The 5th Annual Data Privacy Conference

Despite some much-anticipated progress towards advancing the ADPPA in 2022, Congress’s efforts to pass a comprehensive bipartisan privacy bill are still stalling (*at time of writing), while states continue to take the lead by introducing and passing various comprehensive or sectoral privacy laws. The FTC, in the meantime, continues to deliberate over what is next beyond its ANPR on commercial surveillance and data security.

Following the keynote session, and serving as an introduction to the rest of the day’s discussions, this panel will dive deeper into an analysis of the current state of data protection regulatory initiatives in the US and debate what this landscape means for individuals, tech, and non-tech businesses, including SMBs. It will explore the convergence and divergence of state laws enacted or introduced recently with one another (including narrower state laws governing specific forms or uses of data) as well as what is being considered at Congress and FTC levels. In this context, the panel will highlight the need for organizations to develop comprehensive data frameworks that consider data privacy and security concepts as well as human and technical elements to ensure better compliance with existing and possible future rules, increase individual trust, and reduce the risk of data breaches. This discussion will explore best practices and touch upon the interlink between cybersecurity and data privacy and the need to balance compliance, risk management, and effective business operations.

• What are the key similarities and differences between recently enacted and introduced state privacy laws, and how do they compare with obligations included in the ADPPA framework?

• What are some of the best practices for building data privacy programs that comply with different (and sometimes overlapping) privacy requirements while allowing for new rules in the future, including laws governing specific and narrower forms or uses of data? How can businesses ensure that their privacy programs are forward-thinking and agile enough to address future privacy laws, the constant emergence of new technologies and the continuously evolving threat landscape?

• How can businesses embed the principles of collection limitation, data minimization, purpose specification, and privacy-by-design in their operations, and what role can technological innovation play?

• To what extent should different levels of data protection based on the sensitivity and risk of each type of data exist? 

As the US Data Privacy landscape evolves, so does the global outlook. With several countries and regions implementing different data protection and privacy frameworks, there is a risk that contrasting data governance regimes further complicate the free flow of data globally, which is crucial to the functioning of the global digital economy and trade. The Executive Order issued by President Biden, expanding privacy protections for data transferred between the United States and Europe, is still going through an ‘adequacy determination’’ by the EU (*at time of writing); the CBPR Forum is welcoming participation from interested jurisdictions worldwide following the release of the Global CBPR Framework and its Terms of Reference; the OECD member countries have signed a Declaration on Government Access to Personal Data Held by Private Sector Entities aimed at facilitating government access to personal data held by businesses for law enforcement purposes; and the G7 Digital Ministers recently reaffirmed their support for the Data Free Flow with Trust system. Taking all these initiatives into account, this panel will discuss how efficient these are, how multilateral cooperation to boost the free flow of data can be further promoted, and if a trusted, interoperable global governance system that enables cross-border data flows can genuinely be achieved so that citizens and businesses across the world can fully participate in the digital economy and harness socio-economic opportunities.

• What is the latest on the EU-US Data Privacy Framework, given the significant caveats put forth by the EDPB and the European Parliament*? To what extent do the EO’s safeguards and redress mechanism provisions appropriately address the issues raised by the CJEU, and would the new framework withstand another challenge in the courts? What is being done to ensure the EU offers reciprocal legal remedies to American citizens? 

• To what extent can the Global CBPR Framework be considered a solid alternative to the GDPR as a global benchmark for privacy standards worldwide? 

• To what extent can the work undertaken by the Global CBPR and the OECD’s declaration on trusted government access to data inform the next steps for the DFFT initiative? 

• How can interoperability, rather than strict equivalence, be further encouraged between national and regional data governance systems to improve trust between trading partners?

• What support is given to global businesses that must comply with multiple data privacy laws around the globe, especially given the current economic context?

As AI systems become more ubiquitous in our lives, it is crucial that the personal and sensitive data collected to train algorithms isn’t used in the wrong context and that organizations understand the risks associated with using the technology, so that they take the necessary steps to protect consumers’ privacy. While the current headlines primarily focus on the risks linked to generative AI, it is essential to remember that the socio-economic benefits of data-enabled technologies such as AI are manifold, providing organizations with valuable insights to improve products, services, research and address socio-economic challenges. It is, therefore, essential that data-related regulations do not impede the endless opportunities it can deliver but encourage the deployment of AI technologies in ethical ways, protect privacy, eliminate bias and promote fairness and equity in line with core U.S. values.

