The IAPP Global Privacy Summit this year was a huge event with over 5,000 attendees and a smorgasbord of keynotes and seminars on a wide range of topics – from privacy and AI compliance to the recent Generative AI developments together with predictions, the status of EU-US data transfers post Schrems II, and the latest in international data transfers. There were also very interesting sessions on privacy and ESG, and privacy and holistic data strategy.
Keynotes on AI and Privacy Developments
An exceptional keynote on Generative AI was given by FTC Commissioner Alvaro Bedoya, who pointed out that AI is regulated. Commissioner Bedoya noted that section 5 of the FTC Act, unfair or deceptive practices, applies to companies making, selling, using or making representations about AI. The Commissioner emphasised that ‘there is no AI carve out’ in tort, civil rights, product liability and common law. You can read more in the Remarks of Commissioner Alvaro M. Bedoya.
The closing keynote panel moderated by Joe Jones, with EDPB Chair Andrea Jelinek, former UK ICO Commissioner Liz Denham CBE, and NOYB Chair Max Schrems, covered a number of topical issues including the following:
- Liz Denham CBE suggested a Bretton Woods on cross-border data transfers given ‘adequacy’ is not working, while EDPB Chair Andrea Jelinek opined that the GDPR is the best solution we have and it should be the global standard.
- Max Schrems reported that NOYB has 800 outstanding cases and enforcement is taking time to occur, partly due to delays caused by differing national procedural laws. Andrea Jelinek indicated that the EDPB had presented a “wish list” on this issue to the European Commission and to expect an announcement about measures to streamline and harmonise national procedures in northern hemisphere summer this year.
- Max Schrems said that while the EU US Data Protection Framework was an improvement, it did not provide adequate protection for EU data subjects, particularly around proportionality and redress, and indicated that Schrems III is likely to be filed.
Nina D. Schick gave an astonishing keynote on the tipping point of Generative AI, predicting that 90% of internet content will be created by Generative AI by 2025 and calling for an authentication standard to address the challenge of information integrity. Ms Schick pointed out that ChatGPT took only five days to reach 1 million users and two months to reach 100 million users. Unsurprisingly, ChatGPT is now being looked at by several data protection authorities, including South Korea and Italy, which is investigating whether it violates the GDPR.
Professor Danielle Citron, author of ‘The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age’, gave a thought-provoking keynote about the price we pay as technology migrates deeper into every aspect of our lives, arguing that citizens, lawmakers and corporations have the power to create a new reality where privacy is valued and individuals are protected as they embrace what technology offers. Professor Citron argues that ‘intimate privacy is a human, civil and moral right’.
Professor Dan Bouk, author of ‘Democracy’s Data – The Hidden Stories in the US Census’, made the point that privacy and confidentiality protect personal data against uses beyond its inherent capacities. From his study of the 1940 census, Professor Bouk explained that ‘human robots’ (as they were called) standardized hand-written information in accordance with government policy, for example, replacing ‘partner’ with ‘lodger’ and changing racial designations and country of birth – which raises questions about identity.
Cross-border personal data transfers
Multiple sessions addressed the status of cross-border data transfers between the EU-US and globally with the trend towards data globalisation. While some sessions focused on the proposed EU US Data Privacy Framework and the challenge of personal data transfers from the EU to the US, others discussed the broader issue of government access to personal data for national security and public safety and the work of the OECD.
Dylan Cors, International Director, Office of Law & Policy, National Security Division, US Department of Justice, Bruno Gencarelli, European Commission, Audrey Plonk, Head of Digital Economy Policy Division, OECD Directorate for Science, Technology and Innovation and Kate Goodloe, Managing Director, Policy, BSA The Software Alliance discussed the OECD’s workstream on trusted government access to personal data, which was started by a December 2020 statement highlighting the urgent need for international collaboration to develop high-level principles or guidance on trusted government access to personal data, and its relevance to any company that sends data across international borders. This has led to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities in December 2022, which clarifies how member countries’ security and policing agencies can access this data under existing legal frameworks in an effort to improve trust in cross-border data flows.
A panel comparing ASEAN and Ibero-American regional model contractual clauses with GDPR SCCs discussed the challenges of data flows in regions with uneven data protection maturity and, on the topics of convergence and interoperability, ended with an intriguing note from Zee Kin Yeong, CEO of Singapore Academy of Law and Infocomm Media Development Authority, to watch for a forthcoming announcement.
