Rarely do data privacy stakeholders from academia, tech companies, the White House, and the European Union Parliament convene in a single room. However, such an event occurred during Tuesday's IAPP Global Privacy Summit 2023 in Washington, D.C. Panelists utilized this opportunity to deliberate on the ongoing transatlantic negotiations surrounding the Privacy Shield Agreement's successor and to exchange perspectives on the legal frameworks required to address technology's evolving advancements.
Ongoing Data Privacy Negotiations Between U.S, EU Discussed at IAPP Global Privacy Summit 2023
During the IAPP Global Privacy Summit 2023 session titled "What Are the Long-term Implications of the Trans-Atlantic Data Privacy Framework," panelists discussed the ongoing obstacles faced by the EU-U.S. Data Privacy Framework (EU-US DPF). They also questioned the long-term sustainability of the adequacy model in the global context.
Recently, the AG completed the consultation process on the list of judges for the DPRC, indicating that the U.S. is progressing in finalizing the judges that will serve on the DPRC.
While the EDPB praised the efforts of negotiators to limit the collection of signals intelligence based on necessity and proportionality, it also highlighted some key concerns. These concerns could potentially signal the shortcomings of protections of individuals in the EU, according to EU Privacy Counsel at the Future of Privacy Forum Sebastião Barros Vale.
The U.S. still needs to finalize its efforts. Until then, any decision from the European Commission on whether the U.S. has adequate data privacy protections may be delayed. The EDPB recommends that the European Commission withhold the issuance of the final adequacy decision until the U.S. intelligence agencies effectively implement the policies and procedures needed to comply with the executive order and the new court is in place and functioning, said Vale.
Additionally, the EU must be determined as a qualifying state by the U.S. before it can render its adequacy judgment. According to Caitlin Fennessy, CIPP/US Vice President and Chief Knowledge Officer at IAPP, the U.S. is discussing with the European Commission the information needed to identify the EU as a qualifying state. The framework has an element of reciprocity. The U.S. Department of Justice must deem the EU a qualifying condition to provide reciprocally commensurate redress and protections for U.S. citizens across the EU.
New Discussions Around AI Governance
Discussions around AI governance have recently been a hot topic between the U.S. and EU, with both jurisdictions aiming to regulate AI, albeit through slightly different approaches. During the "The Challenges of Governing Artificial Intelligence: US and EU Perspectives" session, panelists from both sides discussed these approaches. While the EU proposed the AI Act, which is still in the legislative process, Brando Benifei noted that existing EU laws, including GDPR, Digital Services Act, and Digital Markets Act, offer some guardrails for AI models to comply with. Benifei suggested that additional regulatory efforts may be needed for AI models that pose higher risks to citizens' safety, health, and fundamental rights.
On the other hand, the U.S. has taken a different approach to regulate AI, with less actual regulation, possibly because it is home to many AI innovations. Alexander Macgillivray pointed to the existing legal framework in the U.S., such as the EEOC and FTC actions and the White House's recently released Blueprint for an AI Bill of Rights. The Blueprint focuses on expectations for AI models to respect privacy, be safe and effective, avoid algorithmic discrimination, and always have a human alternative. Macgillivray noted that the Blueprint thinks about the potential impact of the particular AI and aims to make AI safer and more likely to work.
