomed. Most start through a careless employee who gets phished and permits the villain to enter the enterprise’s system. Malware is unleashed to encrypt data, including on back-up copies held within the enterprise. Ransomware attacks in 2020 show a continuing growth in number and cost. Fileless ransomware appeared, far more likely to succeed than file-based attacks. Smart ransomware disguises itself as though it were Halloween, but it’s all trick and no treat. Major 2020 targets are healthcare systems, which cannot risk their patients’ health and are pressured to pay substantial ransom to release a freeze of critical data. Cybercriminals now offer Ransomware-as-a-Service, available as kits sold on the dark web that include everything needed to get into the business of kidnapping data. Greg Edwards’ company CryptoStopper uses detection technology to trick the ransomware code to fix on it as bait, blocking the infection before it spreads. Watcher files defend against attacks. Most clients are B2B, but the company offers a free of charge download to individuals. When ransomware criminals focused only on encrypting and decrypting data once they were paid, the privacy of data was relatively untouched. This has changed. Now ransomware attackers profit not only from ransom payments but also engage in exfiltration. They acquire and package data for sale on the dark web. Exfiltration releases company and personal data to use by criminals who purchase it for sinister purposes. Can law enforcement come to the rescue? Occasionally, but most attackers are from areas beyond the reach of Interpol and extradition treaties. How can enterprises defend and avoid having data breached and resold? Anti-ransomware products are available. Top tips from Greg Edwards to deal with the risk of ransomware beyond an add-on like his company’s offering: 1. Patch management – update all software and operating system of all devices on a network. 2. Keep anti-virus software up to date. 3. Keep back-ups in off-site locations. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Science and knowledge advance through information gathered, organized, and analyzed. It is only through databases about people that social scientists, public health experts and academics can study matters important to us all. As never before, vast pools of personal data exist in data lakes controlled by Facebook, Google, Amazon, Acxiom, and other companies. Our personal data becomes information held by others. To what extent can we trust those who hold our personal information not to misuse it or share it in a way that we don’t want it shared? And what will lead us to trust our information to be shared for database purposes that could improve the lives of this and future generations, and not for undesirable and harmful purposes? Dr. Cody Buntain, Assistant Professor at the New Jersey Institute of Technology’s College of Computing and an affiliate of New York University’s Center for Social Media and Politics discusses in this podcast how privacy and academic research intersect. Facebook, Google, and other holders of vast stores of personal information face daunting privacy challenges. They must guard against unintended consequences of sharing data. They will not generally share with and will not sell to academic researchers access to databases. However, they will consider and approve collaborative agreements with researchers that result in providing academics access to information for study purposes. This access can aim to limit access to identifying individuals through various techniques, including encryption, anonymization, pseudonymization, and “noise” (efforts to block users from being able to identify individuals who contributed to a database). “Differential privacy” is an approach to the issues of assuring privacy protection and database access for legitimate purposes. It is described by Wikipedia as “a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset.” The concept is based on the point that it is the group’s information that is being measured and analyzed, and any one individual’s particular circumstances are irrelevant to the study. By eliminating the need for access to each individual’s identity, the provider of data through differential privacy seeks to assure data contributors that their privacy is respected, while providing to the researcher a statistically valid sample of a population. Differentially private databases and algorithms are designed to resist attacks aimed at tracing data back to individuals. While not foolproof, these efforts aim to reassure those who contribute their personal information to such sources that their private information will only be used for legitimate study purposes and not to identify them personally and thus risk exposure of information the individuals prefer to keep private. “Data donation” is an alternative. This provides a way for individuals to provide their own data to researchers for analysis. Some success has been achieved by paying persons to provide their data or allowing an entity gathering data for research to collect what it obtains by agreement with a group of persons. Both solutions have their limits of protection, and each can result in selection bias. Someone active in an illicit or unsavory activity will be reluctant to share information with any third party. We leave “data traces” through our daily activity and use of digital technology. Information about us becomes 0’s and 1’s that are beyond erasure. There can be false positives and negatives. Algorithms can create mismatches, for example a mistaken report from Twitter and Reddit identifying someone as a Russian disinformation agent. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

