Privacy isn’t a policy layer in AI. It’s a design constraint.

The new EDPB guidance on LLMs doesn’t just outline risks. It gives builders, buyers, and decision-makers a usable blueprint for engineering privacy - not just documenting it.

The key shift?
→ Yesterday: Protect inputs
→ Today: Audit the entire pipeline
→ Tomorrow: Design for privacy observability at runtime

The real risk isn’t malicious intent. It’s silent propagation through opaque systems. In most LLM systems, sensitive data leaks not because someone intended harm but because no one mapped the flows, tested outputs, or scoped where memory could resurface prior inputs.

This guidance helps close that gap. And here’s how to apply it:

For Developers:
• Map how personal data enters, transforms, and persists
• Identify points of memorization, retention, or leakage
• Use the framework to embed mitigation into each phase: pretraining, fine-tuning, inference, RAG, feedback

For Users & Deployers:
• Don’t treat LLMs as black boxes. Ask if data is stored, recalled, or used to retrain
• Evaluate vendor claims with structured questions from the report
• Build internal governance that tracks model behaviors over time

For Decision-Makers & Risk Owners:
• Use this to complement your DPIAs with LLM-specific threat modeling
• Shift privacy thinking from legal compliance to architectural accountability
• Set organizational standards for “commercial-safe” LLM usage

This isn’t about slowing innovation. It’s about future-proofing it. Because the next phase of AI scale won’t just be powered by better models. It will be constrained and enabled by how seriously we engineer for trust.

Thanks European Data Protection Board, Isabel Barberá
H/T Peter Slattery, PhD
Building Privacy Partnerships Between Users and Developers
Summary
Building privacy partnerships between users and developers means creating a shared understanding and collaboration so that personal data is protected throughout the process of designing and using digital products. This approach moves privacy from a legal checkbox to a practice where both sides work together to ensure trust and transparent data handling.
- Prioritize open communication: Take time to explain privacy features in simple language and allow users to ask questions so they feel confident about how their data is used.
- Share clear responsibilities: Make sure both developers and users know their roles in privacy management, including how consent is gathered and how personal information is handled.
- Align privacy with goals: Work with other teams to understand their needs, then show how privacy protections can support business objectives and improve customer trust.
-
‼️📱The CNIL - Commission Nationale de l'Informatique et des Libertés has released its final recommendations for mobile application developers to help them ensure privacy protection. These guidelines, which will be enforced starting in 2025, target all parties involved in creating and distributing mobile apps, including app publishers, developers, SDK providers, operating system vendors, and app store providers.

📍The recommendations emphasise that all stakeholders must cooperate to protect personal data throughout the app development process. The document outlines the responsibilities of each group, helping them navigate legal requirements and collaborate effectively to guarantee data protection. For instance, app publishers make the software available to users, while developers are responsible for writing the app's code. SDK providers offer pre-built functionalities like audience measurement tools, while operating system providers such as iOS and Android enable apps to function on mobile devices.

📍One of the primary goals of the recommendations is to clarify each stakeholder's role and ensure they understand their responsibilities. This includes advice on how to inform users about their data use better. User consent is another critical focus, especially when apps request data for purposes beyond the app's functionality, such as targeted advertising. The CNIL stresses that consent must be freely given, and users should be able to refuse or withdraw consent at any time without facing hurdles.

📍To combat the overwhelming nature of consent requests, CNIL advises developers to collect consent in a way that is contextual and easier for users to understand. This means seeking consent based on the user's actions at appropriate moments rather than bombarding them with requests upfront. Additionally, while technical permissions (such as access to location data or camera) allow apps to function, they do not necessarily constitute legal consent under data protection laws. Therefore, developers must implement a Consent Management Platform alongside technical permissions.

📍CNIL clarifies when developers are considered data processors or data controllers under the regulation. If a developer provides the app's code and has no further role in its operation or data processing, they are not responsible under GDPR. However, if they process data on behalf of the publisher, they are considered data processors and must ensure the app's design complies with GDPR's data protection principles. If the developer uses personal data for their purposes, such as improving other apps or offering new services, they may be classified as a data controller and must obtain the app publisher's approval before using the data for additional purposes.

