Commitment to Privacy Requires Action
In November 2024, our legal team attended the IAPP Europe Data Protection Congress in Brussels, Belgium, hosted by the International Association of Privacy Professionals (IAPP) – the world’s largest organization to define, promote, and improve the professions of privacy, AI governance, and digital responsibility globally. Given our commitment to ensure security and privacy for everyone, we find it essential to be part of the latest developments in privacy and data protection within the EU and beyond.
Evolving Privacy and AI Regulations
The conference attracted over 3,000 participants and offered over 50 different breakout session topics. Not surprisingly, one of the major conference topics was “Artificial Intelligence” (AI) with several sections covering the new EU Artificial Intelligence Act (EU AI Act), its legislative requirements, potential risks and challenges, and how to ensure compliance. As expected, many questions remain open, and only the future can tell if the EU AI Act can fulfill its expectation as a landmark law that protects fundamental rights while boosting innovation and establishing Europe as a leader in the field.
Having been implemented for one year already, the EU-US Data Privacy Framework (DPF) was also a topic of interest. Due to the upcoming change of the U.S. government, there is general uncertainty about what to expect, particularly with regard to whether U.S. President Biden’s Executive Order of October 7, 2022, facilitating the transatlantic data transfer under the DPF, might be revoked by the incoming president-elect. It was interesting to learn that, so far, no complaints have been filed at the new U.S. Data Protection Review Court established by the Executive Order. Otherwise, not much is known about this court, which was created in the summer of 2023 to review cases based on complaints from individual EU residents alleging that the U.S. government violated their privacy rights through digital surveillance.
The current U.S. patchwork of privacy law was discussed as well. Although there is still no federal U.S. privacy legislation, currently, 20 U.S. states provide comprehensive data privacy laws to ensure privacy protection on a state level. Note that the scope, requirements, and rights of individuals in these state privacy regulations differ from state to state and, in comparison to the GDPR, are often less extensive.
The Battle for Digital Governance
Columbia Law Professor Anu Bradford, who coined the term “the Brussels effect” in 2012, discussed as a keynote speaker the global battle to regulate technology, differentiating between three digital models (the American market-driven model, the Chinese state-driven model, and the European rights-driven model) as well as their implications for liberal democracies. Professor Bradford noted that unless we are willing to accept that digital economies are governed either by authoritarianism or by tech companies, everybody’s task is to show the world that there is a liberal democratic way to govern technology. She concluded that we still have a choice to make: Is it technology that governs us, or is it the human, the rule of law, the commitments to rights, and democratic governance that will be shaping the future of technology and our society?
Data Protection Software Takes Center Stage on the Conference Floor
On the conference show floor, many different exhibitors promoted their management software, stating that it would help companies’ data protection compliance efforts. These included exhibitors offering an official GDPR certification scheme (as referred to under Art. 42 GDPR), approved by the European Data Protection Board (EDPB), to demonstrate compliance of data processing activities. It was encouraging to see that companies continue to be willing and interested to invest time and money to comply with data protection requirements. As noted during our attendance at the Global Privacy Summit 2023 in Washington D.C., our team would also be interested in witnessing more conversations about how to avoid the collection of unnecessary personal data to reduce non-compliance risks and protect user data. This could be achieved, for instance, by instituting the “principle of least authority” (POLA). At Least Authority, we believe privacy should be proactive and preventative, planned as the default setting, and embedded into the design of products.
The Global Compliance Agenda: How We Can Help
For us, attending events like the IAPP Europe Data Protection Congress is more than staying up to date — it is about contributing to the conversation and identifying where our expertise can make a meaningful difference. With AI and new compliance matters dominating discussions, it is clear that businesses are looking for solutions to manage increasingly complex regulatory landscapes.
Rather than offering a “one-size-fits-all” solution, at Least Authority, we work with teams to understand their unique risks, build confidence through technical audits, and ensure privacy remains more than an afterthought — it is by design.
Reach out to us at consulting@leastauthority.com to learn more. We are here to help you strategically and securely approach privacy matters.