Achieve eSignature Licitness for Physical Exam Consent in European Union

How to eSign a document: e-signature licitness for Physical Exam Consent in European Union

[Music] I'm Scott llin this is the data Chronicles and here are your data points today we are discussing the cookie Wars with a focus in the EU cookies have many different flavors and varieties pixels beacons tractors many others they are all really popular and ubiquitous on the internet but if they're so widespread why did I call it a war I think the fact there is a vast disagreement on how cookies can and should be used there are two sides companies operating websites they love them they make websites easier to use more engaging tailored dynamic they also provide great insights into how a company's customer base is interacting with their service and how to continue to improve their product services and engagement that's on the one hand on the other hand Regulators seemingly hate them in their minds trackers represent the hidden part of the internet where users information is exploited indefinitely without any type of knowledge or consent of the user as a result there are really two sides to this debate websites want the data and Regulators are trying to keep them in check so it's a very difficult area to follow it's very difficult to understand the rules and where things are trending and to help our audience understand the current state of play I have invited two of my partners yoka btz in our Amsterdam office and Gonzalo Geo in our Madrid office both of whom are data protection lawyers spending their days deep inside of this debate they also come from two countries where the dpas of both the Netherlands and Spain have recently leaned hard into the cookie conversation so there's no one better than yoken and Gonzalo to sort through the noise and give us the Insight on how companies may use cookies today and how to plan for the future Gonzalo yoka welcome to the podcast hi thank you a pleasure yoka maybe I can start the conversation with you can you just give us a sense of the laws and the Frameworks in the EU that may apply to cookies yeah absolutely so in the European Union there is various laws that actually apply to cookies we have the general data protection regulation that focus on the use of personal data that you collect by means of cookies or you use so it's personal data but in addition to that we have the eprivacy directive and eprivacy directive is a fairly old piece of legislation but it's still applicable and because it is a directive it is implemented in each European member state in a slightly different way and that this makes it quite complex so we have a harmonized framework of the gdpr and in addition to that we have the E privacy rules that apply in addition to that but are also implemented and interpreted in slightly different ways in each European member state so if we talk about the European cookie legal landscape you should always consider both in parallel that also means that we have Regulators that have slightly different interpretation But ultimately all use the same legal framework and then going back to the point you already mentioned scull there is Regulators in Europe who are very active in this field and I think that activity and that's I think relevant to mention here is mainly triggered because there were hundreds of complaints submitted by various Regulators in Europe in the past few years there's been a real Trend and I think it started in 21 that privacy activist communities like nof your business started to submit complaints about cookie banners and consent methods with various Regulators throughout Europe and as a result of that those Regulators were heavily occupied by reviewing those complaints well that is in itself something which is a well I would say day task already but because there were so many and so many Regulators were busy with that they decided to jointly team up and create a task force that task force was created at European level in the European data protection boards and that is ultimately the I would say cooperation between the various supervisory authorities in Europe so they all sit together in that European data protection board and they issue guidance and that guidance is generally very strictly interpreted by Regulators in a member state level so generally companies look at the guidance from the European data protection board and take that as a starting point in addition to obviously the law and in this way that would be the gdpr and the eprivacy directive so what happened there were a lot of complaints submitted by these Regulators Regulators were completely overloaded decided to team up and created this task force task force resulted in a I would say guidance note on how to use cookies and cookie benners and that report is now being what subject to a new debate and I think we will need to discuss that today during the podcast because there is a lot happening but before we dive into the details about the curent debate I think it's important to well briefly mention what was included in the report so people have a bit of an understanding of what the discussion is about in Europe it is first and foremost about cookie banners so cookie Banners are those popup screens that you see if you visit the website where you can generally accept cookies and go to settings or sometimes reject all the cookies so for those cookies you can make a distinction between the cookies that are necessary and that are just function well I would say not person say necessary for the services but helpful for the company that actually deploys those cookies so that could be tracking cookies for instance that could help those companies to Target you with specific advertising services and just personalize your experience so the European view about what you should