The next chapter of data privacy: a live discussion with Max Schrems

Published October 20, 2025, by Clara Verglas

Summary

Last week, Didomi had the pleasure of hosting a fascinating conversation with renowned privacy lawyer, author, speaker, and chairperson of noyb Max Schrems, Marie Fenner, Global senior vice president at Piano, and our CEO and co-founder, Romain Gauthier.

Over the course of an hour, the three engaged in a discussion covering data sovereignty and the EU-U.S. Data Privacy Framework, innovative methods of data collection and their impact on businesses, and, of course, artificial intelligence and the challenges it’s presenting to data privacy as we know it today.

Keep reading for an overview of the conversation, and head to the end of the article to access the recording of the webinar. *Disclaimer: Some quotes were lightly edited for clarity and legibility.

Data sovereignty: The role and impact of the Data Privacy Framework (DPF) on international data transfers

Our speakers opened the webinar with a brief introduction, followed by a discussion on data sovereignty focused specifically on the EU-U.S. Data Privacy Framework (DPF).

This adequacy decision replaced the defunct Privacy Shield, enabling compliant transatlantic data transfer. Implemented via an executive order from former U.S. President Joe Biden, the framework has always been considered to be on shaky ground, especially since the inauguration of Donald Trump:

It [The DPF] was always a bit of a house of cards, in the sense that it’s based on an executive order signed by Joe Biden. While we hope everybody can comply with that, we know that Donald Trump can overturn it tomorrow.

- Max Schrems, Chairperson of noyb, privacy lawyer, author, and speaker 

The conversation covered foreign companies facing significant fines in the EU and a potential end to the DPF, and expanded beyond the U.S.-EU question towards a global outlook, including international geopolitics, trade wars, and the fact that data privacy regulations and frameworks can be leveraged amidst geopolitical tensions. 

The concerns surrounding the “weaponization of privacy” were a focus of Romain Gauthier’s last quarterly LinkedIn update:

The global political climate and geopolitical scene of the past few months, marked by tariffs, calls for deregulation, and at times tense relationships between the EU and the U.S., have fostered a new antagonistic mindset in cross-Atlantic relations.

While I strongly support the idea of data sovereignty and governance, especially in the context of data operations (it is one of the pillars behind our acquisition of Addingwell earlier this year), I also believe that we should avoid the traps of antagonistic sovereignty and a “us vs. them” mentality, especially in the context of data privacy.

Data privacy is a human right, and its principles and standards should always strive to be universal, regardless of whether they apply to consumers in the U.S., the EU, or anywhere else in the world. Amidst intense debates over AI regulation, it would be a shame for users of ChatGPT and Mistral to be subject to different privacy standards based on the company's headquarters location. Or worse, to have EU citizens relegated to the status of second-class citizens when it comes to access to technology because the EU and the U.S. have chosen to weaponize privacy in their trade war.

- Romain Gauthier, CEO and co-founder of Didomi (source: LinkedIn)

Offering a global perspective, Max Schrems touched on his experience with data transfers with China, and Marie Fenner, as the global senior vice president at Piano, shared her point of view and expertise with the group regarding some of the things organizations can implement to ensure they strike the right balance between compliance and maximizing data value:

From Piano’s perspective, we are here to help our client collect the right data and use it to provide better services to their customers. There are a number of things organizations can put in place (...) 

You’ve seen the latest announcements, for example, in the UK, saying you can collect data as long as you can limit the purpose. (...) I would really urge all of you to assess that you’re doing the right thing in terms of due diligence, but also not losing that competitive advantage by leveraging exemptions.

- Marie Fenner, Global senior vice president at Piano

To dig deeper and learn more about data transfers and the EU-U.S. Data Privacy Framework, including how to get ready for potential changes, check out our blog.

Data collection: Emerging methods like server-side tracking

The second topic discussed by our panel was data collection, an often overlooked step in data privacy conversations, even though it’s seeing dramatic transformations, including the emergence of server-side technologies.

In a brief introduction, Romain Gauthier covered what server-side tracking is, as opposed to client-side tracking; the context surrounding its current rise, including gatekeepers’ influence, browser restrictions, and industry changes; and the benefits it entails, including a positive impact on performance, data quality, and governance for organizations.

