AI sets the global privacy agenda
Comprehensive reporting on the International Association of Privacy Professionals'
Global Privacy Summit 2023

The world’s privacy community scattered back home this week from Washington, DC, with a fresh realization: In artificial intelligence, they face a major new area of focus that will demand a robust learning curve for lawyers and regulators alike.
In the days leading up to the start of the Global Privacy Summit organized each year by the International Association of Privacy Professionals, Italy’s data-protection agency announced a ban on OpenAI’s ChatGPT chatbot, while the Office of the Privacy Commissioner of Canada unveiled a probe on the first morning of GPS.
At one of the conference’s main sessions, Alvaro Bedoya of the US Federal Trade Commission warned companies who deploy AI that they aren't “operating in a law-free zone,” but asked the privacy community to embrace the “wonder” of a technology that even its creators don't fully understand.

“The idea that AI is unregulated helps that small subset of companies who are uninterested in compliance,” Bedoya said, touching on the idea that there may be competition questions around the deployment of AI as well as data protection questions. “We've heard these lines before: ‘We're not a taxi company; we’re a tech company. We're not a hotel company; we’re a tech company.’ These statements are usually followed by claims that state or local regulations could not possibly apply to those companies.”
Beyond ChatGPT, the gathering of about 5,000 regulators, legal practitioners, technologists, scholars and journalists had its usual overflow of data protection revelations.
MLex journalists tease out the summit's big-picture themes, including the march of AI, global data-transfer ‘convergence’, rulemaking by US states, and the GDPR’s ongoing influence.
For once, there was a real sense of hope from governments on both sides of the Atlantic that they've unraveled the Gordian knot of international data transfers with the EU-US Data Privacy Framework.
Coupled with a behind-the-scenes effort launched by Japan and pursued by the 38 member nations of the Organization for Economic Cooperation and Development, there was a sense that democracies had accomplished something historic, in which privacy standards would help draw the line between democratic and authoritarian regimes in future years.
Max Schrems, whose takedown of the EU-US Privacy Shield triggered the current legal crisis, discounted the US commitment to adopt European privacy data protection concepts such as “proportionality” to govern the signals intelligence of its spy agencies, and he promised another challenge.
Regulators from Latin America and Asia touted their progress on privacy, but it was Europe’s General Data Protection Regulation that was a global point of reference. Once defended by advocates as a “toddler law” that was yet to grow to maturity, the GDPR is set to turn five next month and is slowly ticking more points off its developmental checklist as it shows its regulatory teeth.
“I think the success of the GDPR is that on day one, 500 million people got new rights and other jurisdictions around the world got a bit of rights-envy [and thought] 'Why don't we have these?' and I think the GDPR accelerated and inspired laws around the world,” said Elizabeth Denham, the former UK information commissioner, pointing to similar regulations passed by lawmakers in the Asia Pacific region and South America.
US states
With no sign the US Congress will enact a national privacy law anytime soon, the emerging patchwork of state privacy laws was a running theme at GPS.
Iowa recently became the sixth US state to pass a consumer law and speakers tried to predict which states will be next. New state laws in California and Utah aim to protect kids online, tackling some of the First Amendment issues that type of legislation poses.
California in 2018 was the first US state to pass a comprehensive consumer privacy law, and a session where California privacy regulators discussed their enforcement priorities drew a standing-room-only crowd of hundreds.
One question has been how the California Department of Justice and the new California Privacy Protection Agency will divvy up enforcement of the California Privacy Rights Act. California Deputy Attorney General Stacey Schesser and Ashkan Soltani, executive director of the privacy agency, illuminated that question as they talked about how they’ll coordinate.
Both agencies will be enforcing the law, but they’re not really “twin” regulators, Schesser said. They’ll be focusing on different areas of enforcement, with the CPPA focusing on administrative issues and the AG focusing on civil enforcement and filing lawsuits in court, they said. The AG’s office is also more likely to handle more complicated cases that involve multiple statutes, not just alleged violations of the CPRA.
The AG’s office will have a slight advantage. If for some reason the agencies are both investigating the same company for potential violations, the AG’s office has dibs.
California privacy regulators also want to ensure that any national privacy law doesn't override state protections that cover data about reproductive rights and other sensitive topics, given the sharp political polarization in the US.