#mobileapps #gdpr #privacy
-
Isabel Barberá: "This document provides practical guidance and tools for developers and users of Large Language Model (LLM) based systems to manage privacy risks associated with these technologies. The risk management methodology outlined in this document is designed to help developers and users systematically identify, assess, and mitigate privacy and data protection risks, supporting the responsible development and deployment of LLM systems.

This guidance also supports the requirements of the GDPR Article 25 Data protection by design and by default and Article 32 Security of processing by offering technical and organizational measures to help ensure an appropriate level of security and data protection. However, the guidance is not intended to replace a Data Protection Impact Assessment (DPIA) as required under Article 35 of the GDPR. Instead, it complements the DPIA process by addressing privacy risks specific to LLM systems, thereby enhancing the robustness of such assessments.

Guidance for Readers
> For Developers: Use this guidance to integrate privacy risk management into the development lifecycle and deployment of your LLM based systems, from understanding data flows to how to implement risk identification and mitigation measures.
> For Users: Refer to this document to evaluate the privacy risks associated with LLM systems you plan to deploy and use, helping you adopt responsible practices and protect individuals’ privacy.
> For Decision-makers: The structured methodology and use case examples will help you assess the compliance of LLM systems and make informed risk-based decision"

European Data Protection Board
-
You just killed another project with two words: "Privacy requirements."

Marketing’s face goes blank when you explain why their targeting campaign can’t use third-party data. Product pushes back your feature review for the third time. Sales is working around your restrictions again.

Here’s the problem you might be having: You’re speaking compliance, but they’re hearing roadblock.

Marketing doesn’t care about GDPR Article 6. They care about:
→ Lead generation that works
→ Campaign performance they can measure
→ Attribution they can defend to executives
→ Customer acquisition costs that don’t kill budgets

Product doesn’t care about privacy-by-design principles. They care about:
→ User experience that flows
→ Development velocity that doesn’t stall
→ Technical performance that scales
→ Customer satisfaction scores that go up

Sales doesn’t care about data governance frameworks. They care about:
→ Lead quality that converts
→ Sales cycles that close faster
→ Predictable customer acquisition
→ Competitive positioning that wins deals

Here’s how you can build influence instead of resistance:

Stop saying “You can’t access that customer data.”
Start saying “Here’s what data you can use for outreach.”

Stop saying “You can’t use that third-party data for targeting.”
Start saying “Here’s how we can get similar results with data we can stand behind.”

Stop saying “This feature needs to be GDPR compliant.”
Start saying “Here’s how we build user control into this feature to increase engagement.”

The difference? You’re solving their problems instead of creating new ones.

Learn their metrics. Join their planning before decisions are made. Show how privacy features can support business goals and strengthen customer trust, even if they’re not a competitive advantage on their own.

The most influential privacy professionals don’t usually win through authority. They win through usefulness.

Which team have you found the best partnership with? What made that collaboration click?
-
🗣️ Sometimes the meeting before the big meeting is where you accomplish the most.

If you are working in Privacy, AI Governance, or any other role where you need to guide organizational thinking and behavior, building relationships is a priority. Sure…being friendly and approachable is nice and good, but real partnership will grow when you invest time and energy in understanding the goals (and pain points) of other stakeholders.

🤝 Before you ask the Digital team to make changes in the consumer journey, make sure you understand their mandates and key requirements.
🤝 Before assigning training to your Customer Experience team, spend time learning how they actually process data or use AI in their role, and then give them training tailored to them.
🤝 Before sounding the alarm on risks associated with your Application Development teams, work with them directly to get understanding on why things currently work the way they do.

None of these actions require you to compromise the quality guidance you give your organization. They actually help you be well-informed enough to actually provide that guidance.

If you want to build effective solutions, build better relationships first.

#privacy #dataprotection #aigovernance #cybersecurity #besties