This session will focus on the power of personal data in delivering data-enabled intelligent technologies for the interest of society as a whole and the challenges involved by discussing the complex interplay between data, AI, privacy, and the protection of civil rights against possible harmful automated decision-making. It will explore the potential of PETs to drive positive change while protecting privacy during the collection, processing, analysis, and sharing of data and to ultimately build trust with the public to empower them to participate in a data economy that benefits society equitably. Speakers will discuss the latest initiatives and regulatory work undertaken in these areas, such as the AI Bill of Rights released by the White House in October 2022; NIST’s Artificial Intelligence Risk Management Framework, the OSTP’s National Strategy to Advance Privacy-Preserving Data Sharing and Analytics; NTIA’s recent AI Accountability Request for Comment; the FTC’s guidance on algorithmic bias; and ask how technical, legal, and policy experts can collaborate to shape a US strategy and policies on data and AI that balance the tension between the protection of individuals against harmful effects and the promotion of positive innovation,

• As AI systems rely on the availability and accessibility to large amounts of data – sometimes personal and highly sensitive data – how can it be ensured that enough data, representative of all groups of society, is available to accurately train AI systems while simultaneously preserving data privacy and avoid bias, discriminatory or unfair outcomes? 

• What role can PETs play, and to what extent can they help uphold commitments to equity, transparency, and accountability? What needs to be done to accelerate their uptake? What could a future data ecosystem that effectively incorporates PETs look like?

• How can principles such as fairness, transparency, accountability, equity and explainability (all included in the White House AI Bill of Rights) truly be operationalized for commercial and government use? 

• Does the lack of a comprehensive federal privacy law undermine the possible advancement of responsible artificial intelligence-based technologies? To what extent do the discussions around AI regulation differentiate non-personal data from personal data and non-sensitive data from sensitive data?

• What can be done to build confidence and empower citizens to access, manage and share their data with private and public organisations to bring unprecedented benefits to broader society?

Children’s data privacy has moved to the forefront of the legislative and regulatory agenda. President Biden has repeated calls for broader data privacy protection and stricter limits on companies collecting personal data, with a total prohibition on targeted advertising to children; the FTC’s enforcement efforts on children’s privacy through COPPA have intensified, and the agency has questioned whether commercial surveillance practices harm minors in its ANPR; several bills have been introduced in Congress to improve children privacy and online safety standards (including the recently-reintroduced KOSA), and States have taken action to create comprehensive children’s privacy and social media safety laws, prompted by the California Age-Appropriate Design Act.

As momentum around minor’s privacy is building, and with children’s privacy and safety intrinsically interlinked, this panel will explore the current state of children’s online protections in the US as well as the challenges faced by parents, educators, the tech industry, and policymakers to protect young people when considering both the direct and indirect risks of data collection, algorithmic amplification, and dark patterns. Panelists will examine how technology can be both a tool for protection and risk to privacy with a focus on age-verification tools and the privacy implications linked to this solution and will analyze how best practices such as parental control tools, privacy education for children and parents, and responsible data collection be optimized.

• To what extent do the various bills introduced at State and Federal levels adequately protect young people’s privacy and shield them from online harms? Will real change come from children-specific data privacy laws or a broader comprehensive federal law similar to ADPPA?

• With new rules, such as the California Age-Appropriate Design Code, requiring platforms to assess possible harm to children before rolling new products out and to expand their default privacy settings, how can businesses embed the privacy-by-design and privacy-by-default principles into the designs of their latest products and solutions, especially if they don’t think of themselves as doing business with children? Shouldn’t these rules apply to all users, regardless of their age? 

• What are the benefits and drawbacks of age verification solutions and encryption?

• What does current enforcement look like for the protection of children’s privacy, and what can be expected in the future from the FTC to regulate further the collection, use, sharing, and retention of children’s data and the security requirements linked to this, as new technologies such as the metaverse and natural language processing tool driven by AI technology emerge?

Using personal data in healthcare can bring numerous benefits, including improved patient outcomes, enhanced medical research for treatments and cures, and better public health. With the increasing amount of patient information being generated, collected and shared, and with several tech companies attempting to enter the healthcare market, the benefits of using personal data for improved healthcare outcomes must be balanced with the need to protect patient privacy and ensure that data is used ethically and responsibly. With HIPAA being nearly three decades old, the law does not cover health data collected by health apps, web searches, wearables and other technologies that have boomed in recent years, creating a gap in patient protections. This session will discuss how the privacy of patients can be improved while enabling healthcare providers and the tech industry to deliver the promise of data-enhanced healthcare. It will explore the scope, benefits, and limits of HIPAA and the extent to which new safeguards are needed for Americans’ health data. It will examine how healthcare providers, patient groups, the tech industry, researchers and policymakers can work together to mitigate the risks linked to using sensitive medical data.

• What are the potential consequences of data breaches and cyber attacks on healthcare systems, and how can healthcare providers, the tech industry and policymakers mitigate these risks?

• In the absence of a comprehensive federal privacy law, how can health data falling outside the scope of HIPAA be protected? To what extent does HIPAA need to be updated to account for the evolution of emerging technologies and data management tools, or are brand new rules covering the privacy protections of health data required? What is being done at the state level?

• How can patients’ trust in using their medical data be enhanced? What are the latest trends and innovations in data privacy in healthcare, and how can these be leveraged to improve patient outcomes?