COVID-19 has changed the world in dramatic ways. Contact tracing emerged as an approach to fight the pandemic’s spread and save lives. The idea is to notify people who have been in close contact with another person who tests positive for the virus. This should allow the contacted individuals to self-quarantine and take measures not to spread the virus before experiencing symptoms or otherwise learning that they are infected. Australia, a country of about 25 million, has an App called CovidSafe, developed and owned by the federal government. By October 1, 2020, it has been downloaded by about 27% of Australians. The government target is 40%. Sign-up is voluntary. To register, a person provides name, mobile number, postcode and age range. The App must be open on a user’s smartphone with Bluetooth enabled. It does not use GPS location technology. Persons in close proximity for at least 15 minutes will be identified as App contacts and eligible for future notices in case one person learns of a positive Covid test – and if the individual consents to notifying others about this. Results are mixed. In this podcast, Kelly Dickson, a principal lawyer of the Australian law firm of Macpherson Kelley(www.mk.com.au), explains the CovidSafe App and discusses how data privacy and healthcare intertwine. How does CovidSafe work? The app recognizes other registered users’ devices and uploads data to cloud-based central storage controlled by the federal government. Notices go to persons who had close contact when another person posts a positive test. The data is shared with others for 21 days from each contact on a rolling basis, though the Health Ministry may keep the data longer for public health purposes. Encryption and cybersecurity aim to protect the sensitive data and to convince Australians that their personal data is highly secure and shared only for the purpose of public health. Great idea - but how’s it working? Critics say it’s not working as it was conceived. Limited participation and consent result in an undercount of those infected and so limit the impact of the effort. Having smartphone apps live constantly has resulted in a report of loss of functionality and battery drain. When phones lock, the App does not function as intended. There have been inevitable bugs and fixes for the App, which was rushed into a prompt launch. States and territories have their own tracing methodologies (some in traditional hard copy format), with varying work and other restrictions in force. While workplaces are required to have a CovidSafe plan in place, this requires significant human intervention and is prone to haphazard error. Different states report varying degrees of take-up, support and efficacy. Will sensitive healthcare information be misused? While a targeted federal statute covers the security of App collected and shared data, users control whether positive test information will be shared. If a person tests positive, that person may consent – or not – to share the data – and without consent, the system will not accomplish its purpose of notifying others. There’s a CovidSafe Data Store where information is held in the cloud, leaving the possibility of hackers’ accessing both data in flight to and from the cloud and within the Store. September 2020 polling showed a skeptical public, with 57% concerned about security and only 41% confident the government would protect the privacy of data collected. This is despite strong support from the Prime Minister and a lack of overly divisive public sentiment akin to the USA’s mask/no-mask divide. Some critics are concerned that Amazon holds the data or that it is otherwise retained or accessed outside of Australia. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country. Highlights: • Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD. • Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person. • Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians. • Companies must assess whether consent or legitimate interest is the basis of holding particular personal data and decide a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent as a last resort rather than the first in complying with the law. • A privacy-compliant notice should be posted. • A prevention and emergency plan should be in place for handling breaches. • If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator to discuss ambiguities or obtain advance guidance. • Cross-border transfers take the European approach, with no data localization as required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law. • Data Protection Officers (DPO’s) must be appointed for controllers but not processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPO’s, except for willful misconduct common to any relationship. DPO’s can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO. • Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021. Because of Brazil’s prominent position as the giant of South America, one could expect an Iberian approach to personal data privacy throughout South America. Similar but not identical comprehensive codes exist in Chile, Colombia and many other South American countries. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Robo-calls, phishing, identity theft, ads we didn’t ask for – and worse. How does this happen? How does our personal data get collected, used and sold, without our knowing approval? Data brokers are a primary answer. They are businesses that collect, use, and sell blocks of personal information to a wide variety of buyers. This is not per se a shady business, though it may seem that way to those of us overwhelmed with constant interference by phone, email, pop-ups, and attacks aiming to disrupt our day or steal our assets or identity. Rob Shavell, CEO and co-founder of Abine, a 10-year-old privacy company, gives us a tour of data brokerage. Our personal data is collected in many ways. Some is virtually public – postal address, registered voter information, other ways in which details about us become publicly available. A lot of information about ourselves we contribute to the world – through social media posts, publicity, items we publish. There’s a tension between our instinct for privacy and the desire to be known, even famous if only for a day or two. Sensitive information is held by financial institutions, healthcare providers and others, who are generally restricted by federal and state law from sharing it with others but are themselves victims of a data breach. Information once disclosed becomes available to data brokers, who organize, package and sell the data to others interested in advertising to customers, monitoring behavior, analyzing groups or otherwise seeking data for their legitimate purposes (and otherwise. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.