IAPP UK Data Protection Intensive 2024 Highlights: Dive into AI, Data Privacy, & Cybersecurity
April 2024
By Franziska Schulze
Welcome to the recap of the highly anticipated IAPP UK Data Protection Intensive 2024. This leading industry event brought together legal professionals and privacy experts to explore the latest trends and developments in AI, data privacy, and cybersecurity. A focal point of the event was the keynote speech delivered by UK Information Commissioner John Edwards, who shed light on the key themes dominating the legal landscape in the UK. Let's delve into the highlights from this thought-provoking conference.
UK Regulatory Priorities:
During his keynote speech, Edwards outlined the key areas of the UK Information Commissioner's Office (ICO) strategy:
- Social Media and Children: The ICO will continue to prioritise the protection of children online, in particular on social media and video sharing platforms, in line with the Children’s Code of Practice that was introduced in 2021. This year, the ICO will focus on default settings (in particular those relating to capturing location data and targeted advertisement), on recommender systems whose algorithms use behavioural profiles, and on age assurance technologies.
In other sessions, participants discussed the regulatory framework in other jurisdictions, how to conduct relevant risk assessments and how best to incorporate the best interests of children into product design. Age-appropriate design will remain a key concern for online businesses interacting with children, and efforts to understand whether users are in fact children may have to become more effective.
- Cookies and Consent: The ICO reviewed the cookie consent mechanisms on websites with the highest traffic in the UK and gave recommendations to more than half of the websites it reviewed, inter alia to ensure that it is as easy to accept as it is to reject cookies. The ICO is planning to launch an automated tool to accelerate the review of more websites going forward. How best to obtain cookie consent will be of interest to most companies with an online presence, in light of the continued regulatory interest in this area.
- AI and ICO Consultation Papers: As AI continues to transform industries, the UK’s strategy is to regulate Artificial Intelligence through existing laws, including UK GDPR. The ICO published consultation papers to conceptualise responsible AI last year and will follow on with more papers this year. The panel following the keynote speech featured insights from AI industry insiders who discussed the shift in public perception of AI and its trustworthiness – one participant highlighted a study showing a significant shift from even just a few years ago. A large majority of samples in an age group below thirty would now trust AI more than a human reviewer. The panel highlighted the responsibility this trust entails and how easily it could be lost if AI is not developed and deployed ethically.
- Interplay between Competition Law and Data Protection Law: Edwards outlined the cooperation between the ICO and the Competition and Markets Authority (CMA), including in the joint statement with the CMA.
- Biometrics: The ICO will continue to focus on the appropriate use of biometrics. Edwards mentioned its investigation into Serco where it found that the use of facial recognition and fingerprints to log attendance without offering an alternative was not compliant.
Key Topics Explored in the Conference:
The conference featured captivating sessions, presentations, and networking opportunities that deepened the discussions around AI, data privacy, and cybersecurity. Some of the key topics explored include:
- Significance of AI and Data Privacy/Cybersecurity: The legal industry is embracing AI as a transformative force. The conference highlighted the increasing importance of integrating robust data privacy and cybersecurity measures into AI endeavors to foster regulatory compliance, build trust, and mitigate risks.
- AI and the new EU AI Act: The conference had a strong focus on AI in a number of sessions, including on the EU AI Act, which was officially adopted after the conference took place, as well as on the laws and initiatives in other jurisdictions, including the US. Participants discussed how to frame responsible AI governance and identify appropriate risk models.
There were lively discussions as to whether and how training data could be extracted from models or what other remediation might be possible where training data was not collected in compliance with privacy and/or Intellectual Property laws.
AI regulation will affect most companies, and many companies have stood up governance frameworks for ethical AI use, allocating responsibility from board level down. This is important for all companies to consider appropriately. While only a few companies develop cutting-edge AI models in-house, most companies are already using AI as part of their business, and this will only accelerate going forward, whether third-party AI models are being deployed as part of products, within the enterprise, or as part of their customer service.
- EU Data Act and Manufacturing/Utility Companies: The EU Data Act and its sharing obligations were discussed in several sessions, recognizing its profound implications for manufacturing, providers of “related services” and utility companies, as well as cloud hosting companies. A session took us through the complexity of a real-world example featuring a paper mill and an electricity company. This showcased the challenges in identifying and preparing the data assets that would need to be shared, and the prerequisites for sharing, as well as the limitations.
