Critical insights from the IAPP Europe Data Protection Congress 2023

20 November 2023

The monumental cloakroom line at the end of the day at this year’s International Association of Privacy Professionals Europe Data Protection Congress 2023 was one concrete indicator of the fervent interest in what appears to be a pivotal moment for the privacy profession ― the rise of generative artificial intelligence.

 Once again, the annual Brussels conference attracted a record number of about 3,000 participants to the Square Meeting Centre. But while last year’s conference had barely a mention of AI, the explosion of interest in AI systems such as OpenAI’s ChatGPT and Google’s Bard meant that it was difficult to attend any session in the 2023 DPC without hearing the initials “AI” at some point. The meeting agenda was peppered with sessions such as “A Playbook toward Operationalizing Responsible AI” and “The Emerging AI Landscape: Revolution and Evolution?” Whether it turns out to be revolution or evolution, the IAPP is trying to be at the forefront of how AI transforms the profession, proposing and then launching a training program this year that aims to create a new professional expertise within organizations to manage the regulatory risks around AI. The dark circles under many eyes at the end of this year’s DPC reflected, beyond the active social pace at one of Europe’s top annual privacy gatherings, the two intensive days of training in AI and other data protection issues that preceded the public conference.

 Even with the focus on AI, there were still plenty of non-AI data protection issues to work through at this year’s congress, which featured a speech by European Justice Commissioner Didier Reynders on his plans to create a new global “network” of nations and international organizations with data transfer adequacy deals with the EU, a club that is likely to grow in the near future following Reynders’ plans to travel to Brazil and Chile to “discuss opportunities to further intensify our cooperation on digital matters.” Another interesting session on mass litigation claims revealed that a recent ruling in a case over claims in the Netherlands that TikTok neglected the privacy of children who watch and upload videos by collecting more data than necessary may dampen the prospects for similar claims in the future because the decision may make such cases less attractive to commercial litigation funders. The DPC was also a coming out party for an important new regulator, Anu Talus, the new chair of the European Data Protection Board. Her session was so popular that it had people sitting and standing in the aisles. And there was plenty of AI news, including a session where European Parliament negotiators said the EU’s AI Act remains on track to be finalized by the end of the year.

Mike Swift
MLex Chief Global Digital Risk Correspondent

Keep scrolling for a taste of our specialist reporting from this significant event, or start your 14-day free trial now to access MLex® insights in full.

The latest on AI regulation, ads, adequacy agreements and more

Generative AI is ‘pivotal’ for regulators, companies must heed privacy risks, UK official says

Data protection watchdogs are united in seeing the rise of generative artificial intelligence as a "pivotal" moment, and AI-focused companies would be wise to consult extensively early on, a senior UK regulator said. Stephen Almond, of the Information Commissioner’s Office, cited regulatory interventions against Snap, Google and ChatGPT developer OpenAI, and said he worried about the risk that organizations might "cut corners" when it comes to privacy.

Deal on EU's AI Act on track, parliament negotiators say, but risks still wait in the wings

The EU’s AI Act is still on track to be finalized by the end of the year, with a Dec. 6 political meeting between legislative institutions being the last of its kind, key European Parliament negotiators said today. But posing a risk to this are the use of AI in law enforcement with biometrics, foundation models, governance questions and a need to clarify the list of "high-risk" activities that will bring an organization into the law's scope, they told a privacy event.

Meta's ad-free option on Instagram, Facebook spark GDPR compliance questions from EU watchdogs

Meta Platforms’ decision to offer paid versions of its services has prompted questions from European data protection regulators on whether consumers are given sufficiently “granular” information about how their personal data will be processed, a Belgian privacy official has said. The case deals with Meta’s legal basis to process data for personalized advertising and relates to one of the most controversial pieces of enforcement since the GDPR entered force in 2018.

Contextual ads seen as privacy-friendly, EU official says, amid debate over targeted ads and cookies

An alternative to targeted advertising that links users’ web activity to online ad placement would be more privacy-friendly, a European Commission official said today. The commission has proposed a voluntary “cookie pledge” that would provide users with improved information about websites’ business models to ensure consumers can make more informed choices on whether or not to accept targeted advertising.

GDPR is stuck in the past and risks EU's digital future, says lawmaker negotiating AI Act

Europe’s digital development is at risk due to the General Data Protection Regulation's restrictive approach to data processing, said EU lawmaker Axel Voss, a key negotiator on the bloc's forthcoming AI Act. The GDPR is outdated and no longer fit for purpose, Voss told a conference. Also, a lack of uniform interpretation of the regulation “has been a mistake that should be corrected,” he said.

EU plans data adequacy for international organizations, not just nations, Reynders says

A first-ever EU data-transfer adequacy agreement with an international organization — rather than a nation — is in the planning and should be proposed soon, the EU’s justice commissioner said today, without naming the organization. Didier Reynders also outlined a European Commission plan for a conference next year with nations or entities that have an EU data adequacy agreement in place.

Dispute over Google's 2019 GDPR enforcement remains stalled, complainant says

A GDPR case against Google remains stalled after years despite attempts by regulators to resolve it, the complainant has said. Romain Robert, formerly of privacy campaign group Noyb, said at a conference today that the enforcement against Google for transparency and consent failings — which led to a 50 million-euro French fine — remains open because the French and Irish watchdogs still cannot agree who is responsible for the remnants of the case, he said.

New EU-US Data Privacy Framework attracting participants and will withstand judicial test, officials say

Four months after the EU and US inked a new trans-Atlantic data bridge, a US official said today that about 2,500 companies have signed up for the new Data Privacy Framework and more are “in the pipeline,” with a majority of those companies being small and mid-sized businesses. Bruno Gencarelli of the European Commission also revealed that Didier Reynders is flying to Latin America this month for adequacy talks with Brazil and Chile, saying there is a “network effect” with data-transfer adequacy agreements.

Israel’s Hamas war leads to first ‘test’ for EU’s content-moderation rules, official says

The wave of violent images and disinformation that has erupted since Hamas’ attacks on Israel on Oct. 7 has been the first “test” for the EU’s content-moderation Digital Services Act, a senior European Commission official has said. The commission’s requests for information from platforms show that it’s learning “the hard way,” and it must rapidly start enforcing the EU rules as a centralized enforcer, Renate Nikolay, deputy director-general of the commission’s digital department, said today.

African nations heaping up privacy laws but obstacles remain for international data flows, experts say

Less than a fifth of countries in Africa lack a data protection law or aren’t working on passing one. But rules that require businesses to store data with a nation’s geographic borders are hampering the development of local and regional markets in digital services, experts on those laws say. A Moroccan privacy regulator and Amazon cloud executive were among voices discussing the continent's challenges at a conference this week.