do with cookies is mainly targeted at those tracking Technologies so making sure that individuals are in control whether they want to receive targeted advertising personalized services or not and in order to do that you're presented with this popup if you go to our website and the European data protection board ultimately said we believe that that popup should be transparent in a way that people are offered the choice so they should be able to reject all the cookies or accept all the cookies but those two options should be presented in parallel and if you only present accept all cookies and you don't allow people to reject cookies or they need to take certain steps that goes against the interpretations of of The Regulators of what would be a compliant way of using the laws I mean that's fascinating yoka I'm interested in many things that you said and Gonzalo I want you to bring you in this conversation I mean I'm reminded of whenever I from the United States and I'd say whenever I travel to Europe or the UK I am presented with cookie banners every website that I go to whereas here in the United States you know maybe one out of five and it's a very different user experience and I think yoka one of the things that you mentioned is that we have a common framework within the gdpr which was largely intended to harmonize data protection through the European Union but the eprivacy directive then allows for a different set of considerations which are then localized which sounds very much like my world where I have 50 different states all doing the same thing Gonzalo from your perspective how much harmonization is possible with that Dynamic especially when you have the edpp who is providing the centralized guidance which presumably the other dpas would respect and follow yes um you are right because directives in the European Union are not directly applicable to the citizens basically each EU member state has to implement its own laws and this is what happened with the EU with the Privacy directive basically it was necessary for each EU member state to publish to approve their own law and certainly when it was approved years ago there were some differences between EU jurisdictions so you find some places like in Spain for instance which was more relaxed and certain cookies were allowed even without a clear consent so implicit consent was possible for instance in other countries there was a clear requirement for explicit consent but what happens is that once when we have the gdpr in 2018 which is a regulation that applies directly so there is no possibility of you member states to defer from the regulation there was a kind of harmonization basically because Al the cookies is are not about personal data only in the practice in many cases they collect personal data and probably the most important cookies the advertising cookies are all about collecting information about users which well we can discuss if it is personal data or not but the DPA in Europe have I mean they consider this clear that an IP address or any information collected through a cookie is personal data so basically all the laws that were basically approved by you m States after the Privacy directive were in the practice harmonized as a consequence of the gdpr and now of this should that we have DPA with um a slightly different Vision on for instance uh consent or or cookie walls or cookie pay walls we can discuss this later if you want uh because this is a very interesting topic now uh the truth is that the general rule which could be that the consent is required and a specific consent is required is basically I mean there is harmonization across Europe so basically now the European data board through the path force that has been mentioned by Yuki is I mean has clarify certain specific very very specific aspects of the cookie rules I will say but the general rule is basically harmonized across across the European Union and this is why you see all these cookie banners every time you come to Europe yeah I mean I think one of the areas where you know it's easily to get caught up really in the details of this is because the technology here in some ways is just outpaces how The Regulators can adapt and frankly how users could potentially even understand what's happening and so yoka maybe I'm going to go back to you with a question because you were just making the distinction which is important is that while we are talking about cookies or pixels or different trackers there are actually subsets within those groups that is important because some cookies are you know what we think of as strictly necessary almost like important for the website to work if it didn't have it the website just wouldn't present to users all the way on the other side of the spectrum to marketing you know where we're dropping cookies in order for purposes of doing behavioral advertising targeted advertising you name it and I think maybe one challenge to all this conversation is even getting agreement on what the categories are what are the rules that apply to different categories and then for any specific piece of technology where does it fit within those categories let alone for us to figure out then what to do about it yeah well this is a a brilliant question very difficult to answer if possible to answer there is no guidance on how to qualify functional cookies versus marketing cookies so it's very much to the interpretation of the company or the regulator and I think there is some clear guidance as to which cookies could be qualified as strictly necessary but what you see in practice is that cookies are quite often used for multiple purposes there is an element of necessity but there could also be an element which could create personalization within that same cookie so making a very clearcut distinction between this is