- Competition and Data Protection Interplay: Sessions featured speakers from the CMA and the ICO who illustrated how the use of personal data by companies can be relevant under both regulatory regimes, and how regulators work to coordinate enforcement actions. The CJEU decision in Facebook reviewing whether the German Federal Cartel Office had acted ultra vires when investigating not only competition law but also GDPR was discussed as an example, as were the ongoing discussions on Google's sandbox for phasing out third-party cookies.
The speakers highlighted the challenges of reconciling the goals of competition law for access to personal data with the goals of data protection law to achieve data minimization, individual control over data, and its safe handling. But they also drew out the common ground and how that is reflected, for example, in the EU Digital Markets Act and the EU Digital Services Act. These could be said to use tools of competition law to reinforce privacy rules when it comes to technology companies with the highest market power.
Companies should therefore consider fostering collaboration and interaction between their antitrust/competition lawyers and their privacy teams, so that they are ready to approach their compliance stance from all angles, reconciling their antitrust and privacy programs into a coherent whole.
- Challenges and Opportunities in AdTech and Privacy: The pervasive role of AdTech in the digital age brought forth intriguing conversations about its compatibility with privacy regulations. Attendees scrutinized the challenges and explored innovative approaches to strike a balance between effective advertising and preserving privacy. The conference discussed the permissibility of the Consent or Pay model that is subject to review by European regulators. The European Data Protection Board issued an Opinion on its limitations in April. These developments were triggered by investigations into social media platforms at Member State level that have risen to discussion at EDPB level, but the outcome of these investigations could also affect the many publishers employing a pay or consent model for cookies on their websites.
- Recent Enforcement Actions and Notable Cases: Insights into recent enforcement actions included an interesting discussion on the recent ICO finding against Snap, which held that Snap’s privacy impact assessment on a generative AI chatbot used by a large number of users between 13 and 17 years old was insufficient in that it did not review the privacy risks appropriately. A panel also discussed the ICO decision in Clearview (finding that Clearview’s use of billions of images was non-compliant) and Clearview’s successful appeal against that decision on grounds of lack of jurisdiction. ICO decisions against Experian and the ongoing investigation into TikTok were also discussed. Speakers from the ICO also mentioned the forthcoming fining guidelines by the ICO, which are hoped to bring more clarity. These case studies provoked thoughtful discussions around best practices and risk mitigation.
- Ongoing Discussions on International Data Transfers: International data transfers and the EU-US Data Protection Framework as well as the US-UK Data Bridge continued to be a focal point, with attendees actively engaging in discussions surrounding evolving standards and strategies to comply with varying global regulations.
Top Three Takeaways:
- Networking Opportunities: The IAPP UK Data Protection Intensive 2024 offered invaluable networking opportunities, enabling privacy lawyers and professionals to forge connections, foster collaboration, and share knowledge. The power of community support in navigating the evolving legal landscape cannot be overstated.
- AI Regulations: AI regulations extend beyond developers of large language models. Privacy lawyers are encouraged to delve into the EU AI Act and global regulations to stay abreast of compliance requirements when clients develop AI models as well as when they adopt third-party AI systems. Expanding expertise in this area will enable legal professionals to better support their clients in an AI-driven world.
- Beyond AI: The EU Data Act carries significant implications for manufacturing and utility companies, requiring them to prioritize the management and protection of data assets. Additionally, the scrutiny surrounding the Consent or Pay model underscores the need for publishers to reassess their approach, ensuring both compliance and sustainable monetization.
Conclusion:
The IAPP UK Data Protection Intensive 2024 provided a platform for legal and privacy professionals to engage with cutting-edge topics in AI, data privacy, and cybersecurity. The event highlighted the growing importance of staying informed about evolving regulations and emerging best practices in privacy. Closing speeches reminded us of the bigger picture: the ethical dimension of why we regulate privacy and AI, and how important decent privacy and legal practices will continue to be. Lord Holmes focused on equality and inclusion in AI, as reflected in the private member's bill on AI that he introduced to UK Parliament, while Anna Funder highlighted the historical dimension of privacy rights as a human right, and how significant it will be to keep the lessons of past abuses in mind as we forge ahead in AI.
Franziska Schulze is a former divisional General Counsel of a multinational company. For Axiom, Franziska has used her deep subject matter experience in technology, privacy, and AI to advise clients across a range of industry sectors on complex legal matters. Her clients have included multinational technology companies, business service and data companies, an international hospitality brand, life science and manufacturing companies, and even a global luxury brand.