Co-regulation and regulatory sandboxes
Another interesting panel looked at whether co-regulation is the future of privacy, which was discussed in a session with Bertrand du Marais, Commissioner, CNIL and Councillor of State, Isabelle Vereecken, Head of Secretariat, European Data Protection Board, Marie-Charlotte Roques-Bonnet, Data Protection Legal Advisor, ENISA, Yannick Bailly, DPO, Nissan AMIEO, and moderated by Fabrice Naftalski, CIPP/E, CIPM, Partner, Attorney at Law, Global Head of Data Protection, EY Société D’Avocats. The clear benefit of co-regulation and regulatory sandboxes is that they enable regulators to keep up to date with technology innovations and industry developments and allow companies to improve and demonstrate compliance.
Anonymization – ISO/IEC
Audience polls conducted at the anonymization panel underscored the need for lawyers and technologists to be able to communicate effectively when developing anonymization strategies. There was discussion about the new ISO/IEC 27558-2022 standard, which may help to facilitate understanding and to focus on assessing data in its context when defining appropriate technical solutions. Although it may be required by law, it was pointed out that aggregation has limited application and rarely gets you to where you need to be.
Data Subject Access Requests (DSARs)
It was very interesting to learn that with the privacy legislation now in force in several US States, companies are already being inundated with DSARs. Not only the panelists but also a large number of the attendees were engaged in responding to these requests, and provided great insights and tips. Amber Cordover, Kelly Peterson Miranda, Jennifer Ruehr and Jena Valdetero discussed their different approaches to DSAR issues like authentication thresholds, authorised agent requests, whether to expand individual rights beyond what is required, balancing of individual rights, the differences between US and EU requirements, post-Dobbs consumer expectations, and automation. One clear issue that has emerged is the number of requests from employees using DSARs as a ‘sword’, which is time consuming and can require a costly eDiscovery-like approach, including review for relevance and privilege. In light of this known issue, the UK ICO has issued guidance on responding to employee DSARs.
Data and Privacy – Governance, Compliance and ESG
There were a number of interesting sessions covering holistic governance, privacy compliance and ESG.
‘The Privacy in ESG’ was a new addition this year. In this discussion, Julia B. Jacobson, Seth Berman, and Shari Piré explained that privacy and data use practices are gaining importance in the ESG framework as investors and other stakeholders seek to better understand how businesses treat privacy and data use practices in the context of their other responsible business practices. One of the key challenges is how to report and benchmark on privacy, and the GRI global reporting standards are currently being reviewed. A recent development is that some states, such as Texas, are now introducing legislation to ban ESG reporting, on the basis that it discriminates against some companies, such as oil companies.
Privacy was discussed in the broader context of the ‘datafication’ of businesses and the need for privacy and corporate leaders to overcome the data silos and have a holistic approach in the session on ‘Getting companies to embrace a holistic data strategy’ with Bojana Bellamy, Keith Enright, Christina Montgomery, and Courtney Stout. The focus of this session was providing insights into how privacy leaders can work within their organisations to be effective business enablers, including tips on effective communication across the organisation and in dealings with the audit and risk committees and the board. One of the interesting points to emerge is the challenge around measuring privacy KPIs and ensuring that privacy activities and performance are measured.
The compliance trifecta of data discovery, data inventory and data retention was discussed in a session moderated by Rebecca Perry, Daniel Christensen and Billee McAuliffe. This session focused on how to architect a plan to develop a smart data inventory, operationalise data retention, and leverage data discovery to be ready for the changing privacy landscape. The mantra of – say it, do it and prove it – was very effectively conveyed to attendees!
Congratulations to IAPP and the team who put together a fabulous event! It was great to be able to reconnect in person with so many privacy professionals from around the globe!
The Hill We Climb by Amanda Gorman
‘For there is always light if only we’re brave enough to see it if only we’re brave enough to be it’.
Read by Amanda Gorman at the inauguration of President Biden and Vice-President Harris.
The White House on the President’s Spring Day Walk, 2 April 2023
Authors: Susan Bennett, Founder & Executive Director InfoGovANZ
Denise Backhouse, Shareholder, Littler Mendelson, InfoGovANZ International Council