Masters of Privacy

“You trust your chatbot with everything. Should you?” is the title of Theodore Christakis’ comprehensive research project on the privacy of our conversations with AI. Part two of this project (“Governments, Courts and the Battle Over Your Chatbot Conversations”) was published on June 8th, and we have taken the opportunity to ask the author for a high-level overview of his findings. On top of this, we have also discussed his separate piece on the rise of AI-powered health assistants against the backdrop of the new European Health Data Space, discussed last week in our Spanish-language channel.
(Our previous conversation with Mr. Christakis focused on the use of personal data in LLM training datasets.)
Theodore Christakis is Professor of International, European and Digital Law at University Grenoble Alpes (France). He holds, since 2019, the Chair on the Legal and Regulatory Implications of Artificial Intelligence at the Multidisciplinary Institute on AI (AI-Regulation.com). He is Director of Research for Europe at the Cross-Border Data Forum, a member of the Board of Directors of the Future of Privacy Forum, and a former Distinguished Visiting Fellow at the New York University Cybersecurity Centre.
His work focuses on the questions at the centre of today’s debates on digital sovereignty: government access to data held by private companies, international data transfers, the security and operational resilience of digital infrastructure, and the regulation of artificial intelligence. He served as an expert for the OECD in the process that led to the adoption, in December 2022, of the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. He was a member of the International Data Transfers Experts Council of the United Kingdom Government, and an expert for the High-Level Expert Group on Access to Data for Effective Law Enforcement established by the European Commission and the Council of the European Union. He has also served as a member of the French National Digital Council and of the French National Committee on Digital Ethics.
He has published or co-edited twelve books and is the author or co-author of more than 120 academic articles and book chapters. He has been invited to lecture and present his work at conferences, workshops and seminars on more than two hundred occasions, in over 38 countries.
As an independent expert, he advises governments, international organisations and private companies on questions of international and European law, cybersecurity, artificial intelligence, digital sovereignty and data protection.
References:
* Theodore Christakis’ SSRN Author Page
* Theodore Christakis on LinkedIn
* You Trust Your Chatbot With Everything. Should You? Part I: How The Controller Uses Your Chat Data (March 3, 2026)
* You Trust Your Chatbot With Everything. Should You? Part II: Governments, Courts and the Battle Over Your Chatbot Conversations (June 8th, 2026)
* The Health AI Agent Rush: Five Companies, Your Health Data, and the Governance Questions Nobody Is Asking (March 25th, 2026)
* Mikel Recuero: a deep dive into the European Health Data Space (ES, Masters of Privacy, June 2026)
* Multidisciplinary Institute on AI
* Université Grenoble Alpes: Centre d’études sur la sécurité internationale et les coopérations européennes.


This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

We are revisiting the AI-copyright interplay for the first time in nearly three years. Copyright remains very relevant to our sphere of interest, not least because the EU AI Act specifically points at EU copyright law with regards to training data and transparency requirements for AI models.
Malcolm Bain is an English solicitor and Spanish abogado. He has worked as an Information Technology and Intellectual Property lawyer over the last 20 years, with a specialisation in technology licensing, open source software and content, technology transfer and privacy. In 2006, together with his partner Manuel Martínez, he founded his own firm “id-law partners” as a boutique specialized in IP and ICT. In May 2018, both incorporated this firm into Across Legal.
In addition to his professional activity advising entrepreneurs, private companies, public administrations and open source projects, Malcolm is a member of the Free Software Foundation Europe and ASTP, associate professor of law at the University of Barcelona, ​​mentor in Tecniospring Industry and other programs for entrepreneurs and frequent speaker at conferences and seminars in the field of ICTs and entrepreneurship in the digital world.
References:
* Malcolm Bain at Across Legal
* Malcolm Bain on LinkedIn
* Monkey selfie copyright dispute (Wikipedia)
* Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC
* Report on Copyright and Artificial Intelligence (UK Intellectual Property Office)
* Stability AI largely wins UK court battle against Getty Images over copyright and trademark (AP News, November 2025)
* US Copyright Office: Copyright Registration Guidance: Works Containing Material Generated by Artificial Intelligence (2023)
* German Court Rules OpenAI Infringed Song Lyrics in Europe’s First Major AI Music Ruling (November 2025)
* Jakob Plesner: Copyright Exceptions for Generative AI (Masters of Privacy, October 2023).
* (NOTE: The second part of this conversation was recorded in Spanish and is available in our separate Masters of Privacy ES channel.)


