Change, uncertainty take center stage at 2022 Global Privacy Summit

15 April 2022 22:24 by Matthew Newman, Dave Perera, Amy Miller, Khushita Vasant, Mike Swift


When the International Association of Privacy Professionals last staged its Global Privacy Summit in 2019, it made a big deal of celebrating its 50,000th member. Three years later, as GPS returned in-person for the first time since the pandemic, IAPP membership was on the cusp of 75,000 — quintuple its total in 2014.

While the privacy world is bigger, it has rarely felt less settled. The GPS in 2022 attracted prominent speakers like Apple Chief Executive Tim Cook, Microsoft President Brad Smith, US Federal Trade Commission Chair Lina Khan and European Data Protection Board Chair Andrea Jelinek, yet all of them talked about change and uncertainty.

“This is a pivotal moment in the battle for privacy,” Cook said in a keynote speech in which he touched on one source of uncertainty — the push-pull between antitrust and privacy regulation.

There are many other sources of uncertainty. A transatlantic data transfer “framework” has been announced in principle, but no one knows exactly what it is. New regulations such as the Digital Services Act in Europe and privacy laws passed by a growing number of US states are putting pressure on the business model of targeted advertising. So are platform changes such as Google’s plan to phase out third-party cookies from Chrome, and Apple’s restrictions on third-party tracking by iOS apps.

Amid the uncertainty over how the European Union, the FTC and the state of California will regulate artificial intelligence, more than 600 privacy lawyers, with looks of concern, packed a standing-room-only session on the regulatory risks of AI and machine learning on Wednesday.

Smith proposed a new regulatory paradigm — a specialized US digital regulator to oversee privacy, data security and artificial intelligence regulation — but he predicted lawmakers in Australia, South Korea, Japan, the UK or the EU will get there first.

Khan hinted that the FTC will launch a broad new privacy rulemaking effort in the coming months, but it's uncertain how broad it will be or whether it will get over the finish line, given the uncertainty about who will control the White House and Congress after 2024.

Across the GPS, speakers voiced the collective expectation that whatever privacy — as a policy issue — has been in the past, it is poised to evolve into something more at the center of events. Khan told conference-goers that the dominant notice-and-consent paradigm is no longer sustainable — “outdated and insufficient” were her exact words.

The FTC might also stretch its enforcement reach to the thorny topic of data collection rather than just deception, Khan also said. The agency must grapple with “whether certain types of data collection and processing should be permitted in the first place,” Khan said.

Global data flows

One of the big themes that emerged this week was uncertainty about the precise contours of an EU-US agreement on the free flow of data across the Atlantic.

There has been growing concern that more European data protection authorities will impose injunctions on data flows, particularly after the Austrian and French privacy agencies said companies’ use of Google Analytics was a violation of EU data protection rules because of potential access by US intelligence agencies.

One panel discussed how international data transfers are considered a material risk subject for investors looking to invest in US companies. A Japanese official told another panel that governments around the world have never been more in need of policy coordination on a global data-governance framework.

While there was some relief with last month’s announcement of an agreement “in principle” to replace the Privacy Shield, which the EU’s highest court annulled in July 2020, the legal texts of the framework still must be drafted and formally approved by the European Commission. EU justice chief Didier Reynders said there’s still “a lot of work to be done” and that the process should be completed by the end of this year.

Panels at the IAPP showed that lawyers and privacy officers are concerned the “devil is in the details” regarding the role of a new “redress mechanism” for EU citizens if they believe US surveillance authorities have unlawfully accessed their data.

The solution will include binding safeguards to limit access to data by US intelligence agencies to what is “necessary and proportionate,” and the establishment of an independent Data Protection Review Court. These commitments will be made in a US executive order that will be issued in the next few weeks.

Meanwhile, companies will still have to abide by the current rules for data flows. One panel did yield an important tip: lawyers should mention the US surveillance law changes — once in force — in data transfer impact assessments, which are still necessary for trans-Atlantic data flows.

There were also encouraging words by a senior US official that the EU-US agreement could serve as a springboard for other agreements, such as between the US and the UK, as well as bolster multilateral talks at the Organization for Economic Cooperation and Development (OECD) or the Group of Seven nations.

But lurking in the back of IAPP participants’ minds is the nagging thought that Max Schrems, whose complaint about Facebook data being accessed by US authorities led to the annulment of the first trans-Atlantic data flow arrangement, will mount another legal challenge and that the European Court of Justice will once again overturn the latest agreement.

Pending legislation

Another question for those scurrying from one conference room to another in the cavernous Washington Convention Center was whether US lawmakers will finally pass federal privacy laws this year.

