As human beings, sometimes we get wrapped up in our own world and issues, having tunnel vision and not always taking the time to stop, think and evaluate how our actions resonate beyond our community. We may think that is the case when it comes to artificial intelligence, a topic that has seized the privacy community in unprecedented ways, but there is no denying AI has become a prime-time issue.
Case in point: the BBC invited the IAPP to discuss the EU AI Act during its morning news segment. Although it was humbling for yours truly to be on air between segments about upcoming elections in Turkey and bombings on the Gaza strip, it was telling of how pervasive the debate about AI has become throughout society and business circles. The interest is only going to grow, as European Parliament will formally endorse its position in June and start trialogue negotiations with the European Commission and Council of the EU shortly after. Parliament departed from the original proposal on several significant areas of the text, including the inclusion of foundation models for general purpose AI or further limiting carve-outs to the use of biometric identification and facial recognition. With over 5,000 amendments only during parliamentary debates, the trialogues promise to be very intense.
To keep track of it all, and more AI global news, feel free to sign up to our new AI Governance Dashboard newsletter if you haven’t already.
On a different topic, European Parliament also made headlines by adopting a resolution about the EU-U.S. Data Privacy Framework. Unsurprisingly, given the institution's historic position on the issue, the resolution calls for the European Commission "not to adopt the adequacy finding until all the recommendations made in this resolution and the EDPB opinion are fully implemented" and to continue negotiations. While this is not a message many want to hear right now, its apparent gravity has a couple of caveats: Parliament has no formal role in the adequacy approval process so this resolution is nonbinding on the European Commission, though it is a noteworthy political signal. There is also very little to no appetite to reopen the negotiations on either side of the pond, as the U.S. government is still crossing the t’s and dotting the i’s on what was agreed in the first place.
But the fact that the DPF is not yet in place may raise privacy professionals’ blood pressure. Ireland’s Data Protection Commission is expected to adopt its decision on Facebook's standard contractual clauses today, possibly weakening the ease of use and reliability of this transfer mechanism for many organizations beyond the social media company. The impact of the DPC decision remains to be seen and, as much as we expect a transfer order suspension and possible a deletion order of data previously transferred in breach of compliance, it is possible Facebook's appeal strategy — assuming there is one — could drag on long enough for the DPF to become a valid transfer mechanism in the meantime time, at least for companies transferring data to the U.S.
We also have a couple of online conversations lined up about other hot issues in Europe that you may want to add to your calendars.
- On 16 May, the IAPP will host a webinar on the interdependence and collaboration between privacy and cybersecurity functions in Europe, jointly organized with (ISC)².
- 17 May, the IAPP will host a LinkedIn Live discussion with the European Data Protection Board on its newly launched coordinated enforcement action on the role of the data protection officer, followed by a discussion with two practitioners.
- 14-15 June, IAPP Data Protection Intensive: Nederland will have a keynote by Aleid Wolfsen, chair of the Netherlands' Data Protection Authority and EDPB chair candidate.
Much to watch out for in the days and weeks to come!