Didomi is helping drive the expansion of server-side tracking as a privacy-enhancing technology, as evidenced by our acquisition of the server-side tracking platform Addingwell earlier this year. Still, our co-founder and CEO also recognized the importance of using it mindfully and with privacy in mind, as highlighted by Marie Fenner:

I think server-side is great, but I don’t think it’s a panacea or a silver bullet. As we say, with great power comes great responsibility. (...) Regaining control as a brand from all sorts of tags firing almost without you knowing is fantastic, and brands are building that direct relationship with consumers, so I think that’s absolutely right. 

But the fact that it’s happening on the server-side and is not always visible imposes a responsibility to bring transparency to the fore and implement all necessary consent mechanisms. 

- Marie Fenner, Global senior vice president at Piano

Marie also mentioned the recent GTM decision in Germany, which led to a larger discussion and a legal perspective on recent calls for lighter regulation in the European Union.

Legal perspective: The EU digital omnibus package, privacy in the U.S., and the potential of a GDPR ‘light’

The conversation shifted towards the digital omnibus package, a new initiative proposed by the European Commission to overhaul digital regulation, streamline compliance, and address consent fatigue in the EU.

Max commented on the project (and previous omnibus packages from the European Commission) through the lens of a report he and his team at noyb are working on, which maps the balancing act between generating more work for DPOs, costing businesses more money, and providing increased privacy protections for consumers. It contrasts actions that cost a lot of money and energy while providing minimal impact for consumers with high-impact changes that don’t require much extra work for DPOs:

What I saw with these omnibus approaches was that this work was probably not done from the first step. 

We have a political feeling of ‘we want to do something with less bureaucracy’, but without really having the proper evidence and approach to see what does or doesn’t make sense.

- Max Schrems, Chairperson of noyb, privacy lawyer, author, and speaker 

This criticism has been echoed by some, including our Chief Privacy Officer Thomas Adhumeau, who highlighted the technical limitations of the proposed reform in a recent article.

Max also mentioned that only ⅓ of European businesses run online advertising campaigns (let alone advanced advertising tracking), which could be a motivating factor to push towards some form of regulatory streamlining, before turning to the recent trend of Global Privacy Control (GPC) and its enforcement in the U.S., particularly in California, Colorado, and Connecticut.

On the complexity of the U.S. data privacy patchwork and the questions surrounding consent fatigue, Romain raised the question of standardization, something he highlighted at the turn of the year as one of the main trends for 2025. In the webinar, he reiterated the importance of finding common industry standards:

What is required to make that great vision happen is an open standard around privacy. We need to describe all the purposes and nuances in which GDPR has framed data processing in a digitally readable way.

- Romain Gauthier, CEO and co-founder of Didomi

One challenge Romain identified in achieving this on a global scale, however, is the cultural difference in how U.S. and EU companies, for example, approach privacy, which makes it difficult to bring this vision to life. To illustrate the challenges ahead, he mentioned the resistance he has observed from industry players to the IAB standardization efforts, which is common when trying to roll out a standard to a large audience.

Wrapping up this section, Max evoked the long-discussed GDPR ‘light’, suggesting that we should soon find out whether some of these ideas will gain traction in the coming months.

Artificial Intelligence: The use and processing of personal data by AI technologies

Wrapping up the event, the panel focused on artificial intelligence systems, specifically the intersection of AI and data privacy, and the associated key legal and ethical challenges it might present. 

Max opened the conversation by providing background on the type of work he and his team are concentrating on regarding AI, focusing specifically on AI training. 

By providing examples related to social media platforms, training models, and LLMs, he highlighted that many companies rely on legitimate interest for ethically questionable training practices, which could impact millions of people, revealing upcoming developments in Europe:

That segues nicely into what we’re working on right now, which is collective redress in Europe, class actions. For a year and a half, we have had European class action laws, and I cannot say too much publicly, but it is brewing up.

- Max Schrems, Chairperson of noyb, privacy lawyer, author, and speaker 

Max went on to share his opinion on the market's current direction and where it might end up in a couple of years: 

We now have this ‘arms race’ for AI. (...) I don’t see it as a race; it’s probably more like a marathon in reality. (...) But in that whole hype, the question is “does anybody bother about the GDPR?” and the answer is probably no. That means risk is building up somewhere in the basement.

- Max Schrems, Chairperson of noyb, privacy lawyer, author, and speaker 

On the topic of an “AI race”, Marie shared that 95% of generative AI pilots at companies fail to deliver business results, according to an MIT study. This highlights that jumping on the AI bandwagon without a proper strategy can result in a lack of impact on ROI.

