IAPP Europe Data Protection Congress 2024 – Key Takeaways


December 4, 2024

Over 3,000 privacy professionals from around the world gathered in Brussels recently for the 13th International Association of Privacy Professionals’ Europe Data Protection Congress 2024.

The conference focused on the optimal way of regulating data protection and artificial intelligence, analysing the flurry of new privacy and AI laws and regulations and building bridges between existing legal frameworks and risk management systems.

Speakers explored governance structures and implementation mechanisms, global data protection and AI practices and litigation risks posed by new technologies and privacy statutes.

Key Takeaways

1. Companies are preparing for the EU AI Act.

Many companies are developing organizational structures and taking other AI governance steps to comply with the sweeping AI Act. Key topics included:

Allocating responsibilities within companies:

Many panelists advocated for cross-functional AI compliance teams involving legal, IT, data protection, business and product development. Speakers also debated the role of a company AI officer.

Risk management:

Speakers shared insights on risk management systems, often based on a traffic light system categorizing AI tools by risk level. This approach helps determine which tools require coordination with AI governance roles and which can be used more freely.

Compliance frameworks:

Many speakers reiterated the importance of leveraging existing compliance frameworks, such as those established for GDPR, to comply with the AI Act, a point also made at the IAPP Global Privacy Summit 2024. Speakers recommended identifying overlaps in compliance work and building on existing risk assessments, records of processing activities, incident logging and security policies. Some suggested integrating AI topics into privacy training to ensure comprehensive compliance.

2. Speakers described difficulties in implementing the AI Act.

While companies are making efforts to ensure timely compliance with the AI Act, many speakers highlighted numerous difficulties due to uncertainties and open-ended questions.

Particular concern centers on provisions set to take effect in February 2025. Many speakers said they eagerly await guidelines and opinions from authorities, including possible templates. Companies are also looking forward to the European Data Protection Board's opinion on "AI models," expected by the end of 2024. Some panelists noted the tight timeline between the opinion and the February effective date of several AI Act provisions.

Panelists expressed concern about the number of authorities regulating AI, noting that the AI Act lacks a cooperation mechanism. One panelist cited Ireland, where nine authorities have AI-related competencies. Many said it's already challenging to align positions among data protection authorities. They expect it to become even more difficult with the involvement of more authorities at the national and EU levels. Some speakers emphasized the challenge of aligning industry-specific regulations with the horizontal, cross-industry AI Act.

3. Companies are concerned about the implications of the GDPR for AI systems.

Many panelists expressed concern about the implications of the GDPR for AI systems, particularly regarding the legal basis for training AI models, whether AI models contain personal data, and the implementation of data subject rights. A significant issue is that AI models are difficult to "untrain" once data is fed into them.

Many in the industry rely on legitimate interest as the legal basis to train AI models. Yet some panelists noted challenges due to enforcers' general mistrust of this basis and the prevalence of consent-centric jurisdictions. The Irish Data Protection Commissioner commented that legitimate interest can be acceptable if supported by a robust legitimate interest assessment (LIA). He criticized many companies' LIAs for lacking sufficient information and emphasized the need for reassessments throughout an AI system's life cycle. Panelists also discussed a new AI-related draft model LIA developed by the Information Accountability Foundation. Although regulators found the draft model helpful, it is not officially endorsed and must be aligned on a case-by-case basis.

4. Regulators have crafted plans to enforce the AI Act.

Europe aims to become a leader in AI, said Kilian Gross, Head of Unit for AI Policy Coordination and Development at the European Commission. The Commission has combined all of its AI activities under one director. A new AI Office in the European Commission will leverage Commission resources but maintain some autonomy.

The AI Office aims to regulate and support AI adoption. Its first General-Purpose AI Code of Practice is in the consultation process. The office seeks a cooperative approach and wants to learn from companies about the gray areas in the AI Act that need clarification. Discussions continue on whether EU Member States should adopt a centralized enforcement approach. An emphasis remains on ensuring authorities have the necessary expertise and skills.

5. Speakers explored the EU-U.S. Data Privacy Framework (EU-U.S. DPF) more than a year after it took effect.

A session with Lieven Brouwers from the European Commission and Alex Greenstein from the U.S. Department of Commerce focused on the state of the EU-U.S. DPF more than one year in. The Commerce Department has increased staffing and oversight. It conducts spot-checks on compliance, including a look at privacy policies, and may follow up with questionnaires if it detects deficiencies. Regulators also are looking into automating oversight.

Executive Order 14086 on government access remains unchanged. Agencies have implemented necessary guidelines and policies. The EU official seemed satisfied with U.S. measures but said the lack of complaints means companies have had little to no practical experience with the framework yet. Concerning a legal challenge, the U.S. official considered it an advantage that the United States drafted the executive order based on the Schrems II judgment.

Regarding potential changes in a second Trump administration, the U.S. official noted past bipartisan recognition of the importance of EU-U.S. data flows. The Commerce Department and European Data Protection Board are in discussions to prepare guidance on HR data and onward transfers related to the EU-U.S. DPF.

If you have questions, reach out to our authors (Henry Wu, Dr. Daniel Ashkar, Dr. Christian Schröder, Robert Weinhold).