necessary this is analytical and this is tracking is sometimes not easy to be made and what we see with Regulators is that regulator take a very strict interpretation and they go for this well very narrow Vision on everything to be well tracking Technologies whereas in practice certain tracking could be necessary to actually deliver the services that the individual is seeking something I think that the poem is even is even bigger because there is no clear view on what a cookie is or what track technology should be considered cookies the concept of cookie was established in the European Union through the E privacy directive which was approved years ago I mean they were thinking on the pure cookies basically information what the law says is something like you have to you need the consent in order to basically store information in the computer of a user or to get information from the computer of a user which is a cookie a cookie is a txt file that is installed in the computer it is there and the the same website or a different website gets it ing to the policy they have so a pure cookie however what happens is that now we have tracking techologies which are not storing anything stly speaking in the computer of anyone I mean you have you have a pixel tag for instance there's no storage of information in the computer the person okay so there was some possibility of saying okay then all these new technologies that are tracking Technologies should not be captured by the E privacy directive because are not cookies I mean there is no information that is been stored in the computer and there is no information that is been collected from the computer because all the Privacy directive and the cookies cookie rules were not established thinking on privacy we're thinking on keeping the intimacy and keep and protect the information of people in the computer so what they have a different Bild now we are talking about privacy Etc but the Orion was not privacy and this is why cookies are not only personal data Etc but the thing is that now what the European datation board has done and the through the the P force that was mentioned by ji earlier has been to interpret the concept of storage in a very very very broad way meaning that since there is no specific mention to a time for the storage could be milliseconds and therefore since in the practice any computer needs to store information during MCS and the memory they consider that everything that is able to track the individual or the user can be considered as a cookie in the E privacy directive but the truth is that you can find Technologies or and probably will see in the future more and more technologies that are able to track people and I mean it is difficult to include them in the concept in the old concept of cookies we have in the currently in the EU privacy laws so it is not only to say to provide a category for the cookies but it is even it is even worse because there are the difficulties to say when we are in front of a cookie or not from the US perspective yeah I mean that's a fascinating point and really one to worth pausing on I think Gonzalo because I think one of the things that has become apparent is that you know there is so much technology around us and often most organizations most Professionals in the space use the technology without actually even understanding how the technology works and you know this has been an area that's caught a lot of shade in the United States because there has been a number of enforcement actions against organizations who are using tracking Technologies especially with respect to sensitive data and as part of those cases The Regulators have pointed out that often times the individuals with inside of an organization who is responsible for deploying the tracking technology may have had no training or expertise in this particular area you know may have come straight from school and say oh well of course it's important to enable this type of analytics and this type of pixel because that's what everybody else does without understanding the data that's being collected or how it's being used on the back end and for you know these companies Unfortunately they got in serious trouble for that I think what you're describing here is and how this all kind of pulls together is it's very hard to implement a compliant solution without understanding those Technologies in order for you to properly categorize them from marketing to strictly necessary so that when individuals are presented both the notices that the describe the cookies that are available and that you're properly and describing that and then second is that you're affecting an opt out if I say I'm going to opt out of marketing but not analytics well presumably we have to make sure that the only the analytics cookies are being enabled in that case and not the marketing and if there is any doubt as to whether an analytics cookie is a marketing cookie or vice versa we are not actually honoring user choice in that particular scenario so there's only really one way of making this work and that is means that the technology that is so available has to be known and understood I mean what are your thoughts on that well you are right you're are right and it is also necessary not only to understand technology but also to be able to explain all this complexity to the users because this is another point I mean it is not only that you have to understand the technology but you have to understand it to a point where you are able to make easy for the users to understand what's going what's going to happen with the cookies because you have application and we we can link this with another obligation under the under the U law which is to be transparent and to provide detailed information to the user about how the cookies are going to work with what