Based on her position as the Global Senior Vice President at Piano, Marie was able to share best practices and guardrails from the company’s own use of AI with the audience, including:

  • Guaranteeing data sovereignty and residency
  • Providing data access for customers
  • Taking proactive measures to prevent ‘Shadow AI’ risks 
  • Encouraging transparent, ethical AI practices internally 

The best practices mentioned by Marie opened up another conversation introduced by Romain, surrounding AI agents and responsibility.

The rise of AI agents and their privacy implications

Romain opened the discussion by giving the example of a consumer asking an AI agent to conduct a transaction on their behalf on the internet. During this process, the user's agent interacts with agents from companies that provide services or sell products online to address the user's needs, which may involve the transfer of personal data.

Where does privacy fit in this world, and who’s going to assume responsibility if things go wrong?

While Max mentioned that the scenario still seems dystopian to him, he considered that many existing rights might already cover AI algorithms, but that the complexity of the technical components of these technologies and how they work makes it difficult for legal professionals to address, which Romain calls a “black box problem”.

From the business perspective, Marie then explored the new solutions emerging, like Cloudflare’s pay-per-crawl initiative. She provided examples of what she and her team have already started to observe in their interactions with clients:

We are already discussing agent-to-agent or agentic commerce relationships, where people are not actually visiting the publishers' or retailers' websites. They are actually asking their agent to go and find the best deal for their holiday next month. When that happens, who’s the data controller, who’s the data processor? It becomes quite murky.

- Marie Fenner, Global senior vice president at Piano

We strongly encourage you to watch the full recording (available at the end of the article) to hear the entire conversation, and to check Romain’s latest quarterly update on LinkedIn, where he shared some of his thoughts about where the internet is heading with regard to AI, at the intersection of digital marketing, publishing, data privacy, SEO, advertising, and User Experience (UX).

Conclusion and recording of the webinar 

The event was a resounding success, offering fascinating insights to the hundreds of attendees who were able to watch live. 

Marie, Max, and Romain explored a number of topics over the allocated hour, with a common thread on the necessity for data privacy to be considered as a human right, embedded into the technologies we use today and the ones we will use tomorrow.

Access the full recording below, and keep scrolling to read answers to some of the questions the audience asked in the chat that we didn’t get the chance to address during the event.

Questions and Answers (Q&A) from the webinar

Will new privacy laws around the world reshape tracking the way GDPR did?

Yes, but probably in more nuanced ways. As Max Schrems noted during the webinar, the GDPR set a global standard that inspired most current privacy laws. However, new regulations (in the U.S., Brazil, and parts of Asia) are taking a more pragmatic, business-driven approach. 

The focus is shifting from restricting tracking outright to standardizing consent mechanisms and improving transparency, as highlighted by Romain Gauthier. You can expect gradual evolution, rather than a sudden overhaul.

Is Google consent mode GDPR-compliant?

As always, it depends heavily on the specific implementation and use case at hand. When used properly, tools like Consent Mode can support compliance, but organizations remain responsible for ensuring data isn’t collected before consent. To learn more, head to our article about Google consent mode.

What is the difference between server-side and client-side tracking for privacy?

The main difference lies in control and visibility.

Client-side tracking runs in the user’s browser, often relying on third-party scripts that can be hard to monitor. Server-side tracking happens on the organization’s servers, offering better data governance, accuracy, and performance. Check the full comparison in our article.

Ultimately, as Marie Fenner noted, that extra control also comes with extra responsibility: server-side is not a “silver bullet” and brands must still ensure transparency and maintain consent at every step, even if users can’t see what happens behind the scenes.

Google Tag Manager is under scrutiny in Germany: will other EU countries follow?

It is likely that the German decision will influence other jurisdictions and data protection authorities, based on similar cases in the past. Read our article to get the full picture of the GTM decision in Germany.

Is privacy seen differently in the U.S. and the EU?

Absolutely. As discussed during the event, data privacy in the U.S. is often treated as a consumer or commercial issue, while it is widely considered a fundamental right in Europe. This cultural gap affects regulation, enforcement, and even technology design. 

The challenge for global organizations is to build privacy frameworks that meet both expectations, respecting EU-level protections while remaining practical in markets where privacy is driven by business or consumer trust.

The author
Clara Verglas
Marketing Coordinator at Didomi
Exploring the world of Data Privacy through writing and creativity.