This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

Our repeat guest is a partner at Stoel Rives in San Francisco. John is co-lead of the firm’s Technology Industry Group. He counsels clients on data privacy, information security, artificial intelligence, and other technology dispute, compliance, and transactional matters.
John has taught Technology Transactions Law at the UC Davis School of Law and Comparative Privacy Law at the Santa Clara University School of Law. John has also guest lectured on technology and privacy law topics at the University of California, Berkeley, Haas School of Business; the University of San Francisco School of Management; and Stanford University.
References:
* John Pavolotsky: The Long Arc of Data Breaches: 2006-2026 (May 14, 2026)
* Colorado SB 26-189, repealing and replacing Colorado’s original 2024 AI Act
New laws being discussed in California, or just approved:
* AB 1542: to prohibit a business, service provider, or contractor from selling or sharing sensitive personal information to a third party.
* AB 1898: to require an employer to maintain an updated list of all workplace AI tools currently in use and to provide the list to workers annually.
* AB 2021: whistleblower complaints.
* AB 2169: social media platforms, artificial intelligence models - to allow a consumer to request a copy of the consumer’s personal information, contextual data, and social graph and require the social media company or model operator to respond to that request within five business days.
* SB 300: companion chatbots - transparency and rules of engagement.
* SB 574: to obligate an attorney who uses generative artificial intelligence to practice law to ensure that confidential personal identifying, or other nonpublic information, is not entered into a public generative artificial intelligence system.
* SB 867: AI-powered toys - to be subject to the same rules proposed for companion chatbots.
* SB 923: to expand data deletion requests to any personal information that the business has collected about the consumer (and not just from the consumer).
* SB 1000: to require provenance data disclosure in content generated by artificial intelligence as well as tools to facilitate detection.
* SB 1142: Digital Dignity Act - to prevent digital replicas for the purposes of impersonation.


This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

How about an extremely practical book with detailed examples and quizzes based on a fictional town? Also, let’s revisit the UK legal framework: impact of the DUAA 2025 and proposed PECR changes.
Tim Turner (here for a third time) is the author of “The DPO Daily Challenge” (April 2026). He has worked on Data Protection, Freedom of Information (FOI) and Information Rights law since 2001. He started at the Information Commissioner’s Office as a Policy Manager on FOI issues. After that, he was a Data Protection & FOI Officer for two councils and then an Information Governance Manager for an NHS organisation. He has been offering data protection training and consultancy since 2011. Also, Tim is the author of the popular DPO Daily newsletter and LinkedIn feed. 2040 is his training company.
References:
* The DPO Daily Challenge (sign up page)
* Tim Turner on LinkedIn
* ICO: Our advice to government on potential changes to online advertising rules
* The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?
* Data Protection vs. Privacy and Data Privacy: a January 28th conundrum (Tim Turner, Carissa Véliz, Gabriela Zanfir-Fortuna, Markus Wünschelbaum, Brendan Quinn - Masters of Privacy, 2025)
* Tim Turner: UK news spotlight - advertising, reforms, AI (Masters of Privacy, March 2025)
* The Hitchhiker’s Guide to the Galaxy (Douglas Adams, 1979)
* 2040 Training
* The DPO Daily on LinkedIn


This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe

We’re back with a Newsroom update. We will cover four of our usual five blocks: ePrivacy & regulatory updates; MarTech & AdTech; AI, competition and digital markets; and the future of media.
This season’s update includes:
* Age-verification fines (insufficient controls, too much data collection) in the UK and Spain, EDPB age-verification guidelines, California’s upcoming age-verification requirements
* Enforcement actions in the US (public, private)
* Guidelines for email tracking pixels in France and Italy
* New ICO guidelines for storage and access technologies (exceptions for analytics, A/B testing, etc.)
* Social Media bans across the world and what is failing
* Data collection in the context of new media networks and AI labs.
As announced - Firmas.io: a mobile application to complement the TODO.LAW ecosystem (contract management, signatures, credentials).
All references and links (plus some bonus materials) can be found in a separate blog post available to paid Masters of Privacy subscribers on our website’s Newsroom section (Newsroom Notes: Spring 2026).
Our usual disclaimer: the voice that joins Sergio today is a text-to-speech output generated with Eleven Labs.


This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit www.mastersofprivacy.com/subscribe