information is going to be collected the cookies that that are going to be installed and this information has to be provided in a clear way so means that if even if you understand the technology and you're able to explain everything on a very detailed terms from a it perspective I mean you should be able to phrase this in a way that it is very easy for people who is basically not Ticky they have don't understand anything about cookies because otherwise this could be a dark pattern I mean if you are basically providing tones of details about your cookies technicalities Etc and and the user is put in front of a policy of to 100 pages of details about the technology behind the the the the website for instance this probably would not be considered to be a transparent and therefore you have another problem here it is that your breaching the law because you are not providing detailed information and the consent of user could be considered valid so yes I mean here I think that cookies tend to be underestimated in terms of of um how difficult it is to draft a policy because in order to to balance all the capturing all the technicalities behind this technology which is more and more complex because as you have said it is not only about cookies but tracking technology is a huge I mean area but also to be able to explain this on clear terms to the to the users and also not I mean not I mean delivering I mean tones of information to them in in a way that they they basically are put in a situation where they are never going to to read everything because it is it is huge so really difficult yeah yeah I think that's exactly right yoka maybe I want to kind of circle back to one of the points that you were raising just in terms of where we are we are headed um you know I heard you say a couple of different things one is that uh we have to catalog inventory all of the the the cookies that are going to be deployed on our various digital platforms we then need to categorize them within the strictly necessary functional Etc uh we need to have a privacy notice I'm sorry a cookie notice I should say that describes all of the ways these these uh trackers are being used the data that's being collected and then we have to have a proper means by which we are presenting a banner uh that then gives individuals the option of accepting all or rejecting all um and presumably something in between that they can accept some but not others um and then it sounds like there also needs to be a lot of care and attention that is played to the actual Banner itself so that users understand how it's it actually works this sounds complicated I me it sounds maybe easy as I described it with just those five different categories but as I know and I know you work with companies all the time and actually deploying all of those various things it can get very difficult interested in in kind of how you're approaching these set of issues with your your your clients and in particular you know how you're helping them manage all of these very detailed requirements in a way that's going to allow them to be effectively implemented yeah so it this is very complicated and there's not a I would say guidance note that actually talks you through these steps that you need to take so it is very difficult and it's also very difficult because what we interpreted to be an analytical cookie could be considered having a marketing element to it or having a tracking element to it by the way it is used so it is working very closely together with the clients and and their business teams for making sure that you actually have a complete picture of what is going on but are also a good understanding of what we actually mean if we talk about functional cookies analytical cookies or tracking cookies so it all starts with that making sure that we all have the same understanding of the same technology used in the same way and I think what is very important is for for clients to actually have that understanding but not only to have that understanding but also make sure that to train the individual business teams about how they can actually use those data that they generate by means of cookies because otherwise you can collect something which you believe to be strictly necessary but that could be for instance used in a way that it no longer qualifies as being strictly necessary so it's difficult what is also very important is that well that that element of being transparent that Gonzalo already mentioned is not straightforward where it concerns cookies because if you apply let's say 40 different cookies from maybe well various other providers and that cookie is then being shared with third- party providers again how to be transparent in a way that you could still say it's clear and comprehensive that's fairly impossible so what we see now with Regulators requiring all these cookie tables I'm not sure if the individual user is actually happy or informed or feels that he or she is in control if they see a table with 30 different cookies being listed with names they can't identify with parties they don't know and how to give valid consent to that I don't think that that is a better situation than we had well I would say a few months ago so it is difficult to achieve this the steps that you need to take very much depends on a company by company basis because it also very much depends on what what kind of company you are how you operate in the market do you use your own cookies do you use third party cookies what do you do with the cookie data what does the other company do with the cookie data so how to create profiles of individuals also very much depend so it's it's a careful uh review that you need to do and that in the I would say broader light of the regulatory guidance that applies to you because we have companies that well obviously