Search Discovery attended April’s Global Privacy Summit, where privacy professionals from around the world descended on Washington, D.C., for a week of privacy sessions, panels, and networking. Of course, with so much happening lately in the realm of privacy, there was a lot to talk about, but upon reflection, the discussions tended to coalesce around three key themes.
Certainly, one of the topics top of mind for attendees was the use of Artificial Intelligence. With systems like OpenAI’s ChatGPT, introduced in late 2023, many brands were considering if and how they should use the technology.
The Role of Legal Teams
Due to the novelty of the technology, we heard it was often falling to legal teams to evaluate the compliance aspects before companies did further work around engineering integration. Legal teams on the panels said this was a shift for them, likely indicating that brands are being more cautious in light of increasing regulation in privacy.
Two of the keynote speakers, Nina Schick, author of Deepfakes: The Coming Infocalypse, and Alvaro Bedoya, a Commissioner of the FTC, had amazing presentations on AI. Nina’s presentation centered around transparency with generative AI and how the systems could be abused to endanger the erosion of trust.
Do Existing Regulations Apply to AI?
Alvaro’s humorous presentation in the closing ceremony centered on policy at the point where it intersects with privacy and civil rights, specifically a belief that AI systems could be subject to existing regulation in many scenarios. Both presentations are worth watching for anyone interested in AI usage in an operational context.
As expected, panels on privacy regulation compliance were commonplace during the conference. For HIPAA, EU Regulation, or recently enacted State laws (such as the amended CCPA), there were one (or multiple) panels reviewing the latest developments and guidance for compliance activities. These were very well attended, with California’s Privacy Protection Agency’s panel exceeding capacity—nearly 100 attendees could not attend the panel.
While topics varied by region and industry, the call for regulation harmonization was consistent. Given the increasing amount of regulation, brands find it challenging to carve out regions (e.g., “treat California differently than everywhere else”) like was done initially with California and the European Union.
Now that more countries and states are enacting their laws, this pushes brands to adopt a more holistic approach to their privacy programs to simplify compliance activities and engineering efforts. Legal teams agreed that this time-intensive process ultimately reduces ongoing compliance costs and is worth the investment.
Privacy by Design
Increasingly required by regulation, building privacy into products from the start is becoming commonplace. Still, even with these requirements, brands need help to adopt Privacy by Design methodologies in their development processes.
What is Privacy by Design?
Privacy by Design, a concept introduced by Ann Cavoukain, Ph.D., in the 90s, is a set of principles that offer a solid foundation for privacy within business efforts that promote user trust. It’s become part of GDPR, which has acted as a basis for evolving US legislation.
Successful Privacy by Design Practices
At the Summit, experts recommended Privacy by Design solutions involving cross-functional teams collaborating in a project's ideation and design phases to satisfy privacy requirements before development. Critically, processes such as adopting privacy as the default setting and ensuring privacy is embedded into designs are often easier to do upfront rather than being bolted on after the fact.
We learned that brands that failed to align during design had a stressful working relationship with their product teams. Conversely, successful privacy teams met their engineers halfway: They invested in learning the technology to share a common vocabulary and vision of how privacy compliance should work in a product context.
Privacy-enhancing technologies, which are techniques and solutions that promote Privacy by Design, also featured prominently in conversations.
Of specific interest to attendees was understanding the use cases for solutions such as synthetic data (and any associated legal risks) and which solutions allow for provable anonymization standards (which is increasingly becoming a topic in regulation enforcement cases). The latter is often misunderstood due to a lack of familiarity with potential attacks that can recombine or expose data subject to lesser standards (such as pseudonymization).
Technical teams often need to be better versed in privacy-enhancing technology use cases, without which development time increases. Brands can expect training in these technologies to be required as they seek to advance their privacy programs in the engineering context.
The need for privacy work continues to grow as laws and regulations pass and technology demands increase. We encourage brands to understand the legal implications within their lines of business and plan for training and engineering integration to support Privacy by Design activities.
Regarding Artificial Intelligence, caution is well warranted, as the Federal Government has issued a joint press release on possible enforcement considerations. We echo the conference's caution to exercise significant consideration before integrating AI into product offerings.
We loved attending the Summit and strongly recommend the event to anyone interested in data privacy. Should you have any questions about privacy topics reflected here, or anything else, our staff would be happy to discuss your concerns.