Calls are increasing for both privacy professionals and regulators to step forward and take on more prominent roles to address challenges stemming from a fluid digital landscape.
No longer are privacy and data protection the singular mission. Focus is shifting toward an all-encompassing concept of digital governance, where personal data collides with artificial intelligence technologies, commercial surveillance, biometrics, cybersecurity and more.
The topic of how practitioners and regulators are handling the new paradigm headlined the keynote stage at the IAPP Global Privacy Summit 2024. The overwhelming message among keynote speakers was, while policy considerations are piling up, professionals and regulators are positioned to lead the charge to foster strong overarching digital governance practices and consumer trust.
"Because we are not privacy-specific, narrowly focused or sector specific, we are able to think about these issues in the integrated way in which they are appearing in markets," U.S. Federal Trade Commissioner Rebecca Kelly Slaughter said during a keynote panel.
The FTC has indeed been nimble across the digital governance spectrum in recent months with enforcement work on AI, data brokers, location privacy and children's privacy. Slaughter said the FTC's work on AI and how it "hits across almost every division of our agency" is particularly exemplary of the all-encompassing approach the agency is adopting instead of "imposing artificial siloes on markets that don't exist in the real world."
Straddling digital spaces is nothing new to Australian Privacy Commissioner Carly Kind. Before becoming commissioner in February, Kind was the director of the Ada Lovelace Institute and worked on digital policy for the European Commission and the Council of Europe.
Successfully traversing the intersections within digital governance, according to Kind, draws back to prior lessons learned. She said the key to good AI governance practices can be copied from what organizations previously built for privacy and data protection.
From a regulator's standpoint, Kind indicated the promotion of good AI governance relies on "how we redistribute and rebalance power through the law and the governance regime." However, there should not be one concrete framework to achieve balance and good practices.
"I don't think we need to stipulate one way forward," she said. "We should certainly try to agree what principles should define good AI governance, and I think some of those include putting citizens or consumers at the starting point."
Organizational alignment
A noncohesive regulatory regime is top of mind for organizations trying to manage or delegate responsibilities for tackling digital governance. Companies of all sizes are facing different laws in different sectors and different jurisdictions more than ever before.
There's no shortage of unsettledness and confusion in the EU, where the bloc's digital rulebook grew significantly in recent years with the Digital Markets Act, Digital Services Act, Data Act and Data Governance Act joining the EU General Data Protection Regulation and other existing digital laws. The AI Act will soon be added to the mix, generating a greater avalanche of questions around interplay with other laws and what compliance measures take precedence.
Organizing the response to the "big soup" of EU digital regulations and laws in other jurisdictions begins with a clear statement of values, according to Mastercard Chief Privacy and Data Responsibility Officer Caroline Louveaux, CIPP/E, CIPM. For example, Mastercard launched data responsibility principles years ago that are "consumer-centric" and "guide everything with data and technology."
"They apply everywhere, irrespective of the law or the country," Louveaux added. "To make it simple, we have one process and one tool to review all our products and solutions. ... We've also established a governance committee with all key (company stakeholders) present, because effective governance can only happen with a multitude of teams, diverse skillsets and expertise."
IBM is using similar collaboration models to ensure integrated governance practices are maintained. Vice President and Chief Privacy and Trust Officer Christina Montgomery said her company has similar committees, both broad and subject specific, that keep all facets of IBM's business informed and at the decision-making table.
Explaining IBM's approach to its AI offerings, Montgomery indicated that while the all-inclusive discussions are crucial, there is a priority on expertise to guide organizational discussions.
"You need to understand how your HR team is using (AI), and then your finance team, etc.," she said. "The domain expertise is another element that's really important with what you might find in some areas depends on your business model."
The compliance bridge
For companies that do not have one-size-fits-all compliance capabilities, new product deployment has never been more challenging. Identifying if a law even applies to a company or its new product is at the heart of the compliance puzzle.
Commissioner Slaughter sympathized with the burdens of assessing where compliance is required, but also acknowledged businesses "have the responsibility" to perform that due diligence to be a player in the market in the first place.
"I think our goal is to be as transparent as possible with companies about what the law requires so you know in advance and can do the work to figure out how a product fits in," Slaughter said. "Doing that anticipation, planning and mapping instead of trying to go back and clean things up after the fact. It's just what the law requires and what we want to help companies do well."
To carry out effective fact finding and pre-deployment risk assessments, particularly in the context of AI, Louveaux indicated a given company "should not start from scratch" and instead "leverage existing risk structures and governance rules." Privacy professionals are positioned well to be a resource to company executives on why those existing tools and processes are still appropriate and applicable.
"We understand data and technology better than anyone else," Louveaux said. "We know how to balance different points, different interests and how to manage risks that come with it all. And we're already used to convincing stakeholders across the company to get the job done."