Target consumers for instance in multiple EU jurisdictions that basically means going back to the point that gonzala already mentioned various laws various regulatory sets of regulatory guidance can apply to you with have slightly different interpretations and you need to help your clients navigate all those challenges and to give there give an explicit example so I think it was the knill so the French data protection authority that was the first authority to issue guidance in terms of what they expected to be in the cookie Banner that was something which was completely different from the interpetation of the Dutch regulator for instance so in the Netherlands we could make Arguments for saying that certain cookies would not be subject to consent requirements whereas the French Authority issued guidance saying that that was subject to consent requirements you can't go to to your business teams telling them that they need to deploy different cookie strategies in each EU jurisdiction which may change in a few months from now because then there is a regulator stepping up with new guidance so it's it's quite a challenge but I've never come across a company that we weren't able to help but it's very much something we need to tailor to the individual company yeah I think that's exactly right Gonzalo interested in in maybe um a more nuanced um kind of issue that's coming up here is that you know when you um you were talking earlier around you know getting the right type of consense now you and yoka and our other colleagues have trained you know this American lawyer to always be skeptical of hearing a consent under the gdpr uh and what exactly it means to have free and informed consent how is that issue being played out with respect to cookies and you know is there a position that's available to say you know most freely available websites need to make some sort of money in order for them to operate and thus you know having tracking Technologies is going to allow them to be able to uh to maintain uh you know that Revenue stream is there a way to say you know listen if you're not going to accept cookies then don't come to my website uh because there's no way that I can offer it to you just freely without having this advertis mechanism implemented yes well this is the the main issue we are facing now in the European Union so consent has to be explicit informed and free in order to be valid it is more in line with the what the gdpr says with regard to processing of personal data so information we have already mentioned is what Yi had been saying about the banners and the information in the policies Etc but the most difficult thing I should not be difficult but it is becoming difficult is this element of freedom so Freedom means basically that the user has to have a genuine possibility to choose whether or not to give the consent so any situation anything that affects this possibility of choosing to give the consent to accept the cookies or not is considered to be um to making the consent invalid so there are different situations where when this may happen but one of the cases which is mentioned in the gdpr is basically that the to does not exist when the user is put in a situation where it has to consent to accept to to give P that has to consent the person of personal data here we're talking about personal data uh in order to be able to access to a service or to a product provided that the personal data is not necessary so I'm talking about personal data because this rule is established in the gdpr but is applied by the DPA by the authorities also in the context of uh cookies so if you apply this concept of freedom in the in cookies in the cookie word what we find is that any system like cookie walls understood have a St of liid where basically it's a mechanism where the user is required to accept cookies or not to use the service is basically something which is considered to be against the freedom so basically all the providers are required to give an alternative to the users in order to be able to use a service which has to be equivalent and we can discuss about the equivalent concept later if you want because this is the the issue probably um if in case they just don't want to accept cookies so you have you have a provider and you give the user two options you can use the service I accepting cookies or you can use the same or equivalent service under these specific conditions we can talk about the conditions later and both services are more or less equivalent or very similar then you are fine because you are not forcing you are not compelling the user to accept the cookies um because they have the possibility to access to the service without accepting the cookies the problem here is that the service aset has to be equivalent in some cases this could be very clear so for instance if I'm a video platform for instance and I give the user the right or the possibility to access to full content if cookies are accepted or videos without soundrack or in black and white or with a very poor quality if cookies are not accepted then it is not equivalent and therefore you are still compelling the user to accept the cookies because otherwise the service is going to be very very poor and another scenario where this this or another aspect has to be considered and is the probably the most relevant one now is is the price you have mentioned is okay what if I give the user the right to access or the possibility to access to the service by accepting cookies normally behavioral advertising cookies or I give the possibility to access to a service the same service could be but paying a fee paying a price okay this is something that well I mean the in principle this is valid I mean the European datation board and the European court of justice have accepted that as a principle this