There are now four US states with privacy laws, and each time another state passes legislation, the debate over preemption — in which a federal law would nullify the state laws — then makes it harder for Congress to enact a federal law, legal experts said during a panel.

New state laws from California, Virginia, Colorado, and most recently Utah are also raising concerns that businesses are facing a compliance “nightmare,” Colorado Attorney General Phil Weiser said.

State privacy regulators need to pool their resources and work together to help businesses understand their obligations under each state’s consumer privacy law, he said, because if they're too difficult to follow, businesses simply won’t comply.

New privacy rules are coming from both the Colorado AG’s office and the newly created California Privacy Protection Agency, and differences are to be expected, Weiser said.

They can’t be insurmountable, which means ongoing dialogue between states will be critical if they hope to succeed, he said. Working together is nothing new for resource-strapped state AGs, who frequently coordinate on enforcement actions, Weiser said.

Privacy experts debated whether and to what extent these new state privacy laws should be preempted if Congress manages to pass a federal privacy law.

Preemption doesn’t have to be absolute, but if a federal privacy law still allowed states to experiment with their own legislation, without any constraints or limitation, “we are going to end up with a bunch of bad state laws,” said Kirk Nahra, co-chair of Wilmer Hale’s cybersecurity and data practice.

While there’s still no clarity on a federal law, with debates on capping liability a key issue, Andrea Jelinek, the chairwoman of the European Data Protection Board, said European data protection authorities “stand ready” to help California officials who are setting up a supervisory authority next year.

There’s also lingering uncertainty about pending EU content-moderation legislation. The European Parliament has called for a ban on targeted advertising because of concern about privacy-invasive tactics by large platforms.

Wojciech Wiewiórowski, the European Data Protection Supervisor, told MLex in an interview that a proposed ban on behavioral ads that target minors in the EU’s draft content-moderation rules is a “good compromise” after a full prohibition was rejected earlier this year.

Privacy vs. Antitrust

As the Venn diagram of data protection and antitrust increasingly overlaps, the borderline has become increasingly troubled.

Privacy-related considerations are now becoming critical in mergers and acquisitions, lawyers and regulators said at one GPS session.

Privacy-related concerns are making companies walk away from acquisitions because of the risks associated with purchasing a new asset, or because the risk associated with a merged entity would have exceeded a company’s risk tolerance. Aside from that, national security law experts and traditional privacy experts will have to engage increasingly more on this subject as democracies around the world, and especially the OECD, try to devise a new framework.

The position of FTC Chair Khan and her supporters, who view antitrust enforcement as a tool with benefits for consumer privacy, is “wrong, wrong, wrong,” said Republican Commissioner Noah Phillips.

Stopping mergers won’t necessarily boost privacy, Phillips said. That puts supporters of antitrust as a remedy to privacy violations in the paradoxical position of contending that a corrected marketplace will naturally gravitate toward privacy while also supporting increased regulation, he asserted.

“If you believe that the market is going to solve everything, you shouldn’t support privacy law. You certainly shouldn’t support privacy rulemaking,” he said — an allusion to a widely expected regulatory process the FTC will almost certainly initiate in the coming months.

Where Congress sits in all of this is unknown. Lawmakers have talked about a federal privacy law for more than two decades. But recent testimony from Facebook product-manager-turned-whistleblower Frances Haugen may persuade lawmakers to renew serious efforts to compromise, a Democratic staffer said.

“There’s been a real, noticeable change in attitude,” said John Beezer, a senior advisor to Democrats on the Senate Commerce consumer protection subcommittee. Increasingly, lawmakers are abandoning “hardline” stances on controversial issues, such as a private right of action and preemption of state privacy laws, observers said.

“States have really shown us a lot of the options,” said Timothy Kurth, chief Republican counsel for the House Energy and Commerce Subcommittee on Consumer Protection. “And we can choose the best.”

Change was central to the speech by Microsoft’s Smith, who called on tech companies to “lean in” to regulation as he proposed the creation of a specialized digital regulator.

Until now, the idea of standing up a new data protection agency has gained limited currency in Washington policy circles, and has mainly found support among progressives dissatisfied with what they view as the FTC’s weak oversight during the two-decade rise of “surveillance capitalism.”

At the least, Smith’s call for a Digital Regulator Commission vaults the idea into the mainstream.

“I think we’re going to see one or more governments adopt this,” Smith told MLex in an interview. “The question is which government will go first. These days it’s usually not the United States, but then the question becomes, ‘When does the US focus on this as well?’”

* “IAPP Global Privacy Summit 2022;” International Association of Privacy Professionals; Washington, DC; April 11-13, 2022.
