"Is this the real life? Is this just fantasy?" — U.S. federal privacy law echoes Queen's "Bohemian Rhapsody."
Bets are on in the U.S. and beyond after news dropped last weekend of a viable federal privacy bill, the American Privacy Rights Act. There are a few reasons people are taking notice. First, the APRA is bicameral and bipartisan — meaning both Republicans and Democrats in lead committees across both the Senate and House of Representatives are standing behind it — which, in the current climate and an election year, increases the proposal's odds of moving forward. Second, the bill follows many failed attempts at federal privacy legislation over two decades, though each made the prospect a bit more likely than the one before. Notably, the APRA seems to overcome two of the main reasons its predecessor, the American Data Privacy and Protection Act, failed most recently: It would preempt existing state privacy laws, while incorporating parts of them, and would introduce a private right of action.
Of course, this optimism should be nuanced. The bill still has to go through the legislative process in both the House and the Senate before even getting to a floor vote. There are a few windows of opportunity to do that, but the clock is ticking as the November election looms. It is, however, undeniable that a heightened appetite for a federal law is growing, as 80-plus jurisdictions around the world have comprehensive privacy legislation in place, as U.S. states are passing their own privacy bills (15 to date), and as privacy is gaining traction as a critical area where regulators, policymakers and the general public increasingly expect responsible behaviors and accountability.
Elsewhere:
- The European Parliament validated its position on the EU General Data Protection Regulation procedural harmonization proposal, which aims to improve cross-border enforcement by standardizing procedures and improving complainants' right-to-be-heard, among other technical aspects.
The European Council is still working out its amendments to the European Commission's proposal and is expected to reach a compromise by June. Trilogue negotiations would start after the European elections, which could mean a final agreement before the end of the year.
Some industry players have flagged a risk that new procedures may challenge confidentiality of business information and vastly increase the number of complaints, while civil society groups hope these changes will mean better and faster resolution of cross-border cases. The trilogue negotiations will have to reconcile these various concerns, together with potential changes required to national law to implement this future regulation.
- On the eve of the European Data Protection Supervisor's 20th anniversary, EDPS Wojciech Wiewiórowski presented the Annual Report 2023 before the European Parliament. Wiewiórowski provided an overview of EDPS activities over the past year, highlighting the delivery of as many as 116 legislative consultations, the closing of 58 complaint cases — the highest number to date — and participation in 36 international initiatives.
Last year was one of adaptability as the EDPS had to constantly reconsider its focus and priorities due to the changing regulatory environment. Wiewiórowski pointed out three topics at the forefront of the EDPS's attention: artificial intelligence, protection against child sexual abuse online and issues related to borders and migration.
Regarding AI, the EDPS was involved not only in EU efforts including the AI Act, but also in various international initiatives. Concerning child sexual abuse, Wiewiórowski recalled the EDPS's position on the current proposal against child sexual abuse material, reiterating the dangers the proposed measures pose to the right to privacy. Related to migration, he underlined the importance of ensuring the right to personal data protection of the most vulnerable.
- On 8 April, France's data protection authority, the Commission nationale de l'informatique et des libertés, published its first recommendations on the development of AI systems.
The CNIL recommends ensuring the development of AI is in accordance with data protection rules, as this is necessary to guarantee respect for European values and citizens' trust in these systems.
The recommendations were developed with private and public sector stakeholders and presented in the form of seven sheets that detail steps to be taken in AI design and development. Among other things, the CNIL recommends identifying the applicable legal regime, defining a purpose and legal basis, carrying out a data protection impact assessment and accounting for data protection in data collection and management.
Make sure you check the updated agenda for the upcoming IAPP AI Governance Global 2024 conference and training, to be held in Brussels 4-7 June.