is possible so it is they are not against completely against the possibility of uh giving this option so cookies or payment the issue is when this payment is proportionate because it the pay the price is very high you are in a situation we have mentioned before you are still compelling the user to accept the cookies because the price is complet disproportionate in some scenarios you can imagine if you ask1 million EUR to access to a service which is very basic one you can say okay this is obviously disproportionate but there are other situations like subscription fee fees Etc that are very very common nowadays in in Internet um and where where it is not that obvious and actually it seems rasonable for a provider to to get a benefit for the service they are providing this is something that where there is no um homogeneous position across the European Union there are dpas with a more strict view on this on this aspect other more flexible and actually this something that the European datation board uh with will be discussing in the next weeks probably in order to try to find um a position on this on this aspect because it is obvious that that or it is clear that companies must be able to to implement business models where basically where they they they are paid or they receive any kind of compensation either by advertising or payment or a different way for the services they are providing um it makes no sense for to ask companies to to force companies to provide services for free I mean probably this is something that that is probably against the freedom of of business um and therefore yes I mean I think that this is a very important important aspect and we are all waiting to have a position from the European data protection board on this on this issue but well answering your question in principle it is possible to have an alternative base on payment however it is important to be careful on on the price you are asking uh for the content because otherwise you have the risk that it is considered to be abusive or disproportionate and therefore your content may be considered not to be free and therefore not valid do we know of anyone who's ever implemented something like that I mean I mean again you know people's expectations are likely to change over time as this stuff becomes more apparent but I have in this you know vision of my mind and maybe this is not right but I'm thinking like okay I'm going to go to a News website uh in uh in Spain uh and I'm presented the cookie Banner uh and I say reject all I'm like well if you want to to access this site and reject all you have to pay me2o and all of a sudden then I have to sit there and type in my you know my my um my credit card details in order to pay the the the news site to Euro to then be able to navigate this for maybe 30 seconds as I want to look at this one little headline and then go on you know surfing the internet all different ways is this I mean is this a business model that we've actually seen before yeah well I mean it is I mean I think that the first one was the was probably meta with with Facebook and WhatsApp it was about months ago it was after um Court decision from by the European court of justice which basically confirm or declare or state that meta was not able to uh process data in the cont of cookies um as something which was what was was part of the contract so the position of meta was okay my contract if you want to use my services part of the payment if you want or or or the way this works is I provide the service for free and you give me I mean you allow me to provide you behavioral advertising which requires spooky so it was like part of the contract the court of justice said this was not possible and therefore the only option abailable more or less was consent so therefore they implemented a consent mechanism and they also say okay if you want to use Facebook and I think was also WhatsApp actually you have to pay a fee I think was five if I remember correctly uh which was I think was the first one or the first one that was so big that people was was surprised oh oh so I now I have the option to pay um but now at least in Spain and probably in Europe is the same you find I mean hundreds and hundreds of companies with this system actually it is I will say it is I mean could say it is the mechanism by default I mean you you find that most of the companies that have a Content which was in the past subject to cookies and behavior advertising now they are offering the alternative to pay a subscription fee in order to be able to access to the to the content so now it is very very common in the European Union and this is why I have said that it is a very important topic and it is something that I mean must be clarified by the European data protection board very soon because here we are talking about the business model of of news companies active in Internet that's really really interesting I mean at some point I wish somebody would publish the data about how many people actually decide to pay versus just you know accept the cookies and move on and see exactly you know how much work and effort and inefficiency we're creating just for people to create a choice that nobody wants uh but maybe with with that yoka um you know as we we uh kind of wrap up here I'm interested in your perspective about where you see other developments coming from so you know Gonzalo mentioned this important Point uh around guidance on this subscription based model or this payment based model for consent um interested in your perspective if there are other things that are on the horizon because I know in particular the Dutch DPA has been leaning into this this debate um and where you're seeing that the the outcome of that yeah so the Dutch DPA was actually GR additional funding for cookie law enforcement so 500,000 