Lydia de la Torre, a board member from the California Privacy Protection Agency, said states such as hers that place a high priority on women’s health choices and protecting the privacy surrounding them should be allowed to keep stringent laws in place. That’s especially true because so many other states seem eager to restrict those choices and threaten people’s privacy, she added.
The question of whether to pre-empt state laws like California’s has been one reason Congress has so far failed to pass a US national privacy law. Because of the large political divisions in the US, any federal privacy law should be crafted to give states considerable leeway to have laws that reflect the values of their citizens, de la Torre said.
Along with fellow agency board member Alastair MacTaggart, who spearheaded the passage of the state’s privacy laws, de la Torre feared that with preemption, the national standards will align with the standards of the states with weakest protections.
ChatGPT
AI chatbot ChatGPT was the topic of countless discussions this week from panel discussions to networking cocktail hours, with regulators across the world highlighting the privacy concerns around the algorithm-training data ChatGPT uses.
Those questions include: Are people giving proper consent for their data to be used to train ChatGPT? Is the AI chatbot properly scrubbing personal identifying information from that raw data?
“They [OpenAI] provided very general information as to how they collected data and how they built their model," said Ko Hak-soo, top enforcer of the Korean Personal Information Protection Commission.
"We are trying to find out a bit more details as to how they built their training data [...] or how much of the data contains data from Korea,” Ko said in an exclusive interview with MLex Tuesday. Ko confirmed that Korea is investigating ChatGPT as well.
Throughout the week multiple countries announced enforcement actions like Canada’s investigation into ChatGPT. Italy put a temporary ban on the AI language learning model last week.
On Wednesday, OpenAI agreed with Italian data protection authorities that it would come into compliance with GDPR and offer more transparency.
PETs
Big Tech and regulators alike are increasingly interested in privacy enhancing technologies, or PETs.
In a conversation centered on multilateral regimes of international interests, US Ambassador for Cyberspace Nathaniel Fick said data protective policies are best shaped when technologies like PETs are “baked in” to the policy-making discussions from the beginning.
A director of privacy policy for Meta, Cecilia Alvarez, said it’s unclear for businesses how concepts like anonymization, transparency and personal data apply to PETs under the GDPR, as different jurisdictions interpret the legal basis for anonymization differently. At the PETs panel, Stephen Almond of the UK Information Commissioner’s Office added that this is an “inflection point” for maturing PETs.
While some of the standards and incentives to advance PETs can come from regulators, Almond said much of it “really, really needs to come from within industry.” But overall, the companies and regulators agreed that, even as PETs mature and become crucial to Big Tech business models, technological innovation can’t replace strong government in privacy and data protection.
GDPR reaches fifth anniversary
With almost 2,000 fines issued since its entry into force in 2018 totaling over 2.5 billion euros, according to a LexisNexis GDPR enforcement tracker, the regulation has left an imprint on not only the European but the global approach to privacy — partially because of its impact on US Big Tech giants such as Amazon and Meta Platforms, regulators said this week.
The UK's Denham insisted GDPR changed the conversation about data protection around the world and “allowed privacy professionals to get the attention of the C-suite and the board.”
IAPP President and CEO J Trevor Hughes speaks to MLex
And current and former enforcers insisted this week that the EU’s rulebook is set to be improved further this year as the European Commission looks to streamline the oftentimes unwieldy and difficult-to-navigate administrative processes associated with its enforcement.
And while this optimism is perhaps not so surprising when it comes from senior EU officials — such as the European Data Protection Board’s outgoing chairwoman, Andrea Jelinek, or the commission’s deputy head of the data protection unit, Karolina Mojzesowicz — it's notable that this sentiment is even echoed by those with fewer reasons for bureaucratic optimism.
Put Schrems, the Austrian “privacy rockstar,” on that list. Schrems has never been shy about calling out regulators that in his view just don't do enough. But even the outspoken critic of the EU authorities’ track record on enforcement insisted 2023 could prove to be a turning point — not only because of these procedural changes, but also important clarifications on the law by courts and potential new redress avenues for complainants.
These changes come as political leaders around the world scramble to figure out a new, more sustainable framework for international data transfers and as the UK tries to find a “third way” with privacy reforms to streamline the EU-inherited GDPR and make them more business-friendly, while discovering the limits and costs of post-Brexit regulatory divergence from the bloc’s rulebook.
But despite all the teething problems, the GDPR still drives the global conversation on privacy. Not bad for a five-year-old.