The domination of AI related content, in particular the progress of the EU AI Act, reflected the important role data protection professionals have in assisting businesses navigate the current uncertain AI regulatory landscape to enable them to develop and deploy AI models compliantly and responsibly. It also highlights the importance of the fundamental principles of data protection regulation. These remain key foundations in the building blocks for regulation of AI.

We set out below our key takeaways from a host of sessions:

Progress of the EU AI Act

Will there be an agreed text of the EU AI Act by Christmas? This was a recurring question put before various Congress panels. The EU AI Act is currently in the last phase of the legislative process; the "trilogue" discussions with the European Commission, Council and Parliament negotiating the final text.

Despite the outstanding issues, there was hope that the these would be resolved and the text agreed at the next session on 6 December. Failure to agree the final draft of the text imminently is likely to mean a significant delay to the AI Act coming into force given the looming European elections in June 2024. There is a real drive to finalise the text and ensure that the EU is seen to be leading the way with a global standard for the regulation of AI.

AI governance and the expanding role of the privacy professional

A number of the sessions focussed on varying approaches to AI governance from risk assessments to governance structures and more. There was interesting debate about where the responsibility for AI governance should sit within an organisation. A number of data protection practitioners had amended their titles and remits to specifically include AI (some by choice, others by request). A data ethics framework was seen by many as key to harmonising varying approaches across jurisdictions.

Future regulation of the AdTech Industry

Another hot topic at Congress was the future regulation of the AdTech industry. There were several sessions which considered the challenges of navigating a cookie-less world and the complexity of complying with user transparency and control in respect of online advertising activities.

The recent binding decision from the European Data Protection Board regarding Meta's personalised advertising practices and "pay or consent" model was scrutinised by a panel of regulators from Belgium, France and Germany. They indicated that changes in AdTech privacy regulation are imminent that could result in the demise of personalised advertising. Much will depend on how the regulators view Meta's "pay or consent" model. Although such a model was not ruled out by the CJEU decision the regulator panellists questioned its viability.

Key messages from Didier Reynders (European Commissioner for Competition and Justice, European Commission) closed the Congress and had several important messages for the privacy community.

  • The EU has a world leading privacy regime. One of the fundamental concepts at the centre of all EU digital legislation is the ability for an individual to exercise control of their data.
  • The success of EU digital legislation now depends on enforcement. Cross border enforcement is working and fines are being issued at levels which have the ability to truly change practices. The development of a rich body of case law and guidance is providing greater legal certainty for businesses and clarity of rights for individuals.
  • Ensuring consistency goes beyond a handful of high profile fines. Other effective methods include guidance and codes of conduct. A common approach to the application of the GDPR is necessary. Data protection authorities must work together to achieve consistency and legal certainty.
  • Data protection authorities are already applying the GDPR to AI regulation and bringing enforcement action (for example against Chat GPT in Italy).
  • The EU-US Data Privacy Framework has created a stable mechanism for cross boarder transfers while addressing the concerns of the CJEU.
  • An adequacy decision is not an end point but a starting point to build on and the Commission is planning an international conference for adequacy partners. The UK should take note that any changes in their legislation will be considered.

This 2023 IAPP Congress has shown that developments in technology, in particular AI, will produce challenges for both regulators and privacy professionals. This makes collaboration and sharing of ideas at forums like the IAPP Congress even more important and it has made clear that cooperation between regulators will be the key to successful enforcement of AI regulation.