Greetings from Munich. The city is preparing to host its 188th Oktoberfest, the world-famous traditional folklore and beer-ignited festival. The Bavarian capital will be flooded with 5 million visitors over the next two weeks to enjoy traditional entertainment.

In a tamer style, the IAPP hosted its Data Protection Intensive: Deutschland 2023 this week, featuring no less than five German regulators on the main stage and discussions covering accountability in the EU General Data Protection Regulation, the evolving role of the data protection officer, cybersecurity and data transfers among others. Unsurprisingly, a lot of presentations and hallway chatter was about artificial intelligence and challenges associated with operationalizing AI in an uncertain legal and regulatory environment.

Regulators from Baden-Württemberg, Bavaria, Rhineland-Palatinate and Schleswig-Holstein all concurred on a few key points:

  • AI is not a new technology but the speed at which it is developing and being deployed is unprecedented. That said, regulators all agree the speed doesn't change the fact that GDPR principles should apply to AI and controllers need to be able to comply with their accountability duty.
    "There is no privilege for AI under the GDPR," one regulator said. Which also means organizations can leverage the risk-based approach under the GDPR (and what will emerge in the upcoming AI Act) to find a way to minimize and mitigate risks.
  • There is no certainty at the moment on which authority will be the AI regulator in Germany. DPAs are not always the best placed to lead, at times, they may even not want to be in the driver’s seat. However, they will plan to cooperate among themselves on AI data protection matters, and together with other sectoral regulators that will also be involved in AI supervision and enforcement.
  • When it comes to the ideal AI governance structure, there is no one-size-fits-all, nor do regulators see a particular model emerging. It depends on the company, its risk environment and many other factors. One element on which they all agree: the DPO office might not be the best lead for AI governance, but they should have a seat at the table.
  • Regulators do get questions about AI but this is not a daily occurrence, just yet. In a few German states, AI pops up a bit more in the public sector context — use of AI in schools, traffic surveillance questions, etc.

In a somewhat comforting way, everybody seems to be in the same boat — private sector and regulators alike — when it comes to mastering compliance, building knowledge, developing skills and creating the right governance structure for this multidisciplinary field.

IAPP President and CEO J. Trevor Hughes, CIPP, opened the conference advocating that AI governance conveys a sense of urgency for privacy professionals, called to do a lot of work to ensure responsible and trustworthy AI innovation.

Regardless of what laws like the EU AI Act will require, organizations will need qualified professionals to do the work and an AI governance structure capable of coalescing many different and complementary profiles. In order to help empower professionals to get there, the IAPP is rolling out an AI Governance Professional training and certification. Our team is hosting in-person workshops at our upcoming conferences so if you are interested, reach out!

Elsewhere:

  • European Commission President Ursula von der Leyen delivered her much-awaited State of the Union address on Wednesday. Temperature had risen in Brussels in the days preceding her intervention with concerns about what she would say — or commit the EU leadership to do — on hot topics ranging from electric cars to the Ukraine war.
    She addressed digital policy, mostly focusing AI. "We have a narrowing window of opportunity to guide this technology responsibly. Together with partners, Europe should lead the way on a new global framework for AI, built on three pillars: guardrails, governance and guiding innovation,” she said.