a year for while issuing guidance on cookie but also cookie law enforcement until 2026 so it's a pretty it's a pretty hefty increase for the Netherlands if you see what what the well what the Dutch uh DPA got so what they will do is they will review the market in terms of how companies use cookies and how that complies with well back again the gdpr and the E privacy laws I think that is an important development I also think that that well creates a bit of uh debate in the market not only in the Netherlands but also outside of the Netherlands because there is so many countries where this is a Hot Topic at the moment there is from the top of my head guidance from Regulators in well the Netherlands Austria uh Belgium France uh Spain the UK so there is this is not something that this is only a topic in single EU jurisdictions did this covers Europe as a whole I think the the the Alternatives that that Gonzalo already mentioned are very well to be considered by companies and I think in addition to that if you want to not use cookie data but still want to do advertising that could also be an alternative for seeing if you could do Advertising based on account data rather than on cookie data with that you take you step away from that eprivacy discussion and that's actually going to resolve I think quite a few questions I think what is also important to mention here is that the European data protection board takes a very strict view on that payment for cookies they initially I think want to argue that there is no way that we could validate that pay or OKAY model so that model wherein you say okay to cookies or you have some kind of subscription payments I think it's important to keep in mind that pricing is not part of the GDP PR pricing is not part of the eprivacy directive and with that the European data protection boards may have an opinion about it but pricing should not be the driver for certain guidance and I think what Gonzalo already mentioned pricing in itself is not per se prohibited it was confirmed by the European data protection board a few years ago that pricing could be an option a valid option which they now seem to have forgotten but it has also been confirmed in other laws other laws that apply to companies just as important as privacy laws and eprivacy laws so for instance the the Omnibus directive that we have in in Europe but also the digital content directive even the draft eprivacy regulation all of those laws confirm that there is an option for using some kind of paid methods for allowing people access to your services or to the content so we shouldn't only consider the edpb in this context I think we should really push for the edpb to give the European data protection board to give guidance about the legal basis for processing personal data and how to use cookies in that regard but they should not be involved in a discussion about pricing and they should not issue guidance at least from my perspective in a way that that goes against well other directives that explicitly allow for using these kind of methods so long story short I think a lot is happening in Europe and I think it is a fascinating opportunity for for companies to well follow this interesting topic because a lot will happen and a lot will happen on a very short notice because we know that the European data protection board is having his meeting about this topic in a really short not on a really short notice so within the next couple of months likely by the summer we have some additional clarification and guidance from the regulator I mean okay and not all it sounds like a lot is happening in Europe that sounds EX exactly right it also sounds very messy uh and to try to sort through how to to navigate these uncertain Waters uh you know sounds like a a Herculean task and at the same time I heard you say a moment ago that enforcement may be increasing uh as uh you know additional dpas are funded with the expectation that they're going to increase enforcement in this area which I think for many organiz ations is quite scary if we have uncertain obligations and at the same time you know we have the hammer that they're wielding to say we're going to take you know enforcement action maybe um Gonzalo asked the last question to you are you seeing the same thing that yoka mentioned um uh in Spain or anywhere else in Europe where we're expecting additional or increase enforcement around yeah cies yeah yeah yeah this something I mean in his space there was announced a kind of EX official investigation so is when the DPA decides to to check how companies are fulfilling the quick requirements and know member states is more the same I think this is also because since the dpas are not I mean have not the same position necessarily on this issue they are trying to establish their own position by basically investigating a issuing resolutions where they are establishing their position because if all the people is is fulfilling the of a DPA then it is easier for the DPA to to basically to try to impose their position in the in the context of the board of the European datation board so yes definitely yes I think that this is um something where thep are Focus now uh I'm seeing this in Spain and in other and in other countries fins in this area in Spain have not been very high uh in the in the I mean in the history but but now probably they are going to be higher and higher since this matter is starting to be a more uh inter topic for the epas yes well really appreciate both of your insights and expertise on on this podcast I certainly learned a a lot and I'm sure our entire audience did as well yoka Gonzalo thanks so much for joining me on the podcast today thank you very much has been a pleasure with that I'm Scott llan this is the data Chronicles and those are your data [Music] points [Music]