The International Association of Privacy Professionals (IAPP) held its annual Europe Data Protection Congress in Brussels on November 15 & 16, 2023. Whilst the Congress covered a wide range of topics related to privacy, cybersecurity and the regulation of data more broadly, unsurprisingly a recurring theme throughout was the responsible development, commercialization and use of AI. In this regard panelists explored (amongst other things) what practical and effective AI governance may look like, the role of a Digital Ethics Officer, how to strike a balance between enabling innovation and safeguarding individual rights, and how AI may be used to automate data breach detection and response.

Monika Zdzieborska, Senior Managing Associate in Sidley’s Competition team, participated in a panel discussion entitled “Navigating the Intersection Between Privacy and Antitrust.” She and her co-panelists Teresa Basile, Romana Hajnovicova and Giorgia Vulcano considered how competition law and privacy are evolving as data ecosystems become more ubiquitous. While there are still open questions on the potential for conflicting aims and outcomes between the two regimes (such as “privacy washing” or privacy-related concerns around data-sharing obligations), the panelists noted that agencies around the world are taking important steps to achieve a more joined-up approach to digital regulation and enforcement. Given that digital technologies – and AI in particular – bring up issues that fall under the remit of several regulators, it is imperative that regulators:

  • Engage in structured inter-agency cooperation – in the UK, the Digital Regulation Cooperation Forum (DRCF) – a body that brings together four main UK regulators that cover digital services – leads the way in such cross-disciplinary collaboration. A similar cooperation platform, the Digital Regulation Cooperation Platform (SDT) was launched in the Netherlands. At EU level, the High-Level Advisory Group on the Digital Markets Act, which includes both the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), could serve as a forum for future coordination. For now, these bodies only have advisory functions without any decision-making powers, but this may change in the future. For example, the DRCF’s AI and Digital Hub will be launched early next year in the UK. This is a pilot of a new multi-regulator interface that will allow companies to direct their questions to all four UK regulators through a single point of access and receive tailored support in return.
  • Develop closer ties with their international counterparts – in addition to horizontal coordination between national agencies, we have also seen agencies around the world finding new ways of working together. Earlier this year, the International Network for Digital Regulation Cooperation – which aims at fostering discussion between regulators on matters of coherence across digital regimes – was launched. Further, the EDPB created a task force charged with identifying ways to boost cooperation between national data protection and competition authorities, and how they interact with EU authorities. Developing international standards pertaining to digital regulation will be perhaps one of the biggest tasks in the coming years.
  • Invest in robust technological expertise – finally, to work effectively together, regulators must have the necessary tools to understand fully the issues at play. To build such understanding, the agencies should: (i) invest in robust in-house data and intelligence units to be able to engage in effective dialogue with industry, and (ii) encourage honest dialogue – including through incentive mechanisms to allow companies to exchange information in a safe environment – with industry to develop a better understanding of the underlying technologies and potential issues.

The growing interplay between competition law and privacy is resulting in increased inter-agency information sharing and joint investigations. Companies should be alert to the potential risks and prepare accordingly. Businesses should consider taking the following steps: (i) ensure close and early (e.g., at the stage of product/service creation) cooperation between in-house competition and data protection teams; (ii) monitor how this information provided in response to a consultation or a request for information is presented and who it might be subsequently shared with, and (iii) carefully consider the confidentiality of the submissions and how information may be used by other regulators.

In parallel to the Congress, Sidley hosted a Women in Privacy (WIP) Networking Lunch on November 15, 2023. The lunch, which was attended by female professionals in the field of privacy and cybersecurity, featured two Q&As. The first featured a discussion with Neema Singh Guliani, Deputy Assistant Secretary for Services in the International Trade Administration, hosted by Francesca Blythe, partner in Sidley’s European Privacy and Cybersecurity team. The discussion was focused primarily on the successful implementation of the EU-U.S. Data Privacy Framework, and the U.S. Department of Commerce’s role in supporting global data transfers. The second featured a discussion with Sophia Ignatidou, Group Manager for AI and Data Science at the UK Information Commissioner’s Office, hosted by Lauren Cuyvers, Senior Managing Associate in Sidley’s European Privacy and Cybersecurity team. The discussion was focused primarily on the risk and causes of bias and discrimination in AI, the importance of the fairness principle in AI governance, and how diversified and/or synthetic data sets could reduce these risks.