The International Association of Privacy Professionals ("IAPP") is the world's largest information privacy organization.
IAPP provides education, training, and tools to professionals engaged in data privacy and security.
Each year, IAPP hosts a Global Privacy Summit bringing together data protection regulators, government officials, attorneys, information technology consultants, and data privacy experts from all over the world to participate in education and networking seminars on emerging trends in global data privacy.
The 2018 Global Privacy Summit took place in March in Washington, D.C. with a particular focus on the European Union's upcoming General Data Protection Regulation ("GDPR"), set to take effect on May 25, 2018. The sessions covered a wide range of topics from specific GDPR implementation and enforcement strategies, including discussions about the potential legal conflicts between the GDPR and United States privacy laws, to the impact artificial intelligence ("AI") and blockchain technologies will have on privacy.
Specific seminars included:
GDPR Enforcement Panel:
Helen Dixon, Commissioner of the Office of Data Protection of Ireland, noted that her organization has more than doubled its staff to assist in enforcing the GDPR. She emphasized that enforcement begins on day one, May 25, and that there is no "grace period" for companies that have not yet begun the process of implementing the GDPR.
In discussing the enormous fines entities could face for not complying with the GDPR, Commissioner Dixon stated that fines were simply one tool in her office's toolkit, but that her team was ready to assess fines for any company that put data subjects' personal information at risk.
Conflicts between United States Privacy Laws and GDPR:
Isabelle Falque-Pierrotin, current President of France's top data protection authority, the National Commission on Informatics and Civil Liberties, emphasized that any company that had not yet prepared for the GDPR is already behind and should start "today, not tomorrow."
Nonetheless, Falque-Pierrotin acknowledged the potential conflicts of law between United States data protection laws and the GDPR and that there would be a learning curve for European authorities in situations where, for example, the Federal Bureau of Investigation requires an entity to delay notification for law enforcement purposes despite the GDPR's 72-hour notification requirement. She emphasized that the intent of GDPR enforcement policy was not to financially penalize companies, but to instead hold companies accountable after taking all facts into consideration in a pragmatic and proportionate process by means of working with the company at issue to protect data subjects' fundamental rights.
Filament CEO Allison Clift-Jennings and Cardozo School of Law Professor Aaron Wright, experts in the rapidly developing field of blockchain technology, discussed how blockchain is intertwined with data privacy and future privacy law in relation to the ever-evolving blockchain technologies. Clift-Jennings also discussed the upside of blockchain from a data privacy perspective, as blockchain databases promote transactions between parties without those parties having to disclose their identity to the public and allow parties to control their own data better than they could under other data storage mechanisms.
Clift-Jennings noted that because the linked "blocks" are arranged in chronological order, data recorded on a blockchain is very difficult to alter or manipulate. This structure can be extremely useful in preventing fraud, but it can also conflict with the GDPR's "Right to be Forgotten," which allows a data subject to demand that the subject's personal data be completely erased.
Oracle Managing Counsel Pedro Pavon, Shopify Associate General Counsel and Data Protection Officer Vivek Narayanadas, and dataxu Legal and Data Protection Officer Andrew Dale debated the benefits and harms of AI and its impact on privacy. However, there was much discussion about the dangers of algorithmic bias and its potential conflict with the GDPR's prohibition on decision-making based solely on automated means when such decisions impact a data subject's legal rights.
The panel also debated the potential privacy issues posed by the always-on technologies such as Amazon's Alexa® and the overall impact and influence these technologies have on society's behavior and attitude towards privacy.
The panelists all agreed that one of the greatest benefits of AI is its ability to quickly and seamlessly collect, synthesize, and generate data that can benefit society using machine learning without human interference.
If you would like to learn more about how privacy and data security laws impact your business, or specifically the GDPR, please contact Angela P. Doughty, CIPP/US.
© 2019 Ward and Smith, P.A. For further information regarding the issues described above, please contact .
This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.